Ransomware - Petya

Number: AL17-008
Date: 27 June 2017

Purpose

The purpose of this alert is to bring attention to, and to provide guidance and mitigation advice for, a large-scale ransomware campaign.

Assessment

CCIRC has become aware of a large ransomware campaign affecting multiple organizations worldwide. While complete details of the campaign are still being analyzed, CCIRC is working with domestic and international partners to gain an accurate picture of the campaign's impact and to provide the best detection and mitigation information possible.

This campaign appears to be distributing a variant of the Petya ransomware. The initial infection vector remains unknown at this time. However, exploitation of the SMBv1 vulnerability described and patched in Microsoft Security Bulletin MS17-010 (links provided below) has been observed.
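Because the one propagation mechanism named above is the MS17-010 SMBv1 vulnerability, the first thing a Windows administrator will want is a quick check of whether a host still exposes SMBv1 and whether an MS17-010 update is present. The script below is an added example written for this alert; it is not CCIRC tooling or part of the original advisory. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the SmbShare cmdlets exist), and the KB list is a subset of the update numbers published in the MS17-010 bulletin, which must be confirmed against the bulletin for the exact OS build in use.

```powershell
# Added example (not CCIRC code): audit a Windows host for SMBv1 exposure
# relevant to MS17-010, and optionally disable the SMBv1 server protocol.
# Run from an elevated PowerShell session. Pass -DisableSmb1 to apply the change.
param(
    [switch]$DisableSmb1
)

# 1. Is the SMBv1 server-side protocol currently enabled?
$smb = Get-SmbServerConfiguration
"SMB1 enabled on server side : $($smb.EnableSMB1Protocol)"

# 2. Is the SMB1Protocol optional feature installed? (Windows 8.1 / 10 / Server 2012 R2+;
#    on older builds the feature does not exist and this line is skipped.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature state   : $($feature.State)" }

# 3. Look for an MS17-010 update. Assumption: this KB list is a subset of those in the
#    bulletin (Win7/2008R2, 8.1/2012R2, 2012, Vista/2008, Win10 1607). Cumulative updates
#    on Windows 10 supersede the original KB, so absence here is not proof of exposure;
#    verify the installed build against the bulletin.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012598', 'KB4013429')
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 update(s) present   : $($installed.HotFixID -join ', ')"
} else {
    "No MS17-010 update from the checked list found; confirm patch level for this OS build"
}

# 4. Mitigation: turn off the SMBv1 server protocol. This reduces exposure to the
#    vector named in the alert but is not a substitute for installing the patch.
#    Reversible with: Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force
if ($DisableSmb1 -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMB1 server protocol disabled."
}
```

Confirm that no legacy device or application on the network (older printers, NAS appliances, scanners) still depends on SMBv1 before applying the change, and treat disabling the protocol as reducing exposure rather than as closing the vulnerability: the MS17-010 update still has to be installed.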

Ransomware can have an overwhelming effect on a network, whether it belongs to a home user, a business, a critical infrastructure operator or a government. Not only can it lead to the loss of sensitive or proprietary information, but the disruption to regular operations, the financial loss and the potential harm to an organization's reputation can be devastating.

CCIRC strongly discourages paying the ransom, as it does not guarantee that your data will be decrypted and may encourage further criminal activity. In addition, decrypting files does not mean the malware infection itself has been removed.

Suggested Action

CCIRC recommends that organizations review the following mitigation information and consider its implementation in the context of their network environment.

References

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca