Ransomware - Petya
Date: 27 June 2017
The purpose of this alert is to bring attention to, and to provide guidance and mitigation advice for, a large-scale ransomware campaign.
CCIRC has become aware of a large ransomware campaign affecting multiple organizations worldwide. While complete details of the campaign are being analyzed, CCIRC is working with domestic and international partners to gain accurate awareness and knowledge of the campaign’s impact to provide the best detection and mitigation information possible.
This campaign appears to be distributing a variant of Petya ransomware. The initial infection vector remains unknown at this time. However, exploitation of the SMBv1 vulnerability described and patched in Microsoft Security Bulletin MS17-010 (links provided below) has been noted.
Ransomware can have an overwhelming effect on a network, whether the victim is a home user, a business, critical infrastructure or a government. Not only can it lead to loss of sensitive or proprietary information, but the disruption to regular operations, the financial loss and the potential harm to an organization’s reputation can be devastating. CCIRC strongly discourages paying the ransom, as it does not guarantee that your data will be decrypted and may encourage further criminal activity. In addition, decrypting files does not mean the malware infection itself has been removed.
CCIRC recommends that organizations review the following mitigation information and consider their implementation in the context of their network environment.
- On March 14, 2017, Microsoft released patches in Security Bulletin MS17-010 to address the SMBv1 vulnerability; more details are available in CCIRC Advisory AV17-068.
- Microsoft also released patches for certain legacy/unsupported Windows versions, with more details available here: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
- Consider disabling SMBv1 and/or blocking the SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445]. Microsoft guidance on detecting and disabling SMBv1 is available here: https://support.microsoft.com/en-us/help/2696547
- Minimize the number of users with administrative privileges and frequently revalidate each user's requirement for a privileged account.
- Consider enabling UAC (User Account Control) on Windows hosts throughout your network.
- Execute daily backups of all critical systems, maintain offline and offsite copies of backup media, and periodically practise restoring data (including key databases) from backups to verify the integrity of existing backups and processes.
- Ensure antivirus and gateway protections are up to date.
- Scan all incoming and outgoing e-mails to detect threats and prevent executable files from reaching the end users.
- Don’t open links or attachments in emails from untrusted or unknown sources. Inspect the sender address carefully, as the displayed sender text may differ from the real address.
- CCIRC recommends that organizations ensure users receive current situational awareness and training, including instructions on how to report unusual or suspicious emails to their IT Security Branch. Reviewing departmental policies, requirements and security education and awareness training can help reduce this threat.
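The SMBv1 mitigations above (patch state, disabling the protocol, blocking UDP 137/138 and TCP 139/445) can be checked and applied on a single Windows host with the following script. This is an added example, not part of the CCIRC alert; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, and the MS17-010 KB list is a placeholder the operator must fill in from the bulletin for their OS version.

```powershell
# Added example (not from the CCIRC alert): audit SMBv1 exposure on this host and,
# with -Remediate, disable SMBv1 and block the ports named in the alert.
[CmdletBinding()]
param(
    [switch]$Remediate,
    # PLACEHOLDER: replace with the MS17-010 KB numbers for this host's OS version.
    [string[]]$Ms17010Kbs = @('KB0000000')
)

# 1. Patch state: is any MS17-010 update for this OS installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) { Write-Output "MS17-010: installed ($($installed.HotFixID -join ', '))" }
else            { Write-Warning "MS17-010: none of $($Ms17010Kbs -join ', ') found" }

# 2. Server side: is the SMBv1 dialect still offered by the LanmanServer service?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED"
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
} else { Write-Output "SMBv1 server protocol is disabled" }

# 3. Client side: the SMB1Protocol optional feature also carries the mrxsmb10 client driver.
#    (Feature name is for client SKUs; on Server editions the lookup simply returns nothing.)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Write-Warning "Windows feature SMB1Protocol is present"
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 4. Host firewall: block the NetBIOS/SMB ports listed in the alert on the Public profile only,
#    so a laptop off the corporate LAN does not expose 445, while domain file sharing still works.
$rules = @(
    @{ Name = 'Block SMB TCP 139,445 (CCIRC Petya alert)';     Proto = 'TCP'; Ports = 139, 445 },
    @{ Name = 'Block NetBIOS UDP 137,138 (CCIRC Petya alert)'; Proto = 'UDP'; Ports = 137, 138 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        Write-Warning "Firewall rule missing: $($r.Name)"
        if ($Remediate) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Proto `
                -LocalPort $r.Ports -Action Block -Profile Public | Out-Null
        }
    }
}
```

Run it without `-Remediate` first to see what would change; disabling the SMB1Protocol feature takes effect after a reboot.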
CCIRC Advisory AV17-068: Microsoft Security Updates MS17-010 (SMBv1)
Microsoft Security Bulletin MS17-010
CCIRC Information Note IN13-004: Ransomware
CCIRC Technical Report TR11-001: Malware Infection Recovery Guide
CSE: Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118