INFORMATION SECURITY ALERT: RISK Moderate - Petya Global Ransomware Alert

By: Rob Brennan

June 28, 2017

RISK: Moderate (loss or compromise of data)

You are no doubt aware that a particularly aggressive ransomware variant is spreading rapidly across the Internet.  It infects Windows-based PCs by exploiting a vulnerability in unpatched systems (the same SMB weakness used by the EternalBlue exploit) and by spreading across a network once a single machine is compromised.

Trend Micro Support Site:

A large-scale ransomware attack reported to be caused by a variant of the Petya ransomware is currently hitting various users, particularly in Europe. This variant, which Trend Micro already detects as RANSOM_PETYA.SMA, is known to use both the EternalBlue exploit and the PsExec tool as infection vectors. 

Ransomware typically encrypts whatever data it can reach (rendering the information unreadable) and then demands an extortion payment through a hard-to-trace channel (e.g. Bitcoin) in exchange for the decryption key.  Western has seen ransomware attacks in the past, but nothing on this scale.  At this point no active Petya infections have been reported at Western, but there is a risk that further attacks will be triggered in North America as the week progresses.

WTS has reviewed our latest network scans and confirmed that Western’s compliance rate for the patch that closes the SMBv1 vulnerability used by EternalBlue (Microsoft security bulletin MS17-010) presently sits at 98%.   While this reflects a strong campus response to the threat, an unpatched machine can still be compromised in our environment, and because this variant also spreads with the PsExec tool using credentials harvested from an infected host, a single compromised machine can reach patched machines on the same network.   WTS will continue to monitor the situation and has verified that our network firewall (Palo Alto) is configured to detect this attack from external (Internet) sources; that control does not cover spread between hosts inside the campus network, which is why patching every machine matters.
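For administrators who want to verify a specific Windows host rather than wait for the next network scan, the following PowerShell check is an added example; it is not a WTS tool and not the scan referenced above.  It reports the three conditions the EternalBlue vector needs on the host it runs on: the SMBv1 server enabled, TCP port 445 listening, and no MS17-010 package installed.  The KB list is an assumption taken from the MS17-010 bulletin for illustration only; later cumulative updates supersede those packages, so an empty match does not prove a host is unpatched, and the Nessus results remain authoritative.  Run it from an elevated prompt; the -DisableSmb1 switch applies the defence-in-depth mitigation of turning the SMBv1 server off (a reboot is needed on Windows 7 / Server 2008 R2, and old devices that only speak SMBv1 will lose access).

```powershell
# Added example, not part of the WTS advisory. Reports whether this host
# exposes the surface the EternalBlue exploit targets, optionally disabling SMBv1.

# ASSUMPTION: KB numbers from the March 2017 MS17-010 bulletin plus the May 2017
# out-of-band package for unsupported platforms. Later cumulative updates
# supersede these, so "none found" does not by itself mean "unpatched".
$Ms17010Kbs = @(
    'KB4012598',                            # Vista, Server 2008, XP, Server 2003
    'KB4012212', 'KB4012215',               # Windows 7, Server 2008 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1, Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507, 1511, 1607
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-EternalBlueExposure {
    [CmdletBinding()]
    param(
        [switch]$DisableSmb1    # remediate (turn the SMBv1 server off) as well as report
    )

    # 1. Which MS17-010 packages, if any, are present on this host
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })

    # 2. Is the SMBv1 server enabled? Get-SmbServerConfiguration exists on
    #    Windows 8 / Server 2012 and later; on Windows 7 read the registry value
    #    it is backed by (absent value = enabled, the default on those versions).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    # 3. Is anything listening on TCP 445, i.e. reachable from the network?
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening445 = $null -ne (Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    } else {
        $listening445 = [bool](netstat -ano | Select-String -Pattern ':445\s+\S+\s+LISTENING')
    }

    # Optional remediation: disable the SMBv1 server (Microsoft-documented settings)
    if ($DisableSmb1 -and $smb1Enabled) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
            Write-Warning 'SMBv1 disabled in the registry; a reboot is required for it to take effect.'
        }
        $smb1Enabled = $false
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Ms17010KbsFound      = ($matched -join ', ')
        Smb1ServerEnabled    = $smb1Enabled
        ListeningOnTcp445    = $listening445
        # Exposed only when all three conditions hold; a match on the KB list
        # is a positive signal, but its absence still needs the Nessus result.
        ExposedToEternalBlue = ($smb1Enabled -and $listening445 -and ($matched.Count -eq 0))
    }
}

# Report only; add -DisableSmb1 to also turn the SMBv1 server off.
Get-EternalBlueExposure
```

The check is deliberately host-local so it can be run on a machine that the network scan missed (a laptop that was off campus, for example); feed its output into the same follow-up process as the Nessus results.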

Actions Required:

  1. Please be careful when opening messages from unknown senders (or suspiciously titled messages from known acquaintances).  If you do not trust the message, do not follow links or open documents found within it; the virus payload is delivered via compromised documents or links to malicious sites.  It is important to understand that should your system (PC or laptop) be affected, there is very little that can be done to retrieve files from this level of encryption, except to obtain the keys from the perpetrator(s) or to restore from a backup that the malware could not reach.  Keep backups on media or services that are not permanently connected to your machine, since the ransomware encrypts any drive it can write to.
  2. Please relay any reports of unusual PC activity or suspected system infections to the WTS Helpdesk and/or
  3. TUMS Administrators are also advised to review the latest Nessus scan results for all host machines for which they are responsible, and to patch any host the scan flags as missing the required update.   This data is available via RAMP (in the Nessus Scans tab).   

Thanks for your vigilance and attention to this important matter.  We will be actively following up with those who have machines on campus that are not patched sufficiently.
