What steps do I need to take to reduce the risk of infection?

Implement the best practices

Patch and update your systems, or consider a virtual patching solution.

Enable your firewalls as well as intrusion detection and prevention systems.

Proactively monitor and validate traffic going in and out of the network.

Implement security mechanisms for other points of entry attackers can use, such as email and websites.

Deploy application control to prevent suspicious files from executing on top of behavior monitoring that can thwart unwanted modifications to the system.

Employ data categorization and network segmentation to mitigate further exposure and damage to data.

Disable SMB (v1) on vulnerable machines – using either GPO or by following the instructions provided by Microsoft.

Ensure that all of the latest patches (if possible using Virtual Patching solution) are applied to affected operating systems – especially the ones related to MS17-010.

Protect your organization using Trend Micro Products

Trend Micro recommends a layered security approach on endpoint, messaging, and gateway, to ensure that all potential entry and compromise points have protection against these types of threats:

Smart Scan Agent Pattern and Official Pattern Release: Trend Micro is in the process of adding known variant and component detections into the following patterns for all products that utilizes these patterns:

Smart Scan Pattern (TBL) - 17356.008.96 released on June 27 @ 4PM (GMT) with detection name of Ransom_PETYA.TH627
Smart Scan Agent Pattern and Official Pattern Release (conventional) - 13.499.00 with detection names of Ransom_PETYA.TH627 and Ransom_PETYA.SMA.

Please note that these patterns are the minimum recommended ones that contain protection for this threat -- however, due to new components and variants being discovered it is important that customers ALWAYS obtain the latest pattern files to ensure up-to-date protection. Also note that the minimum Scan Engine version needed for protection with the above patterns is 9.8x.

Trend Micro Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers that have the latest IPS rules may already have an updated layer of Virtual Patching protection for multiple Windows operating systems, including some that have reached end-of-support (XP, 2000, 2003) based on early reports that "EternalBlue" is one of the primary infection vectors. Specifically, Trend Micro released the following IPS rules for proactive protection against MS17-010 if you have not already applied Microsoft’s recommended patches:

Rules 1008224, 1008225, 1008228, 1008285, and 1008306 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities
In addition, the following rules may help to prevent potential lateral movement of the ransomware using PsExec: 1003222, 1006906, 1008327, 1008328, 1008422, and 1008423. Please note however, that some of these rules are not automatically enabled by the recommendation scan engine (default setting of the rule is “Detect-only”) and should be switched to “Prevent” mode based on whether these are feasible for your environment (see the screenshot below for more information).

Trend Micro Deep Discovery Inspector customers with the latest rules may also have an additional layer of protection against the vulnerabilities associated with the "EternalBlue" exploit. Specifically, Trend Micro has released the following official rule for proactive protection:

DDI Rule 2383: CVE-2017-0144 - Remote Code Execution - SMB (Request)
DDI Rule 2441 - PsExec PETYA - Ransomware - SMB
In addition, the following rules help monitor potential lateral movement of PsExec: DDI Rules 35 and 1307

Trend Micro TippingPoint customers with the following filters may also have updated protection against "EternalBlue" (however, we are still researching infection and propagation vectors and will provide updates to this information as needed):

Mainline Filters 27931 and 27928 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities and attacks
Digital Vaccine (DV) Filter 28471 - May be configured to enforce generic policy at the network perimeter by blocking SMB v1 traffic (this is disabled by default).

Trend Micro Endpoint Application Control (EAC) administrators utilizing the product's "Lockdown" mode - which allows only pre-specified applications to run - also provides protection against this threat.

Trend Micro highly recommends that vendor critical patches are applied as soon as possible upon release. Customers and partners who may need some additional information or have questions are encouraged to contact their authorized Trend Micro technical support representative for further assistance.

Petya (2017) Ransomware Attack Information

Product / Version includes:

Deep Discovery InspectorAll , Deep SecurityAll , Worry-Free Business Security StandardAll , Worry-Free Business Security ServicesAll , Worry-Free Business Security AdvancedAll

Last updated: 2021/08/28

Solution ID: KA-0007571

Category: SPEC

Summary

Updated: July 10 @ 10:30 PM GMT

Trend Micro is closely monitoring the latest ransomware outbreak that has affected several organizations around the world. This ransomware is suspected to be a variant of "PETYA."

Technical details on this new threat can be found in the following:

TrendLabs Security Intelligence Blog: Large-Scale Ransomware Attack in Progress, Hits Europe Hard.
Trend Micro Security News: Frequently Asked Questions: The Petya Ransomware Outbreak

This article will be continually updated with new information on this threat.

What steps do I need to take to reduce the risk of infection?

Implement the best practices

Patch and update your systems, or consider a virtual patching solution.
Enable your firewalls as well as intrusion detection and prevention systems.
Proactively monitor and validate traffic going in and out of the network.
Implement security mechanisms for other points of entry attackers can use, such as email and websites.
Deploy application control to prevent suspicious files from executing on top of behavior monitoring that can thwart unwanted modifications to the system.
Employ data categorization and network segmentation to mitigate further exposure and damage to data.
Disable SMB (v1) on vulnerable machines – using either GPO or by following the instructions provided by Microsoft.
Ensure that all of the latest patches (if possible using Virtual Patching solution) are applied to affected operating systems – especially the ones related to MS17-010.

Protect your organization using Trend Micro Products

Trend Micro recommends a layered security approach on endpoint, messaging, and gateway, to ensure that all potential entry and compromise points have protection against these types of threats:

Smart Scan Agent Pattern and Official Pattern Release: Trend Micro is in the process of adding known variant and component detections into the following patterns for all products that utilizes these patterns:
- Smart Scan Pattern (TBL) - 17356.008.96 released on June 27 @ 4PM (GMT) with detection name of Ransom_PETYA.TH627
- Smart Scan Agent Pattern and Official Pattern Release (conventional) - 13.499.00 with detection names of Ransom_PETYA.TH627 and Ransom_PETYA.SMA.
Please note that these patterns are the minimum recommended ones that contain protection for this threat -- however, due to new components and variants being discovered it is important that customers ALWAYS obtain the latest pattern files to ensure up-to-date protection. Also note that the minimum Scan Engine version needed for protection with the above patterns is 9.8x.
Trend Micro Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers that have the latest IPS rules may already have an updated layer of Virtual Patching protection for multiple Windows operating systems, including some that have reached end-of-support (XP, 2000, 2003) based on early reports that "EternalBlue" is one of the primary infection vectors. Specifically, Trend Micro released the following IPS rules for proactive protection against MS17-010 if you have not already applied Microsoft’s recommended patches:
- Rules 1008224, 1008225, 1008228, 1008285, and 1008306 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities
- In addition, the following rules may help to prevent potential lateral movement of the ransomware using PsExec: 1003222, 1006906, 1008327, 1008328, 1008422, and 1008423. Please note however, that some of these rules are not automatically enabled by the recommendation scan engine (default setting of the rule is “Detect-only”) and should be switched to “Prevent” mode based on whether these are feasible for your environment (see the screenshot below for more information).
Trend Micro Deep Discovery Inspector customers with the latest rules may also have an additional layer of protection against the vulnerabilities associated with the "EternalBlue" exploit. Specifically, Trend Micro has released the following official rule for proactive protection:
- DDI Rule 2383: CVE-2017-0144 - Remote Code Execution - SMB (Request)
- DDI Rule 2441 - PsExec PETYA - Ransomware - SMB
- In addition, the following rules help monitor potential lateral movement of PsExec: DDI Rules 35 and 1307
Trend Micro TippingPoint customers with the following filters may also have updated protection against "EternalBlue" (however, we are still researching infection and propagation vectors and will provide updates to this information as needed):
- Mainline Filters 27931 and 27928 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities and attacks
- Digital Vaccine (DV) Filter 28471 - May be configured to enforce generic policy at the network perimeter by blocking SMB v1 traffic (this is disabled by default).
Trend Micro Endpoint Application Control (EAC) administrators utilizing the product's "Lockdown" mode - which allows only pre-specified applications to run - also provides protection against this threat.

Additional Information

Below is additional technical information on the known variants and components of this ransomware attack:

Trend Micro Blogs

TrendLabs Security Intelligence Blog: Large-Scale Ransomware Attack in Progress, Hits Europe Hard
Trend Micro Security News: Frequently Asked Questions: The Petya Ransomware Outbreak
Trend Micro Simply Security Article: The Law of Unintended Outbreak – Who Is at Risk from Petya?

3rd Party Information

US-CERT Advisory:
https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Petya (2017) Ransomware Attack Information

What steps do I need to take to reduce the risk of infection?

Protect your organization using Trend Micro Products

Additional Information

Petya (2017) Ransomware Attack Information

Product / Version includes:

Summary

What steps do I need to take to reduce the risk of infection?

Protect your organization using Trend Micro Products

Additional Information