Last week the latest ransomware worm spread across the world. It encrypts files and demands a ransom payment in return for the decryption key.
This malware attack is commonly called “Petya” (many analysts also call it “NotPetya”, since it only borrows code from the original Petya). As a worm, it spreads from one computer to another within a Windows network without human intervention, so it targets organizational Windows networks, which are common in healthcare. The initial infection appears to use the EternalBlue SMBv1 exploit (the vulnerability fixed by MS17-010) that WannaCry used. It may also have arrived through the software update mechanism of the Ukrainian financial software vendor MeDoc, and through MS Word documents containing malicious code.
Within the local network it propagates using PsExec and WMI with administrative credentials taken from the infected host, so it can reach machines that are already patched against EternalBlue if an administrator account is shared across them. Infection results in encryption of files and overwriting of the Master Boot Record (MBR), which leaves the machine unable to boot normally. Once an infected system has been encrypted it should be rebuilt and restored from backup. It is not clear that payment of the ransom will result in a usable key, and the e-mail address given in the ransom note has been shut down by its provider, so plan on recovery from backup only.
To reduce the risk of this malicious software infecting your systems, check the following.
- Ensure all systems have up-to-date patches. In particular, make sure that MS17-010 has been successfully installed on all Windows systems, and disable SMBv1 on any system that does not need it.
- Disable the utility “psexec.exe” (Sysinternals PsExec). When it is used against a machine it installs a service named PSEXESVC there; stop and disable that service where it is present, and block psexec.exe with application control (AppLocker or Software Restriction Policies). Note that the malware carries its own copy of PsExec, so blocking only the copy you installed is not enough: also limit which accounts hold local administrator rights on many machines, since that is what the PsExec/WMI spread relies on.
- Block the file C:\Windows\perfc.dat, the malware’s main DLL, from running (for example with an AppLocker or SRP deny rule for that path).
- Review the information here on a potential vaccine: the malware checks for a file named C:\Windows\perfc before it runs and exits if the file already exists, so creating it as a read-only file blocks infection of that host. This is not a kill switch (it protects only the machine it is created on, not the network), but it can be useful in preventing an attack.
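The following script is an added example, not part of the original advisory, that performs the four checks above on one Windows host: it looks for the MS17-010 update and reports the SMB driver version and SMBv1 state, disables the PsExec service and lists stray psexec.exe copies, and creates the read-only vaccine files. The KB identifiers, the search paths for psexec.exe, and the vaccine file names are assumptions; verify the KB list against Microsoft's MS17-010 guidance for each OS version you run.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original advisory): per-host checks and hardening
# for the Petya/NotPetya outbreak. Run in an elevated PowerShell on each system.
# KB numbers, psexec search paths and vaccine file names are assumptions to verify.

$report = [ordered]@{}

# 1. MS17-010. These are the per-OS KB IDs that shipped the fix (assumption: verify
#    against Microsoft's bulletin). Later cumulative updates supersede them, so
#    "not found" means "check further", not "unpatched".
$ms17010Kbs = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
              'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
$report['MS17-010 KB present'] = [bool]$installed

# The SMB server driver version is the authoritative check; compare the value
# reported here with Microsoft's table of fixed srv.sys versions for your OS.
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
$report['srv.sys version'] = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not found' }

# SMBv1 is the protocol EternalBlue abuses. Get-SmbServerConfiguration exists on
# Windows 8 / Server 2012 and later; older hosts report 'unknown'.
$report['SMBv1 enabled'] = try {
    (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
} catch { 'unknown' }

# 2. PsExec. Stop and disable the service PsExec leaves behind, and list any
#    psexec.exe copies so they can be removed or blocked by application control.
#    (The worm brings its own PsExec, so this only removes one foothold.)
$svc = Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue
if ($svc) {
    Stop-Service -Name PSEXESVC -Force -ErrorAction SilentlyContinue
    Set-Service -Name PSEXESVC -StartupType Disabled
}
$report['PSEXESVC service'] = if ($svc) { 'disabled' } else { 'absent' }

$searchRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }
$psexecCopies = Get-ChildItem -Path $searchRoots -Filter 'psexec*.exe' -Recurse `
    -ErrorAction SilentlyContinue
$report['psexec.exe copies'] = if ($psexecCopies) { $psexecCopies.FullName -join '; ' } else { 'none' }

# 3./4. Vaccine. The malware drops its DLL as C:\Windows\perfc.dat and exits if
#    C:\Windows\perfc already exists. Creating perfc (and the two variant names,
#    an assumption on the safe side) as read-only files blocks both steps on this host.
foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $path = Join-Path $env:SystemRoot $name
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
}
$report['vaccine files'] = @('perfc', 'perfc.dat', 'perfc.dll') |
    ForEach-Object { (Get-Item (Join-Path $env:SystemRoot $_)).IsReadOnly } |
    Where-Object { -not $_ } | Measure-Object | ForEach-Object { $_.Count -eq 0 }

# Print a one-line-per-check summary for the ticket or inventory.
$report.GetEnumerator() | ForEach-Object { '{0,-22}: {1}' -f $_.Key, $_.Value }
```

Run it once per host (or push it through your management tooling) and keep the printed summary; a host that reports no MS17-010 KB and an old srv.sys version, SMBv1 still enabled, or vaccine files missing is the one to isolate first. The vaccine section is safe to re-run, since it only creates files that do not yet exist and sets the read-only attribute.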
Unfortunately, once a system (or the network) has been infected it may be too late, and significant data loss is the likely outcome. One exception worth telling staff about: after infection the malware reboots the machine and shows a fake CHKDSK “repairing the disk” screen while it encrypts the file system; powering the machine off at that point, rather than letting the “repair” finish, interrupts that stage and may leave the disk recoverable by specialists.
Please take a moment to address this risk by patching all systems, evaluating your vulnerabilities, deploying the vaccine, and training staff to treat unexpected files and attachments as suspicious.
Please let us know if you have additional questions.