Wednesday 28 June 2017

Updated Advice for Petya Ransomware Outbreak


Urgent Threat Update Regarding Petya Ransomware Outbreak


Please be alerted that a new strain of ransomware based upon Petya is spreading fast and renders servers and machines useless. Comments on VirusTotal indicate the usage of the EternalBlue exploit; this has not yet been confirmed, but it is the likely entry point. The ransomware clears the Windows event log using Wevtutil, writes a message to the raw disk partition and shuts down the machine.
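
The Wevtutil log clearing described above is something defenders can alert on. The following is an added example, not part of the original advisory: it scans process-creation records (for example Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1) for wevtutil clear-log invocations. The record layout, host names and sample command lines are constructed assumptions.

```python
import re

# wevtutil's clear-log subcommand has a short and a long form.
CLEAR_SUBCOMMANDS = {"cl", "clear-log"}
# Tokens are quoted strings or runs without whitespace or cmd.exe separators (& |).
TOKEN_RE = re.compile(r'"[^"]*"|[^\s&|]+')


def cleared_logs(command_line):
    """Return the names of the logs a command line asks wevtutil to clear."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(command_line)]
    logs = []
    for i, tok in enumerate(tokens[:-1]):
        # Reduce a full path to the bare, lower-cased executable name.
        exe = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe not in ("wevtutil", "wevtutil.exe"):
            continue
        if tokens[i + 1].lower() in CLEAR_SUBCOMMANDS:
            # The log name is the next token that is not a /option.
            rest = tokens[i + 2:]
            logs.append(next((t for t in rest if not t.startswith("/")), "?"))
    return logs


def find_log_clearing(events):
    """Return (host, logs) for each process-creation record that clears logs."""
    hits = []
    for ev in events:
        logs = cleared_logs(ev["command_line"])
        if logs:
            hits.append((ev["host"], logs))
    return hits


# Constructed sample records; host names and command lines are illustrative.
SAMPLE_EVENTS = [
    {"host": "WS-014", "command_line": r"C:\Windows\System32\wevtutil.exe qe Security /c:5"},
    {"host": "WS-022", "command_line": r"cmd.exe /c wevtutil cl System & wevtutil cl Security"},
    {"host": "SRV-03", "command_line": r'"C:\Windows\System32\WEVTUTIL.EXE" Clear-Log "Windows PowerShell"'},
    {"host": "WS-031", "command_line": r"wevtutil el"},
]

if __name__ == "__main__":
    for host, logs in find_log_clearing(SAMPLE_EVENTS):
        print(f"ALERT {host}: wevtutil clearing {', '.join(logs)}")
```

Run a check like this against process-creation telemetry that has already been forwarded to a central collector, because the local event logs are what is being cleared.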

Further companies have been affected today and the advice has now been amended. Please see the advisory below; point 3 is of particular importance.
Until further information is available we urge all our clients to:

1) Test for back-ups today.

2) Make sure all patches have been deployed fully. See below for the advice given by Microsoft in May regarding WannaCry and check that it has been implemented:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

3) If affected, customers are now advised to unplug the machines from the network and power them down. Do not switch the power back on, as files may be recoverable if the encryption process has not yet begun. Attempting to pay the ransom does not work, as the decryption process does not start. The payment email address has been disabled.

4) Advise all users to be extra vigilant for phishing attacks.

5) Call ZeroDayLab if they have any further concerns.

As ever, you can contact us on the following numbers in the event you have any concerns:
UK: 0207 979 2067
Manchester: 0161 883 2660
Ireland: +353 153 14575
Benelux: +31 208 085136
North America: 1-302-498-8322

Tuesday 27 June 2017

Urgent Advice for Latest Ransomware Attack Spreading Like Wannacry

URGENT ADVISORY

PETYA RANSOMWARE


Please be alerted that a new strain of ransomware based upon Petya is spreading fast and renders servers and machines useless. Comments on VirusTotal indicate the usage of the EternalBlue exploit; this has not yet been confirmed, but it is the likely entry point. The ransomware clears the Windows event log using Wevtutil, writes a message to the raw disk partition and shuts down the machine.

According to the BBC, Kiev's main airport appears to have been among the victims, which include Ukraine's central bank, the Danish shipping company Maersk, Mondelez and DLA Piper.
Until further information is available we urge all our clients to:

1) Test for back-ups today.

2) Make sure all patches have been deployed fully. See below for the advice given by Microsoft in May regarding WannaCry and check that it has been implemented:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

3) If affected, users need to isolate and disconnect machines from the network and keep them on. They must not turn the power off.

4) Advise all users to be extra vigilant for phishing attacks.

5) Call ZeroDayLab if they have any further concerns.

