Starting June 27th, a new variant of the Petya ransomware, also known as Petrwrap, Not Petya and exPetr, spread internationally to several businesses. Ukraine, Russia and Western Europe were among those that needed to go offline. More than 2,000 attacks took place with the help of the Windows SMBv1 vulnerability that the WannaCry ransomware attacks utilized. Unlike WannaCry, Petya does not encrypt files one by one on a targeted machine or system. Instead, Petya reboots the victim's machine and encrypts the hard drive's master file table (MFT). The master boot record (MBR) is therefore rendered inoperable, restricting access to the full system by seizing information on file names, sizes, and location on the physical disk. Petya replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot. Researchers at Symantec say they have confirmed the ransomware is using the Eternal Blue exploit. The malware's capabilities include the following: network surveying, password extraction, and file decryption.
Schneider is currently assessing impact.
Schneider Electric recommends that customers with supported systems check with their designated support portals first, before carrying out the following to prevent this attack:
For More Information
- Immediately apply the Microsoft patch for the MS17-010 SMB vulnerability:
- Based upon guidance from your product support team, you may want to consider disabling the SMB v1 file-sharing protocol.
- Ensure you have up-to-date backups. This alone is the most effective way to recover from a ransomware attack.
- Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail.
- Configure access controls including file, directory, and network share permissions with least privilege in mind.
- Inform and educate your employees to identify scams, malicious links, and social engineering attempts.
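A read-only way to check a Windows host against the first two recommendations, as an added example that is not part of the original advisory or any Schneider Electric tooling. It assumes an elevated PowerShell session, and it uses 14 March 2017, the release date of MS17-010, only as a heuristic: a host with no update installed since then cannot have the patch.

```powershell
# Added example: audit SMBv1 exposure and patch recency. Makes no changes.
$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# SMBv1 server side. The cmdlet exists on Windows 8 / Server 2012 and later.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $report.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Older systems: registry value; a missing value means SMBv1 is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $report.Smb1ServerEnabled = ($null -eq $val) -or ($val -ne 0)
}

# SMBv1 client driver. Start = 4 means the driver is disabled.
$drv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
    -ErrorAction SilentlyContinue
$report.Smb1ClientEnabled = [bool]($drv -and $drv.Start -ne 4)

# Optional-feature state, where the DISM cmdlets are available.
try {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    $report.Smb1FeatureState = [string]$feat.State
} catch {
    $report.Smb1FeatureState = 'Unknown (feature query not available)'
}

# Patch recency heuristic: MS17-010 was released on 14 March 2017.
$latest = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn | Select-Object -Last 1
$report.LatestHotfix     = $latest.HotFixID
$report.LatestHotfixDate = $latest.InstalledOn
$report.NoUpdateSinceMS17010 =
    (-not $latest) -or ($latest.InstalledOn -lt [datetime]'2017-03-14')

# Flag the host if SMBv1 is reachable or updates clearly predate the fix.
$report.NeedsAttention = $report.Smb1ServerEnabled -or
    $report.Smb1ClientEnabled -or $report.NoUpdateSinceMS17010

[pscustomobject]$report
```

A recent hotfix date does not prove MS17-010 is installed; confirm the specific update for the operating system version through the product support portal before changing SMB settings on a control-system host.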
Ensure all other cyber-defenses are up-to-date. If you are unsure, engage the Industrial Cybersecurity Services team: https://www.schneider-electric.com/b2b/en/services/field-services/industrial-automation/industrial-cybersecurity/industrial-cybersecurity.jsp
To obtain full details on the issues and assistance on how to protect your installation, please contact your local Schneider Electric representative. These organizations will be fully aware of the situation and can support you through the process.
For further information on vulnerabilities in Schneider Electric's products, please visit Schneider Electric's cybersecurity web page at https://www.schneider-electric.com/b2b/en/support/cybersecurity/overview.jsp