Facebook Google+ Twitter LinkedIn YouTube RSS メニュー 検索 リソース - ブログリソース - ウェビナーリソース - レポートリソース - イベントicons_066 icons_067icons_068icons_069icons_070

先進企業のためのPetya/NotPetyaランサムウェアの検出

A new version of the Petya malware is spreading globally, including the European Union, Ukraine and Russia. It has already impacted many organizations, both large and small, and has compromised systems at Ukraine’s central bank, its state telecommunications company, municipal metro, and Kiev’s Boryspil International Airport.

背景

Petya ransomware is powered by Shadow Brokers exploits, which were leaked earlier this year. After compromising a system, the malware encrypts the data using a private key, and prevents users from accessing the system until it is restored or decrypted. The initial infection vector for this campaign appears to be a poisoned update for the MeDoc software suite, a tax software package used by many Ukrainian organizations. The malware then infects systems that are vulnerable to MS17-010 and spreads laterally across the infrastructure.

注: The Petya malware creates a scheduled task which reboots up to one hour after infection. If the task is removed before execution, it does not reschedule, buying you some time.

Similar to the WannaCry ransomware that infected systems globally earlier this year, Petya takes advantage of known vulnerabilities that already have patches. In a world where malware threats arise every day, chasing daily threats is not advised. Organizations everywhere and of every size need a more strategic approach to proactively manage security threats (and protect themselves and their customers) by implementing good cyber hygiene practices, including regular patching, updates, backups, and continuous monitoring.

Tenable のソリューション

Patch vulnerabilities

Tenable customers should immediately patch systems vulnerable to MS17-010 if you haven’t already done so. Tenable.io™ Vulnerability Management has the following four plugins, released earlier this year, to detect vulnerable systems:

プラグインID Plugin Title/Comments Exploits

97737

MS17-010: Security Update for Microsoft Windows SMB Server (4013389)

ETERNALBLUE

ETERNALCHAMPION ETERNALROMANCE ETERNALSYNERGY

WannaCry

EternalRocks

97833

MS17-010: Security Update for Microsoft Windows SMB Server (4013389) uncredentialed check

ETERNALBLUE

ETERNALCHAMPION ETERNALROMANCE ETERNALSYNERGY WannaCry

EternalRocks

Malware scan

Tenable customers can use the Malware Scan Policy in Tenable.io™ or SecurityCenter™ to detect machines infected with Petya, and the results will be reported under plugin 59275:

Plugin 59275 output

YARA detection

Tenable customers can also use YARA rules to identify infected systems through the Malicious File Detection Using YARA Nessus plugin.

Here’s a sample rule from Kaspersky which can be used with Nessus to detect the Petya malware :

Sample YARA rule for Nessus to detect Petya

ダッシュボード

The Petya dashboard uses all the available methods mentioned above to consolidate the data for easy understanding of the systems most likely affected or at risk from the malware. The components bring in netstats from Nessus and the Nessus Network Monitor, and also display the content related to missing patches associated with SMB vulnerabilities.

まとめ

ほとんどのランサムウェアは、既にパッチが入手可能になっている有名な脆弱性を利用します。定期的なパッチ適用とシステム更新を含む、プロアクティブなセキュリティプログラムは、システムのマルウェア感染を防止する最善の戦略の1つです。Make it a regular habit to patch and protect.

詳細情報

  • Learn more about Tenable.io, the first vulnerability management platform for all modern assets
  • Get a free 60-day trial of Tenable.io

このブログに協力いただいたTenableリサーチチームに感謝いたします。

Updated 2017年06月28日. Initial research suggested that CVE-2017-0199 was a potential infection vector; we are doing additional research into that issue.

Tenableブログを購読する

購読する
無料でお試し 今すぐ購入

Tenable.io Vulnerability Managementをお試しください

60日間無料

これまでにない精度で資産のすべてを見て追跡できる最新のクラウド型脆弱性管理プラットフォームにフルアクセスできます。さっそくご登録ください。60秒以内に最初のスキャンを実行できます。

Tenable.io Vulnerability Managementのご購入

これまでにない精度で資産のすべてを見て追跡できる最新のクラウド型脆弱性管理プラットフォームにフルアクセスできます。年間サブスクリプションを今日ご購入ください。

65件の資産

Nessus Professionalを無料で試す

7日間無料

Nessus®は今日、業界における最も包括的な脆弱性スキャナです。Nessus Professional により、脆弱性スキャンプロセスの自動化、コンプライアンスサイクルでの時間の節約、そして IT チームへの従事が実現できます。