Palo Alto Networks beskytter mot Petya Ransomware

Tirsdag 27. juni ble flere organisasjoner, både offentlige etater og kritisk infrastruktur, angrepet av viruset Petya.

What happened:

On June 27, 2017, the Petya ransomware began impacting multiple organizations, including government and critical infrastructure operators. The attack appears to spread in a similar fashion to the May 2017 WanaCrypt0r/WanaCry attacks, likely using the ETERNALBLUE exploit tool to traverse the network via Microsoft Windows SMB protocol. Palo Alto Networks customers were automatically protected from Petya attacks with protections created, delivered and enforced across multiple elements of our Next-Generation Security Platform.

How the attack works:

While the initial infection vector is unclear, Petya likely attempts to spread to other hosts using the SMB protocol by exploiting the ETERNALBLUE vulnerability (CVE-2017-0144) on Microsoft Windows systems. This vulnerability was publicly disclosed by the Shadow Brokers group in April 2017, and was addressed by Microsoft in March 2017 with MS17-010. Once a successful infection has occurred, the malware encrypts users’ systems and prompts demand of a $300 payment to return access. For detailed analysis on the Petya attack playbook, please see our blog from the Unit 42 threat research team.


Palo Alto Networks customers are protected through our Next-Generation Security Platform, which employs a breach prevention-based approach that automatically stops threats across the attack lifecycle. Palo Alto Networks customers are protected from Petya ransomware through multiple complementary prevention controls across the platform, including:

  • WildFire classifies all known samples as malware, automatically blocking malicious content from being delivered to users.
  • AutoFocus tracks the attack for threat analytics and hunting via the Petya tag.
  • Threat Prevention
    • Enforces IPS signatures (content release: 688-2964) for the SMB vulnerability exploit (CVE-2017-0144– MS17-010) likely used in this attack.
    • Blocks the malicious payload via “Virus/Win32.WGeneric.mkldr” and “Virus/Win32.WGeneric.mkknd” signatures.
  • GlobalProtect extends WildFire and Threat Prevention protections to ensure consistent coverage for remote locations and users.
  • App-ID should be employed to control usage of SMB traffic throughout the network, only enabling it where necessary, including disabling older versions of the SMB protocol that pose higher risk (e.g. SMBv1).

NOTE: We are continuously monitoring the Petya situation and will update this post with additional details on protections as they arise.

For best practices on preventing ransomware with the Palo Alto Networks Next-Generation Security Platform, please refer to our Knowledge Base article. We strongly recommend that all Windows users ensure they have the latest patches made available by Microsoft installed, including versions of software that have reached end-of-life support. For the latest on the Petya attack playbook, please see the Unit 42 post.