Following the worldwide Petya ransomware attack that started on Tuesday, Maintel technical personnel have been working continuously to ensure that our systems and customer installations are fully protected against this threat. Petya targets some of the weaknesses that WannaCry exposed, so some of the fixes and best practices from that threat apply here; note also that Petya is only designed to propagate across a LAN. As a result we confirm that:
- Maintel IT server systems, desktops and laptops (including our mobile engineers) are patched regularly for Microsoft updates via our WSUS servers and are up to date including the necessary patches against this threat.
- Our antivirus systems update as soon as patches become available, so they are always at the latest patch level.
- All ICON Connect, ICON Communicate, and ICON Secure Infrastructure and customer solutions are patched and protected.
- All ICON Communicate solutions have also been tested to verify that the applications are running correctly.
- All central management and monitoring servers have been patched.
- All relevant network connections have been checked to ensure that we are not only patched but also have no points of injection for this threat through our central Support firewall infrastructure, which is used to secure customer and supplier connections.
We are currently validating with our support partners to ensure that they also are up to date and protected.
We are constantly monitoring various sources to ensure that we are up to date with any changes or updates relating to this threat, and will continue to do so until the situation stabilises and the attack vectors are fully understood.
This issue has the full attention and support from Maintel Board level and continues to be addressed with the utmost urgency.
Recommended customer best practice
Maintel advise the following steps be performed in order to contain the propagation of the Petya malware:
- If you have supported Microsoft operating systems, ensure they are patched regularly and that patch MS17-010 is deployed.
Please note that some software vendors only have limited support for Microsoft patching:
- Avaya: last two major releases (including the current release)
- Mitel: current release only has design support for MS patching
This means that if a Microsoft patch update stops the voice system working, there is no vendor support to rectify this beyond these releases. We have seen this in the past, but be aware that we have successfully patched Mitel systems from version 6 through 8 (although this does not guarantee there will be no issues in future).
- Upgrade or remove legacy unsupported Windows OS wherever possible. If you have to run these OS, a new patch has been made available for legacy platforms and can be found here: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- To vaccinate your computer so that it cannot be infected by the current strain of Petya, create an empty text file called perfc (no file extension) in the Windows folder and make it read-only. This stops the current strain from infecting the machine, but note that the file needs to exist in the %WINDIR% folder on every Windows machine. Typing SET at a command prompt shows the WINDIR variable, which tells you where this folder is located, e.g. C:\Windows.
- On supported Windows OS, disable SMBv1 in Windows and Windows Server. There is guidance here: https://support.microsoft.com/en-us/help/2696547
- If you have unsupported operating systems (XP or Server 2003), note that these only support SMBv1, so disabling SMBv1 will block any SMB-reliant services used by those machines.
- Wherever possible block SMBv1 ports [UDP 137, 138 and TCP 139, 445] on all network boundary devices.
- Disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users.
- If you suspect a machine may be infected, prevent Petya from propagating by shutting down vulnerable systems on the LAN where possible.
- Antivirus vendors are increasingly becoming able to detect and remediate this malware, therefore updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).
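Added example (not from Maintel or the original advisory): a PowerShell script that applies the two host-level steps above on a single machine, creating the read-only perfc vaccine file in %WINDIR% and, optionally, disabling SMBv1 on Windows 8 / Server 2012 and later. The script name and the -DisableSmb1 switch are assumptions; it supports -WhatIf so the changes can be previewed before they are made.

```powershell
# Added example, not Maintel's own script. Applies the perfc vaccine file and
# (optionally) disables the SMBv1 server protocol on this host.
# Run from an elevated PowerShell prompt; use -WhatIf to preview.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed switch: off by default because disabling SMBv1 breaks access
    # from SMBv1-only clients such as XP and Server 2003.
    [switch]$DisableSmb1
)

# 1. Vaccine file: %WINDIR%\perfc, empty and read-only. The folder is taken
#    from the WINDIR environment variable rather than assuming C:\Windows.
$vaccine = Join-Path $env:WINDIR 'perfc'
if (-not (Test-Path -LiteralPath $vaccine)) {
    if ($PSCmdlet.ShouldProcess($vaccine, 'Create empty vaccine file')) {
        New-Item -ItemType File -Path $vaccine | Out-Null
    }
}
if (Test-Path -LiteralPath $vaccine) {
    # Set the read-only attribute even if the file already existed without it.
    Set-ItemProperty -LiteralPath $vaccine -Name IsReadOnly -Value $true
    $item = Get-Item -LiteralPath $vaccine
    Write-Host ('perfc: {0}  read-only: {1}  size: {2} bytes' -f `
        $item.FullName, $item.IsReadOnly, $item.Length)
}

# 2. SMBv1 on the server side (Windows 8 / Server 2012 and later only;
#    older platforms need the registry or feature steps from KB2696547).
$smb = Get-SmbServerConfiguration
Write-Host ('SMBv1 server protocol enabled: {0}' -f $smb.EnableSMB1Protocol)
if ($DisableSmb1 -and $smb.EnableSMB1Protocol) {
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMBv1 disabled; XP and Server 2003 clients will lose access to shares on this host.'
    }
}
```

The script reports the current SMBv1 state without changing it unless -DisableSmb1 is given, so it can also be used as a read-only check across a fleet before the disruption trade-off in the next bullet is decided.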
Recommended Steps for Remediation
- We encourage you to contact National Cyber Security Centre for their latest guidance and/or Cyber Security Information Sharing Partnership (CiSP) upon discovery to report an intrusion and gain any available assistance. Maintain and provide relevant logs.
- Implement your security incident response and business continuity plan. Ideally, organisations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.
Defending Against Ransomware Generally
Precautionary measures to mitigate ransomware threats include:
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
- Scrutinise links contained in emails, and do not open attachments included in unsolicited emails.
- Only download software—especially free software—from sites you know and trust.
- Enable automated patches for your operating system and Web browser.