A major ransomware attack has impacted businesses throughout Europe, in an infection reminiscent of last month's WannaCry attack. The most severe damage is being reported by Ukrainian businesses, with systems compromised at Ukraine's central bank, state telecom, municipal metro, and Kiev's Boryspil Airport. Systems were also compromised at Ukraine's Ukrenergo electricity supplier, although a spokesperson said the power supply was unaffected by the attack.
The ransomware attack has affected operations at the Chernobyl nuclear power plant too, causing it to switch to manual radiation monitoring. Infections have also been reported in more isolated devices like point-of-sale terminals and ATMs.
The ransomware, apparently a variant of the Petya/Mischa/GoldenEye family, appears to spread using both the ETERNALBLUE SMBv1 exploit developed by the NSA (and used by WannaCry) and a Microsoft Office/WordPad flaw (CVE-2017-0199) patched earlier this year.
We advise all businesses and organisations to patch immediately. The SMBv1 hole that ETERNALBLUE exploits is closed by MS17-010 (CVE-2017-0143 to CVE-2017-0148); in addition, apply the fixes for the following vulnerabilities: CVE-2017-0176, CVE-2017-0222, CVE-2017-0267 to CVE-2017-0280, CVE-2017-7269, CVE-2017-8461, CVE-2017-8464, CVE-2017-8487, CVE-2017-8543, CVE-2017-8552. Also, disable WMIC, which the malware uses for lateral movement once it has a foothold on a host. Note that this limits rather than stops lateral movement, so patching and SMBv1 removal remain essential.
Additionally, don't wait: disable SMBv1 before it's too late. On Windows 8 / Windows Server 2012 and later, the Set-SmbServerConfiguration cmdlet in an elevated PowerShell session turns the server-side SMBv1 and SMBv2/SMBv3 protocols on or off with a single switch each. Only SMBv1 should be disabled: SMBv2 and SMBv3 share one switch, and normal file sharing depends on them. On older versions (Windows 7, Server 2008 R2 and earlier) the process is more involved, and you need to edit the registry under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
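The hardening steps above (SMBv1 removal on both older and newer Windows, plus cutting off the inbound path that remote WMIC calls use), as an added example that is not part of the original advisory. It assumes an elevated PowerShell session on a Windows client or server; the registry value, driver and service names are the ones Microsoft documents for the SMBv1 procedure, and the WMI firewall step is an addition here rather than something the advisory spells out.

```powershell
# Added example, not from the original advisory: disable SMBv1 on the server
# and client side, verify the change, and block inbound WMI on this host.
# Run in an elevated PowerShell session. The client-side change and the
# registry change on older Windows take effect after a reboot.

$os     = [Environment]::OSVersion.Version
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Returns $true when the SMBv1 server component is enabled.
    if ($os -ge [Version]'6.2') {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older Windows: the SMB1 value is absent by default, which means enabled.
    $value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

Write-Host ("SMBv1 server enabled before: {0}" -f (Get-Smb1ServerState))

if ($os -ge [Version]'6.2') {
    # Windows 8 / Server 2012 and later. Only SMBv1 is switched off:
    # SMBv2 and SMBv3 share the EnableSMB2Protocol switch and are left alone.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
else {
    # Windows 7 / Server 2008 R2 / Vista / Server 2008: registry method.
    Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
}

# SMBv1 client side (all versions above): stop the workstation service from
# loading the SMBv1 redirector driver (mrxsmb10) at next boot. The space after
# "depend=" and "start=" is required by sc.exe.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

# Inbound WMI: remote wmic.exe calls reach a target through the rules in this
# group, so disabling the inbound rules cuts off that path into this host.
# Skip this on hosts that are legitimately managed remotely over WMI.
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" dir=in new enable=no

Write-Host ("SMBv1 server enabled after:  {0}" -f (Get-Smb1ServerState))
```

Roll this out through Group Policy or your management tooling rather than by hand, and test it on a pilot group first: old printers, NAS boxes and scanners sometimes still require SMBv1. Removing SMBv1 blunts ETERNALBLUE, but it is a mitigation, not a substitute for installing MS17-010.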