Nightmare on Petya Street

Just some notes for myself that others may also find useful:

Initial propagation was allegedly via Medoc auto-updates, though the vendor denies it.

Image posted on twitter, attribution intentionally missing:

Good write-up by Brian Krebs indicating how the malware obtained credentials to propagate.

Create c:\windows\perfc.dat and make it read-only:

Apply MS17-010 and disable admin$ shares via GPO
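One way to apply the perfc "vaccine" from the note above and check the result on a single host, as an added example that is not from the original post. It assumes an elevated PowerShell session, uses the perfc.dat name given above (resolving c:\windows through $env:SystemRoot), and for the admin$ part only reports the LanmanServer AutoShareWks/AutoShareServer registry values that a GPO would normally set rather than changing them:

```powershell
# Added example, not from the original post. Run elevated.

function Install-PerfcVaccine {
    [CmdletBinding()]
    param(
        # perfc.dat as named in the note; $env:SystemRoot is normally C:\Windows
        [string]$Path = (Join-Path $env:SystemRoot 'perfc.dat')
    )

    # Create an empty file only if it is not already there (idempotent).
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Set the ReadOnly attribute without clearing any other attributes.
    $item = Get-Item -LiteralPath $Path
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::ReadOnly

    Test-PerfcVaccine -Path $Path
}

function Test-PerfcVaccine {
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc.dat'))

    $exists   = Test-Path -LiteralPath $Path
    $readOnly = $false
    if ($exists) {
        $attrs    = (Get-Item -LiteralPath $Path).Attributes
        $readOnly = [bool]($attrs -band [IO.FileAttributes]::ReadOnly)
    }
    [pscustomobject]@{ Path = $Path; Exists = $exists; ReadOnly = $readOnly }
}

function Test-AdminShareAutoCreate {
    # Reports whether admin shares (ADMIN$, C$) are set to be auto-created.
    # 0 = disabled. Both values are assumed absent (default: enabled) if unset.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoShareWks    = if ($null -ne $p.AutoShareWks)    { $p.AutoShareWks }    else { 'not set (enabled)' }
        AutoShareServer = if ($null -ne $p.AutoShareServer) { $p.AutoShareServer } else { 'not set (enabled)' }
    }
}

Install-PerfcVaccine
Test-AdminShareAutoCreate
```

A value of 0 for the relevant AutoShare setting means the GPO change has taken effect on that host; the vaccine check should show Exists and ReadOnly both True.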

After reboot, system appears to be running fsck, but this is actually files being encrypted. Shut the system down immediately if that happens to enable file recovery using a boot disk.
