Nightmare on Petya Street

Just some notes for myself that others may also find useful:

Initial propagation allegedly Medoc auto updates, though vendor denies it

Image posted on twitter, attribution intentionally missing:

https://twitter.com/thedefensedude/status/879764193913716737

Good write up by Brian Krebs indicating how the malware obtained credentials to propagate
Mitigations:

Create c:\widows\perfc.dat and make it read only:

https://twitter.com/hackingdave/status/879779361364357121

Apply MS17-010 and disable admin$ shares via GPO

After reboot, system appears to be running fsck, but this is actually files being encrypted.  Shut the system down immediately if that happens to enable file recovery using a boot disk.

Leave a Reply

Your email address will not be published. Required fields are marked *