Protecting Yourself from Petwrap or NotPetya or Petya

Watching news stories this morning on national media, it seems that the public feels somewhat helpless about how to defend themselves from the latest ransomware onslaught, Petya/NotPetya/Petwrap. “Shouldn’t the NSA be held responsible for protecting us from an exploit they invented?” asked an anchor person on a prominent morning news show. The expert on the discussion panel didn’t respond, rather than fueling the FUD machine, as national media is often wont to do.


I speculated that this type of attack would happen when WannaCry hit last month. It’s rare that a security professional would expose the Windows SMB port to the Internet, WannaCry’s initial entry point into a network, but once malware is inside your network that exploit is available everywhere and an excellent choice for propagation. I thought that using phishing as an initial entry point would be more effective for threat actors, and sure enough, that’s what Petya is doing: phishing as an initial entry, then SMB to further propagate.

How do you defend yourself against Petya/Petwrap/NotPetya?

First and foremost, educate your users about phishing. Phishing training is available as a cloud service and is very effective – ThreatSim, acquired by Wombat, comes to mind – but here are some tips you can pass on to your user base about things to look for in an email that should make them suspect a phishing attempt:

  • Email mismatch is a big clue. If the display name and the address in “Simple Name <local-part@domain-name>” don’t agree, it’s not only fishy, it’s likely phishy. An example would be “John Doe <anon135!>”, where the address isn’t a valid mailbox at all.
  • Prompting to change credentials should raise suspicions. Your IT team or bank is unlikely to ask you to perform such an insecure practice.
  • The presence of MS Office attachments should raise suspicions, even if the email appears to be from someone you know. There are more secure ways to share information.
  • A threat is issued unless the requested action (i.e. a click-through) is performed. Examples are “or risk your account being locked out” or “charges will be automatically billed.”
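The four indicators above can be turned into a simple triage check that a help desk or mail-filter team can run over a reported message. This is an added example, not code from the original post or from CIPHER; the phrase lists and the sample message are constructed for illustration, and the sender check uses Python's standard `email.utils.parseaddr`.

```python
import re
from email.utils import parseaddr

# Constructed indicator lists for this example (not from the original post).
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                     ".ppt", ".pptx", ".rtf")
CREDENTIAL_PHRASES = ("change your password", "update your credentials",
                      "verify your account", "confirm your login")
THREAT_PHRASES = ("account being locked", "will be locked", "will be suspended",
                  "automatically billed", "will be charged")
# A minimal "looks like a mailbox" pattern: one local part, one '@', a dotted domain.
ADDR_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


def sender_mismatch(from_header):
    """Indicator 1: the From header's display name and address do not agree.

    Flags a malformed address (the post's "John Doe <anon135!>" case) and a
    display name that itself looks like a mailbox at a different domain.
    """
    name, addr = parseaddr(from_header)
    if not ADDR_RE.match(addr):
        return True
    embedded = re.search(r"[^@\s<>\"]+@([^@\s<>\"]+)", name)
    if embedded and embedded.group(1).lower() != addr.rsplit("@", 1)[1].lower():
        return True
    return False


def phishing_indicators(from_header, subject, body, attachments=()):
    """Return the names of the post's four indicators present in a message."""
    text = f"{subject} {body}".lower()
    hits = []
    if sender_mismatch(from_header):
        hits.append("sender mismatch")
    if any(p in text for p in CREDENTIAL_PHRASES):
        hits.append("credential prompt")
    if any(a.lower().endswith(OFFICE_EXTENSIONS) for a in attachments):
        hits.append("office attachment")
    if any(p in text for p in THREAT_PHRASES):
        hits.append("threat")
    return hits


if __name__ == "__main__":
    # Constructed sample message that trips all four indicators.
    print(phishing_indicators(
        "IT Helpdesk <anon135!>", "Action required",
        "Please change your password today or risk your account being locked out.",
        ["Payroll_Update.docx"]))
```

A message that trips none of the four is not necessarily safe; the check is a first-pass aid for users and help desks, not a replacement for mail filtering or endpoint protection.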

If a user falls for the phishing attempt, what then? If you don’t have an Endpoint Protection Product (EPP) in place, you should seriously consider one. Examples are Carbon Black, CrowdStrike, and Cylance. They can prevent malware from executing once it is present on a user machine or server.

You should consider using a Managed Security Service Provider (MSSP). Consider the value-add that CIPHER’s MSSP actions brought to the table immediately after the Petya/NotPetya/Petwrap attack hit the news:

  • Informed clients as to the nature of the risk with reliable details about how Petya/NotPetya/Petwrap spreads, i.e. first through phishing, then through the SMB exploit, based on analysis from our research team
  • Created rules for multiple SIEM products covering AV, firewall, AD Object Access, and EPP products
  • Created IPS/IDS signatures to look for Indicators of Compromise
  • Provided a list of malicious IP addresses specific to the threat and configured firewalls to block them
  • Provided a hash for use with Endpoint Protection products to ban files involved in the infection and propagation
  • Provided associated filenames and email addresses
  • Checked the IPS ruleset for JBoss rules that would apply
  • Provided a link to the Microsoft SMB update that removes the vulnerability
  • Provided a sandbox for our clients to use to determine infection

If all else fails, consider that if you pay the ransom, you encourage subsequent attacks like this by monetizing the threat actor’s efforts. Hopefully, you have good backups that you can rely on – rebuild servers, re-image laptops, and roll the backups back onto the machines.

Contact us here, if you need to get through the Petya/Petwrap/NotPetya storm with consulting assistance.





Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services holding ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions.
