June 28, 2017
Calli Schlientz
Edge Hosting

Petya/NotPetya Ransomware Update


Edge Hosting continues to protect customers from the latest global ransomware attack, Petya (also known as NotPetya), through a multi-layered security model. All Edge customers are protected by signatures applied to our Intrusion Prevention System (IPS). Customers running Windows Server 2008, 2012 and 2016 are further protected by updated signatures in the Sophos anti-virus product and by Windows Server patching. Customers who have opted out of patching should patch their systems immediately! If you need help, we are here 24/7: please open a ticket with our Network Operations Center (NOC) support team, and we’ll coordinate an effort to patch servers hosted at Edge. Also, please patch the workstations in your offices, as this ransomware can traverse VPN connections and reach servers from your workstations.


Ransomware is a type of malicious software that infects a computer and restricts users’ access to the infected machine until a ransom is paid to unlock it. Using unpatched and unsupported software may increase the risk of proliferation of cyber security threats, such as ransomware.


According to U.S. CERT, this ransomware variant encrypts the master boot record of infected Windows computers, making affected machines unusable. The initial attacks began in Ukraine and Russia on Tuesday (June 27, 2017) and have since spread across Europe and the United States. The attackers are gaining access through vulnerabilities in Server Message Block (SMB). The infected machine crashes and reboots, and the malware begins encrypting data during the reboot. As with the WannaCry ransomware in May, the malware moves laterally to other servers and workstations through shared drives by exploiting the SMB vulnerability.

At this time, the service provider of the email address used by the malware authors for ransom payment has blocked access to the email account, preventing payment of the requested ransom.


U.S. CERT states that attackers are gaining access to enterprise servers through phishing emails and then moving laterally to other servers and workstations through shared drives by exploiting a critical Windows SMB vulnerability. Microsoft released a patch in mid-March (MS17-010) that has successfully prevented attacks and the spread of this ransomware.


The Edge Hosting team has been diligent in the defense against this attack. Windows Server 2008, 2012 and 2016 systems have been patched, anti-virus software is updated on a frequent basis (approximately every two hours), and our Intrusion Prevention System (IPS) has signatures and other controls in place to defend systems.

As always, we are working 24/7 to stay ahead of the attack and to ensure the confidentiality, integrity, and availability of your most critical assets. We are actively reviewing information from the U.S. Computer Emergency Response Team (CERT), and SMB, Microsoft’s network file-sharing protocol, is blocked at the perimeter of our network, so that the VPN is the only viable path for SMB traffic into your VLAN. We have applied the following filters to our IPS to help protect against the exploits:

• SMB: Server MID Type Confusion Vulnerability
• SMB: Remote Code Execution Vulnerability (EternalBlue)
• SMB: Server SMBv1 Buffer Overflow Vulnerability
• SMB: Remote Code Execution Vulnerabilities (EternalChampion)
• SMB: Remote Code Execution Vulnerability (EternalBlue)
• SMB: NT_TRANSACT_RENAME Information Disclosure Vulnerability (EternalSynergy)
• SMB: Null Session SetUp
• SMB: Suspicious SMB Fragmentation
• SMB: DoublePulsar Backdoor
• SMB: Malicious SMB Probe/Attack
• TLS: Suspicious SSL Certificate (DGA)
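
The perimeter policy described above (SMB reaching a customer VLAN only by way of the VPN) can be verified against firewall logs rather than taken on trust. The following Python script is an added example and is not Edge Hosting’s own code or tooling; the key=value log format, the VLAN range, the VPN gateway address and the sample log lines are all assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# SMB listens on TCP 445 (direct hosting) and TCP 139 (NetBIOS session service).
SMB_PORTS = {445, 139}

# Assumed addresses for this example: the customer's VLAN and the inside
# address of the VPN concentrator, the only sanctioned path for SMB traffic.
CUSTOMER_VLAN = ipaddress.ip_network("10.20.0.0/24")
VPN_GATEWAY = ipaddress.ip_address("10.0.0.5")

# Assumed key=value log layout; real firewall exports differ, so adjust the regex.
LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


@dataclass
class Violation:
    """An SMB connection the perimeter allowed from outside the VPN path."""
    ts: str
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_smb(lines):
    """Classify SMB flows destined for the customer VLAN.

    Returns a dict with:
      blocked    - SMB connections the perimeter denied (the control is working)
      via_vpn    - SMB connections allowed from the VPN gateway (expected)
      violations - SMB connections allowed from any other source (policy gap)
    """
    result = {"blocked": 0, "via_vpn": 0, "violations": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a production audit should count these too
        dport = int(rec["dport"])
        dst = ipaddress.ip_address(rec["dst"])
        if dport not in SMB_PORTS or dst not in CUSTOMER_VLAN:
            continue  # not SMB, or not headed for the protected VLAN
        if rec["action"].lower() == "deny":
            result["blocked"] += 1
        elif ipaddress.ip_address(rec["src"]) == VPN_GATEWAY:
            result["via_vpn"] += 1
        else:
            result["violations"].append(
                Violation(rec["ts"], rec["src"], rec["dst"], dport)
            )
    return result


# Constructed sample log lines using documentation address ranges, not real hosts.
SAMPLE_LOG = """\
2017-06-28T09:00:01Z action=deny proto=tcp src=203.0.113.7 dst=10.20.0.15 dport=445
2017-06-28T09:00:02Z action=allow proto=tcp src=10.0.0.5 dst=10.20.0.15 dport=445
2017-06-28T09:00:03Z action=allow proto=tcp src=198.51.100.9 dst=10.20.0.22 dport=445
2017-06-28T09:00:04Z action=allow proto=tcp src=198.51.100.9 dst=10.20.0.22 dport=443
2017-06-28T09:00:05Z action=deny proto=tcp src=203.0.113.8 dst=10.20.0.15 dport=139
2017-06-28T09:00:06Z action=allow proto=tcp src=10.0.0.5 dst=192.0.2.40 dport=445
""".splitlines()


if __name__ == "__main__":
    summary = audit_smb(SAMPLE_LOG)
    print(f"blocked={summary['blocked']} via_vpn={summary['via_vpn']}")
    for v in summary["violations"]:
        print(f"POLICY GAP: {v.ts} {v.src} -> {v.dst}:{v.dport} allowed outside the VPN")
```

Run against the constructed sample, the script counts two denied SMB attempts and one allowed through the VPN gateway, and reports the single allowed connection from an outside address as a policy gap; the HTTPS line and the line bound for a network outside the VLAN are ignored. Pointed at a real export, a non-empty violations list means the perimeter rule does not match the stated policy.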


There are actions you can take to prevent ransomware from getting onto your systems. Ransomware most often gains its initial foothold through web browsing or phishing email, so if possible, web browsing should not be conducted from a server. Once one system is infected, others can be infected through file shares (mapped drives), so if mapped drives are not necessary on your servers, terminate those connections. Similarly, VPN connections should only come from trusted and known systems (for example, do not manage your server from a home system that is not controlled by enterprise anti-virus and similar protections).


Edge remains vigilant. If you need help, the Edge support team is here to help 24/7. Again, please open a ticket with our NOC support team, and we’ll coordinate a patch for your organization.
