HITRUST has been following the events of this global Petya ransomware attack since it was first reported. HITRUST’s Cyber Lab, in partnership with Trend Micro Labs and in cooperation with DHS, law enforcement, and our members, is gathering information on the incident and has been providing guidance by regularly updating information in the HITRUST CTX on this evolving threat. Given the reported impacts to care delivery and the rate at which this has spread to other systems and other countries, we consider this a serious incident.
Since our first report:
- This ransomware is using NSA’s EternalBlue code.
- This variant is using the same exploits as WannaCry, targeting SMB v.1 with the EternalBlue exploit; as such, the mitigation measures that were implemented for WannaCry v2.0 should cover this attack surface.
- Organizations that have implemented the HITRUST CSF controls (Control Reference “09.j Controls Against Malicious Code” and Control Reference “10.m Control of Technical Vulnerabilities”), specifically those related to endpoint protection and patch management, or an alternate compensating control, would appropriately address the threat.
- HITRUST CTX Enhanced IOC participants can leverage their Deep Discovery Inspector Rule 2383: CVE-2017-0144 – Remote Code Execution – SMB (Request).
- There are multiple reports of healthcare organizations being affected.
- This ransomware worm variant does not seem to have a “KillSwitch” like WannaCry v2.0.
HITRUST will continue to track the incident and will constantly update the IOC feeds and the HITRUST Threat Bulletin as more information becomes available: HITRUST Threat Bulletin 14255.
Note: Please ensure your Threat Bulletin notifications are on in CTX.
About the HITRUST CTX
The HITRUST CTX demonstrates how the private sector can lead the way and address industry needs for better threat information sharing. Because it understands healthcare industry-specific needs, is a trusted partner, continuously evaluates and innovates, and leverages best-in-class resources (such as Trend Micro’s industry-leading vulnerability reporting and anti-malware lab for research and analysis), the HITRUST CTX is able to collect, analyze and communicate efficiently and effectively with the healthcare industry, including sharing cyber threat information and providing actionable guidance.