Petya ransomware prevention & detection in Azure Security Center

28 Haziran, 2017 tarihinde gönderildi

Principal Security Engineering Manager, Microsoft Threat Intelligence Center

Microsoft Malware Protection Center (MMPC) published a blog post yesterday detailing a new ransomware infection that appears to have begun in Ukraine and spread from there to other places in Europe and beyond. MMPC analysis showed this to be a more sophisticated variant of Ransom:Win32/Petya and all free Microsoft antimalware products were updated with signatures for this threat, including Windows Defender Antivirus.

This post summarizes measures that Azure customers can take to prevent and detect this threat through Azure Security Center. See here for basic information on enabling Azure Security Center.

Prevention

Azure Security Center scans virtual machines across an Azure subscription and makes a recommendation to deploy endpoint protection where an existing solution is not detected. This recommendation can be accessed via the Prevention section as shown below.

Security Center - Overview

Drilling into the Compute pane (or the overview recommendations pane) shows more detail, including the Endpoint Protection installation recommendation being discussed here:

Compute

Clicking on this leads to a dialog allowing selection of and installation of an endpoint protection solutions, including Microsoft’s own antimalware solution:

Install Endpoint Protection

Select Endpoint Protection

These recommendations and associated mitigation steps are available to Azure Security Center Free tier customers.

Detection

Azure Security Center customers who have opted into Standard-Tier can benefit from a new detection recently added to alert on specific indicators related to Petya ransomware running on an infected host - this is described in further detail below.

These alerts are accessed via the Detection pane highlighted below, and require the Azure Security Center Standard tier.

Security Center

An alert for Petya ransomware will show up as shown below:

Detected Petya

Drilling in provides more detail of the impacted VM and suspicious process or commandline that triggered the alert:

Detected Petya ransomware indicators

Note that although the detection alert relates to a specific host, because this ransomware attempts to propagate to other nearby machines, it is important to apply remediation steps to all on all hosts on the network, not just the host identified in the alert.

Please follow the remediation steps indicated in the Alert or in the Microsoft Malware Protection Center (MMPC) blog.