How the Petya Ransomware Exploits CVE-2017-0199 and MS17-010 – Prevention Tips
The Petya ransomware, spreading across Europe and affecting over 80 companies in Russia and Ukraine, leverages the CVE‑2017‑0199 RTF vulnerability for phishing and the MS17‑010 SMB flaw for internal propagation, encrypts the MFT to render systems unbootable, and can be mitigated by applying Windows patches, using strong passwords, and backing up data.
According to foreign media reports, a new ransomware dubbed “Petya” has swept across Europe, affecting more than 80 companies in Russia and Ukraine; victims are told to pay $300 in Bitcoin to unlock their systems.
Remediation Steps
Promptly install the latest Windows system patches.
For users unable to apply online fixes, download and install the patches from the Microsoft Security Guidance advisory (CVE‑2017‑0199) and the MS17‑010 bulletin:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Use passwords that meet complexity requirements on hosts.
Back up critical data; for cloud servers, continuous data protection can be achieved with services such as UCloud Data Ark or snapshot functionality.
Vulnerability Details
Petya employs the CVE‑2017‑0199 RTF vulnerability for phishing attacks and the MS17‑010 SMB vulnerability for lateral movement within networks.
Unlike traditional ransomware, Petya does not encrypt individual files. Instead, it encrypts the disk's Master File Table (MFT) and renders the Master Boot Record (MBR) inoperable; by taking over this physical disk metadata, it prevents the system from booting.
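Because the damage described above is to disk metadata rather than to files, a raw disk image or backup can be triaged by checking three markers: the MBR boot signature, the NTFS boot sector, and the "FILE" signature of the first MFT record. The following Python sketch is an added example, not part of the original article or any vendor tool; the function names are hypothetical, the sample image is constructed, and it assumes an MBR-partitioned disk with 512-byte sectors.

```python
import struct

SECTOR = 512  # assumed logical sector size


def check_image(img: bytes) -> dict:
    """Triage a raw disk image: MBR signature, NTFS boot sector, first $MFT record."""
    result = {"mbr_sig": False, "ntfs_vbr": False, "mft_magic": False}
    if len(img) < SECTOR:
        return result
    result["mbr_sig"] = img[510:512] == b"\x55\xaa"
    # Walk the four 16-byte primary partition entries that start at offset 446.
    for i in range(4):
        entry = img[446 + 16 * i: 446 + 16 * (i + 1)]
        lba_start = struct.unpack_from("<I", entry, 8)[0]
        if entry[4] != 0x07 or lba_start == 0:  # 0x07 = NTFS partition type
            continue
        vbr_off = lba_start * SECTOR
        vbr = img[vbr_off: vbr_off + SECTOR]
        if len(vbr) < SECTOR or vbr[3:11] != b"NTFS    ":  # OEM ID at offset 3
            continue
        result["ntfs_vbr"] = True
        bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
        spc = vbr[0x0D]
        if spc > 0x80:  # large clusters are stored as a negative power of two
            spc = 1 << (256 - spc)
        mft_cluster = struct.unpack_from("<Q", vbr, 0x30)[0]  # $MFT start cluster
        mft_off = vbr_off + mft_cluster * spc * bytes_per_sector
        # Every intact MFT file record begins with the ASCII signature "FILE".
        result["mft_magic"] = img[mft_off: mft_off + 4] == b"FILE"
        break
    return result


def build_sample(mft_intact: bool = True) -> bytes:
    """Constructed 64-sector image: MBR, NTFS partition at LBA 8, $MFT at cluster 2."""
    img = bytearray(64 * SECTOR)
    img[446 + 4] = 0x07
    struct.pack_into("<I", img, 446 + 8, 8)
    img[510:512] = b"\x55\xaa"
    vbr = 8 * SECTOR
    img[vbr + 3: vbr + 11] = b"NTFS    "
    struct.pack_into("<H", img, vbr + 0x0B, SECTOR)
    img[vbr + 0x0D] = 1
    struct.pack_into("<Q", img, vbr + 0x30, 2)
    mft = vbr + 2 * SECTOR
    # Constructed non-"FILE" bytes stand in for an unreadable MFT record.
    img[mft: mft + 4] = b"FILE" if mft_intact else b"\x9c\x1f\x03\xe7"
    return bytes(img)


if __name__ == "__main__":
    print(check_image(build_sample()), check_image(build_sample(False)))
```

A result with `mft_magic` false on a volume whose boot sector still parses is a reason to restore from backup rather than attempt to boot the disk.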
UCloud Tech
UCloud is a leading neutral cloud provider in China, developing its own IaaS, PaaS, AI service platform, and big data exchange platform, and delivering comprehensive industry solutions for public, private, hybrid, and dedicated clouds.
