Doc ID             : ADV279
Version            : 2.0
Status             : Published
Published date     : 6/30/2017
Categories         : Triconex, Foxboro Evo, Security Issue, SCADA, I/A Series
Last Modified date : 6/30/2017

Customer Advisory
Petya Ransomware CyberSecurity Alert
June 29, 2017


Schneider Electric is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service.   

Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Schneider Electric recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.

Systems Affected: Microsoft Windows operating systems

SITUATION

Starting June 27, 2017, a new variant of the Petya ransomware, also known as Petrwrap, NotPetya and exPetr, spread internationally to several businesses. Businesses in Ukraine, Russia and Western Europe were among those that needed to go offline. More than 2,000 attacks took place with the help of the Windows SMBv1 vulnerability that the WannaCry ransomware attacks utilized.

In March 2017, Microsoft® published a security update which addresses the vulnerability that these attacks are exploiting (Microsoft Security Bulletin MS17-010). In addition, Microsoft has taken the extraordinary step of sending out a patch for Windows XP, Windows 8, and Windows Server 2003 versions of software. These patches have been made available on the Global Customer Support for Foxboro and Triconex website under "Schneider Electric approved Microsoft® Security Patches".

Schneider Electric Process Automation has tested these patches for standard supported and older operating systems. All tests have passed. No product issues have been identified or reported with the MS17-010 update during our test lab qualifications.

SYMPTOMS

Unlike WannaCry, Petya does not encrypt files one by one on a targeted machine or system. Instead, Petya reboots the victim's machine and encrypts the hard drive's master file table (MFT). The master boot record (MBR) is rendered inoperable, which restricts access to the full system by seizing information on file names, sizes, and location on the physical disk. Petya replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot. Researchers at Symantec say they have confirmed the ransomware is using the EternalBlue exploit. The malware's capabilities include the following: network surveying, password extraction, and file encryption.

ACTIONS OR RESOLUTIONS

Schneider Electric recommends that customers with supported systems check with their designated support portals first before executing the following to prevent this attack:

FOR INFORMATION

If you have any questions regarding this article, please contact your local Service Representative or a Schneider Electric Support Center at:  
 
GCS Center       America's GCS     Asia Pacific GCS   EMEA GCS
Location         Foxboro MA USA    Shanghai           Baarn NL
Phone            +1-866-746-6477   +86 21 37180086    +31-3554-84125
Internationally  +1-508-549-2424
Fax              +1-508-549-4999   +86 21 37180196    +31-3554-84230
Email            America's GCS     Asia Pacific GCS   EMEA GCS

Regards,

John Petty
Director,
Global Customer Support



Distribution to Schneider Electric Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.


Advisory #: 2017016abi

©Schneider Electric. All rights reserved