The Petya ransomware outbreak that originated in Ukraine affected a large number of Windows machines worldwide and exhibited sophisticated malware behavior across 64 countries. This article outlines basic measures that Azure users can take to detect and prevent this threat with Azure Security Center.
Prevention of the malware
Azure Security Center helps prevent Petya ransomware by scanning virtual machines and recommending the deployment of endpoint protection where it is not yet installed. This recommendation can be accessed in the Prevention section, as displayed in the following screenshot:
Users can get more details on the Endpoint Protection and installation recommendations by drilling into the Compute pane:
Clicking on this opens a dialog listing the available protection solutions, including Microsoft's own antimalware solution:
For customers on the Standard tier, Azure Security Center detects threats on their systems and raises alerts. A new detection rule that generates an alert on Petya ransomware-specific indicators has recently been added. Alerts for an infected host are available in the Detection pane, as shown below:
A sample alert is displayed below:
Selecting an alert will display further details of the infected VM along with the offending process that triggered it:
Because this ransomware attempts to propagate to all reachable machines, it is important to apply remediation to every host on the network, not only the one that raised the alert.
Further reading on the available remediation steps is available in the Microsoft Malware Protection Center (MMPC) blog.