* [Blog](https://www.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com/blog/corporate/)
* [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/)
* Palo Alto Networks Protec...

# Palo Alto Networks Protections for Petya Ransomware

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2017%2F06%2Fpalo-alto-networks-protections-petya-ransomware%2F)  
[](https://twitter.com/share?text=Palo+Alto+Networks+Protections+for+Petya+Ransomware&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2017%2F06%2Fpalo-alto-networks-protections-petya-ransomware%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2017%2F06%2Fpalo-alto-networks-protections-petya-ransomware%2F&title=Palo+Alto+Networks+Protections+for+Petya+Ransomware&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/2017/06/palo-alto-networks-protections-petya-ransomware/&ts=markdown)  
\[\](mailto:?subject=Palo Alto Networks Protections for Petya Ransomware)  
Link copied  
By [Scott Simkin](https://www.paloaltonetworks.com/blog/author/scott-simkin/?ts=markdown "Posts by Scott Simkin")  
Jun 27, 2017  
3 minutes  
[Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown)  
[petya](https://www.paloaltonetworks.com/blog/tag/petya/?ts=markdown)  
[ransomware](https://www.paloaltonetworks.com/blog/tag/ransomware/?ts=markdown)

This post is also available in: [日本語 (Japanese)](https://www.paloaltonetworks.com/blog/2017/06/palo-alto-networks-protections-petya-ransomware/?lang=ja "Switch to Japanese(日本語)")

### What happened:

On June 27, 2017, the Petya ransomware began impacting multiple organizations, including government and critical infrastructure operators. The attack spreads using multiple lateral movement techniques, with similarities to the May 2017 WanaCrypt0r/WannaCry attacks, including one method using the [ETERNALBLUE](https://en.wikipedia.org/wiki/EternalBlue) exploit tool to traverse the network via Microsoft Windows SMB protocol. Palo Alto Networks customers were automatically protected from Petya attacks with protections created, delivered and enforced across multiple elements of our Next-Generation Security Platform. You can further watch an on-demand webcast covering threat context and preventions for Petya [here](https://www.paloaltonetworks.com/campaigns/brighttalk.html?commid=268179&ts=markdown).

### How the attack works:

While the initial infection vector is unclear, Petya attempts to spread to other hosts using multiple lateral movement techniques, including exploiting an SMB vulnerability (CVE-2017-0144) on Microsoft Windows systems reportedly using the ETERNALBLUE exploit tool. This vulnerability was publicly disclosed by the Shadow Brokers group in April 2017, and was addressed by Microsoft in March 2017 with [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx). Once a successful infection has occurred, the malware encrypts users' systems and prompts demand of a $300 payment to return access. For detailed analysis on the Petya attack playbook, please see our [blog from the Unit 42 threat research team](https://www.paloaltonetworks.com/blog/2017/06/unit42-threat-brief-petya-ransomware/?ts=markdown).

### Preventions:

Palo Alto Networks customers are protected through our Next-Generation Security Platform, which employs a breach prevention-based approach that automatically stops threats across the attack lifecycle. Palo Alto Networks customers are protected from Petya ransomware through multiple complementary prevention controls across the platform, including:

* **WildFire**classifies all known samples as malware, automatically blocking malicious content from being delivered to users.
* **AutoFocus** tracks the attack for threat analytics and hunting via the [Petya tag](https://autofocus.paloaltonetworks.com/#/tag/Unit42.Petya).
* **Threat Prevention**
  * Enforces IPS signatures (content release: 688-2964) for the SMB vulnerability exploit ([CVE-2017-0144](https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144)-- MS17-010) likely used in this attack.
  * Blocks the malicious payload via "Virus/Win32.WGeneric.mkldr" and "Virus/Win32.WGeneric.mkknd" signatures.
* **GlobalProtect**extends WildFire and Threat Prevention protections to ensure consistent coverage for remote locations and users.
* **Traps** prevents initial infection associated with the MEDoc software update using the child process protection and DLL-hijacking rules (content updates available [here](https://support.paloaltonetworks.com/Updates/DynamicUpdates/245), account required). Propagation of the malware related to usage of Mimikatz can be prevented via local analysis and WildFire cloud query.
* **App-ID** should be employed to control usage of SMB and WMI traffic throughout the network, only enabling it where necessary, including disabling older versions of protocols that pose higher risk (e.g. SMBv1).
* **Multi-Factor Authentication (MFA)** can stop the usage of valid credentials, which were potentially leveraged to infect additional systems across the network.
* **Segmentation** to observe and block malicious traffic between user-defined zones, preventing the lateral spread of Petya. You can further apply a Zero-Trust architecture to your network, driving microsegmentation within zones.

**NOTE**: We are continuously monitoring the Petya situation and will update this post with additional details on protections as they arise.

For best practices on preventing ransomware with the Palo Alto Networks Next-Generation Security Platform, please refer to our [Knowledge Base article](https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-Ransomware-Prevention/ta-p/74148). We strongly recommend that all Windows users ensure they have the latest patches made available by Microsoft installed, including versions of software that have reached end-of-life support. For the latest on the Petya attack playbook, please see the [Unit 42 post](https://www.paloaltonetworks.com/blog/2017/06/unit42-threat-brief-petya-ransomware/?ts=markdown). Join our on-demand webcast covering the threat context and preventions for Petya [here](https://www.paloaltonetworks.com/campaigns/brighttalk.html?commid=268179&ts=markdown).

**Version summary:**

June 27, 2017 -- 8:00 PM PT

* Added details on protection offered by App-ID

June 28, 2017 - 1:15 PM PT

* Added details on MFA and segmentation

July 6, 2017 - 5:15 PM PT

* Added details on Traps

*** ** * ** ***

## Related Blogs

### [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown)

[#### UPDATED: Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks](https://www.paloaltonetworks.com/blog/2018/01/palo-alto-networks-protections-wanacrypt0r-attacks/)

### [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown)

[#### Palo Alto Networks Protections Against Bad Rabbit Ransomware Attacks](https://www.paloaltonetworks.com/blog/2017/10/palo-alto-networks-protections-bad-rabbit-ransomware-attacks/)

### [Threat Brief](https://www.paloaltonetworks.com/blog/category/threat-brief/?ts=markdown)

[#### Threat Brief: Understanding Kernel APC Attacks](https://www.paloaltonetworks.com/blog/2017/10/threat-brief-understanding-kernel-apc-attacks/)

### [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown)

[#### Ransomware: Common Attack Methods](https://www.paloaltonetworks.com/blog/2016/11/ransomware-common-attack-methods/)

### [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown)

[#### The Cybersecurity Download: Ransomware](https://www.paloaltonetworks.com/blog/2016/10/the-cybersecurity-download-ransomware/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Research](https://www.paloaltonetworks.com/blog/category/research/?ts=markdown), [Unit 42](https://www.paloaltonetworks.com/blog/category/unit42/?ts=markdown)

[#### From Ransom to Revenue Loss](https://www.paloaltonetworks.com/blog/2025/10/from-ransom-to-revenue-loss/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language