Pharos software is not susceptible to Petya/NotPetya

Version 4

    Many of our partners and customers are understandably concerned with the stability and reliability of their infrastructure given the recent ransomware attacks. Pharos software is not susceptible to Petya, but we believe it's important to provide some clarifying details.

     

    Background

    Recently, a new and serious ransomware began rapidly spreading around the globe. It has various names, including Petya and NotPetya, and it has struck many companies and individuals.

     

    Petya was first released in 2016 and used email and a software package for distribution. Another more dangerous and widely distributed variant appeared in 2017, and that is the version this document is specifically addressing. In many resources online, Petya 2017 is referred to as NotPetya, to reduce confusion with the 2016 variant.

     

    NotPetya relies on a set of vulnerabilities referred to as "EternalBlue", which are part of the disclosed NSA suite of exploits. The specific SMB flaws used by NotPetya (and EternalBlue) are:

         CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148

     

    Patches to all these flaws have been released by Microsoft.

     

    NotPetya encrypts files on the computer and offers to unlock them if a ransom is paid via Bitcoin. However, due to problems with the email address used for payment, it is not possible to recover files even if the ransom is paid.

     

    Pharos Cloud Services

    Pharos cloud services use Windows and Linux servers within Amazon Web Services (AWS). However, these services are behind firewalls and not exposed to any external connection. Also, the Windows servers have had the relevant patches applied. Lastly, the Pharos operations team strictly limits access to live cloud services, and does not permit any susceptible applications to be run on any machine with access to cloud operations. We believe that our cloud services are fully protected from NotPetya.

     

    Pharos On-Premises Products

    Pharos develops several on-premises print management products, including Uniprint, Blueprint, MobilePrint, iMFPs, and Sentry. None of these products are natively susceptible to NotPetya. However, they all run on Windows servers so it's important to ensure your servers are protected.

     

    Because these products do not natively rely on SMBv1, SMBv1 can be disabled without impacting any Pharos service (see below for instructions). Some print devices may use SMBv1 to provide services such as "Scan to folder", so you may need to check specific device models if you rely on these services.

     

    Pharos Internal IT Infrastructure

    Internally, all Pharos desktops and servers have auto-updates turned on and virus scanners installed. The rare instances where this is not possible are carefully controlled.

     

    Recommendations

    Pharos recommends:

    • All customers ensure that the SMB patches are applied on all Windows servers. If that is not possible immediately, then disabling SMBv1 may be a suitable temporary workaround.
    • All customers should have automatic updates enabled where possible, or a process for regular manual updates established.
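
    One way to apply the SMBv1 workaround while checking for devices that still depend on it (such as "Scan to folder" printers), shown as an added example that is not part of Pharos's own instructions. The script parameter -Disable and the function names are hypothetical; the cmdlets and the registry value are the standard Windows ones.

```powershell
# Added example (not Pharos code). Run elevated on each Windows server.
param([switch]$Disable)  # hypothetical switch: report only unless -Disable is given

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$hasSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

function Get-Smb1ServerState {
    # Windows Server 2012 and later expose the setting through the SMB cmdlets.
    if ($hasSmbCmdlets) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: registry value SMB1. A missing value means enabled (the default).
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value -or $value -ne 0)
}

function Disable-Smb1Server {
    if ($hasSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'Restart the server for the registry change to take effect.'
    }
}

$enabled = Get-Smb1ServerState

# Sessions currently negotiated at an SMB 1.x dialect. This is a point-in-time
# snapshot: a device that scans to a folder once a day may not be connected now.
$legacy = @()
if ($hasSmbCmdlets) {
    $legacy = @(Get-SmbSession | Where-Object { $_.Dialect -like '1.*' })
}

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Smb1Enabled  = $enabled
    Smb1Sessions = $legacy.Count
    Smb1Clients  = ($legacy.ClientComputerName | Sort-Object -Unique) -join ', '
}

if ($Disable -and $enabled) {
    if ($legacy.Count -gt 0) {
        Write-Warning 'SMBv1 clients are connected; review them before disabling.'
    } else {
        Disable-Smb1Server
    }
}
```

    Disabling SMBv1 is the temporary workaround; applying the Microsoft patches for the CVEs listed above remains the fix.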

     

    As always, the Pharos security team is happy to answer any questions you may have.

     

    Regards,

    Pharos Security Team

    Pharos Systems International

    585-939-7000

    pharossecurityteam@pharos.com