
What’s Happening With Petya?

Petya is the second piece of ransomware to start spreading quickly worldwide in less than two months. It appears to still be using some of the stolen NSA technology that was used in WannaCry just last month, but does not appear to have a kill-switch.

It is only able to attack Windows systems, although there are some companies that have not only shut down all of their Windows machines, but have also shut down their iPads. This appears to have been done out of an abundance of caution.

Petya has two components: The main malware infects a computer’s master boot record, and then attempts to encrypt its master file table. If it can’t detect the MFT, though, it turns operations over to its other component, a ransomware that Petya incorporates called Mischa, and simply encrypts all the files on the computer’s hard drive the way most ransomware does.

In either case, once infected a computer displays a black screen with red text that reads, “If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.” Then the ransomware asks for $300 in bitcoin—the same amount WannaCry demanded. (More: Wired.com)

This massive, global ransomware outbreak has been hitting airports, banks, shipping firms and other businesses across Ukraine, Russia, the United Kingdom, Denmark, India and beyond.

Organizations ranging from Ukraine’s central bank and Kiev’s Boryspil Airport to Russian oil producer Rosneft and Danish shipping giant Maersk all appear to have had systems compromised by the attack.

The global pharmaceutical giant Merck confirmed it was hit by hackers, but the New Jersey-based company did not say whether the attack struck its computers in the United States or elsewhere.

The ransomware apparently also has “a fake Microsoft digital signature appended.” (More: Bank Info Security)

What to do:

Make sure all of your systems are fully patched and up-to-date. If they are not up-to-date, you should seriously consider shutting off your Internet connection, not opening email and even shutting off your computers.

If you installed both the March 2017 and April 2017 security-patch bundles, you have some degree of protection against today’s ransomware worm. April and May’s patch bundles will be installed along with June’s.
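The two checks a Windows administrator would want to run against the advice above, as an added example that is not part of the original post: whether one of the MS17-010 updates (the March 2017 SMBv1 fix that WannaCry exploited) is listed as installed, and whether the SMBv1 server is still enabled. The KB numbers are the ones Microsoft published for MS17-010 and are assumed here, not taken from this post; the script is meant to be run in an elevated PowerShell session on the host being checked.

```powershell
# Added example, not from the original post. Assumes an elevated session on the
# Windows host under review; KB list is the MS17-010 bulletin's, reproduced here.
function Test-Ms17010Status {
    $ms17010Kbs = @(
        'KB4012598',               # Vista / Server 2008, and the May 2017 XP / Server 2003 update
        'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
        'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',  # Server 2012
        'KB4012606',               # Windows 10 1507
        'KB4013198',               # Windows 10 1511
        'KB4013429'                # Windows 10 1607 / Server 2016
    )

    # Installed updates as reported by Win32_QuickFixEngineering.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($installed | Where-Object { $ms17010Kbs -contains $_ })

    # SMBv1 server switch. The LanmanServer registry value works on every
    # supported version; a missing value means the default, which is enabled.
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1Value = (Get-ItemProperty -Path $regPath -Name 'SMB1' -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = if ($null -eq $smb1Value) { $true } else { [bool]$smb1Value }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010KbsFound   = ($matched -join ', ')
        Ms17010KbPresent  = ($matched.Count -gt 0)
        Smb1ServerEnabled = $smb1Enabled
    }
}

Test-Ms17010Status | Format-List
```

Read the result with one caveat: later monthly rollups supersede these KBs under their own IDs, so "no MS17-010 KB found" means "verify by other means" (for example by comparing the version of srv.sys against the bulletin), not "unpatched". A host with no matching KB and Smb1ServerEnabled set to True is the one to treat as urgent.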

What it is:

Note: This blog post discusses active research regarding a new security threat. It is preliminary information.

In May this year (2017), the WannaCry ransomware attack took advantage of a vulnerability in SMBv1 and spread like wildfire across the Internet worldwide. It’s now thought that the vulnerability was created and spread by North Korea.

Today a new malware variant has surfaced. Current research leads us to believe that the sample leverages EternalBlue and WMI for lateral movement inside an affected network. This behavior is unlike WannaCry, as there does not appear to be an external scanning component. There may additionally be a psexec vector used to spread internally.
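The two host-side traces those internal spreading methods leave are a temporary service installation (PsExec-style tools register one, logged as System event 7045) and processes whose parent is WmiPrvSE.exe (what a remote WMI process creation looks like, logged as Security event 4688 when process-creation auditing is on). The following is an added example, not from the original post or its sources, that pulls both from the local event logs; the service-name pattern PSEXESVC is the Sysinternals PsExec default and is an assumption about what a PsExec-like tool would leave behind.

```powershell
# Added example, not from the original post. Reads the local System and
# Security logs; 4688 parent-process data requires process-creation auditing
# and a Windows version that records ParentProcessName.
function ConvertFrom-EventData {
    param($Event)
    # Flatten the <EventData><Data Name="..."> elements into a hashtable.
    $d = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object {
        if ($_.Name) { $d[$_.Name] = $_.'#text' }
    }
    return $d
}

function Get-LateralMovementIndicators {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # 1) Service installs (System 7045). Flag the PsExec default service name and
    #    binaries dropped into the ADMIN$ share (the Windows directory).
    $svc = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'ServiceInstall'; Name = $d['ServiceName']; Detail = $d['ImagePath'] }
        } |
        Where-Object { $_.Name -match 'PSEXESVC' -or $_.Detail -match '\\Windows\\[^\\]+\.exe$' }

    # 2) Process creation (Security 4688) with WmiPrvSE.exe as the parent.
    $proc = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'WmiSpawn'; Name = $d['NewProcessName']; Detail = $d['ParentProcessName'] }
        } |
        Where-Object { $_.Detail -match 'WmiPrvSE\.exe$' }

    @($svc) + @($proc) | Where-Object { $null -ne $_ } | Sort-Object Time
}

Get-LateralMovementIndicators -Hours 24 | Format-Table -AutoSize
```

Legitimate administration produces both kinds of events, so the output is a triage list rather than a verdict: a burst of them across many hosts in a short window, or a 7045 whose ImagePath sits directly under the Windows directory with a random-looking name, is what should escalate.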

The identification of the initial vector has proven more challenging. Early reports of an email vector cannot be confirmed. Based on observed in-the-wild behaviors, the lack of a known, viable external spreading mechanism, and other research, we believe it is possible that some infections are associated with software update systems for a Ukrainian tax accounting package called MeDoc. This source appears to have been confirmed by MeDoc. Our security team continues to research the initial vector of this malware. (More: Talos)