The first infections were reported in Ukraine, where more than 12,500 machines encountered the threat, according to Microsoft. The software company then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the U.S.
“The new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar codes and is a new variant of Ransom:Win32/Petya,” a report from Windows Security said. “This new strain of ransomware, however, is more sophisticated.”
Petya and the Microsoft patch
WannaCry affected more than 230,000 computers in over 150 countries. Much like WannaCry, Petya is spreading through networks which use Microsoft Windows.
The new ransomware uses an exploit for the Server Message Block (SMB) vulnerability in Microsoft Windows, CVE-2017-0144, also known as EternalBlue, to spread across an organization once it has infected a single computer.
Microsoft has released a patch for this vulnerability. Detection updates were also delivered automatically through the cloud to all of Microsoft's free antimalware products, including Windows Defender Antivirus and Microsoft Security Essentials.
Petya takes over computers and encrypts documents and files contained in the machine. The ransomware then demands $300 in Bitcoin in exchange for decrypting the files.
The latest version of these updates can also be downloaded manually from the Malware Protection Center.
Windows Defender Advanced Threat Protection (Windows Defender ATP) also automatically detects behaviors used by Petya.
“It’s alarming that we’re seeing another large-scale, global ransomware attack on the heels of the recent WannaCry incident,” said Varun Badhwar, CEO and co-founder of security company RedLock. “Every company and consumer connected to the internet needs to immediately install the patch that Microsoft released back in March to fix the EternalBlue vulnerability that the new Petya ransomware attack is leveraging.”
For companies that fail to implement the latest security patches and updates, vulnerabilities like EternalBlue are “ticking time bombs,” Badhwar said.
Tracing Petya’s journey
According to Microsoft, the initial Petya infection appears to have come through a software supply-chain compromise involving the Ukrainian company M.E.Doc, which develops tax accounting software.
“Although this vector was speculated at length by news media and security researchers—including Ukraine’s own Cyber Police—there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process,” Microsoft said.
The malware then spread through large companies including British advertising firm WPP Plc., Danish shipping and transport company Maersk, U.S. pharmaceutical company Merck, and the American multinational food company Mondelez.
Not all about money
Other security analysts believe the new ransomware was primarily designed to spread mayhem.
“The malware, dubbed NotPetya because it masquerades as the Petya ransomware, exploded across the world on Tuesday, taking out businesses from shipping ports and supermarkets to ad agencies and law firms,” The Register reported. “Once inside a corporate network, this well-oiled destructive program worms its way from computer to computer, encrypting the infected machines’ filesystems.”
While the real Petya was created by cybercriminals to collect money, NotPetya was made to “spread fast and cause damage, with a plausibly deniable cover of ransomware,” The Register quoted a security analyst as saying.
How to protect yourself against Petya
Microsoft recommends that Windows users install the security update MS17-010 as soon as possible.
Until the patch can be applied, the company also recommends two possible workarounds to reduce the attack surface:
- Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as recommended previously
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
As the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network, according to Microsoft.
You can also disable remote WMI and file sharing. “These may have large impacts on the capability of your network, but may be suggested for a very short time period while you assess the impact and apply definition updates.”
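The two workarounds above, disabling SMBv1 and blocking TCP 139/445, as an added PowerShell example (not from the article or from Microsoft); it assumes an elevated session on Windows 8/Server 2012 or later, and the firewall rule names are our own choice:

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's own script: apply and verify the two SMB
# workarounds recommended while MS17-010 is still being rolled out.

# 1. Disable the SMBv1 server protocol in place (no reboot needed on supported
#    versions; KB 2696547 documents the equivalent registry-based method).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# On Windows 10 / Server 2016 and later, also remove the optional feature so the
# SMBv1 client and server components are not loaded at all (reboot required).
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 2. Block SMB/NetBIOS traffic (TCP 139 and 445) in both directions with the
#    Windows Firewall. This stops propagation into and out of the host, at the
#    cost of breaking file sharing, which is the trade-off the article notes.
$rulePrefix = 'Block SMB 139/445 (EternalBlue stop-gap)'   # assumed rule name
foreach ($direction in 'Inbound', 'Outbound') {
    $ruleName = "$rulePrefix - $direction"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction $direction -Protocol TCP `
            -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
    }
}

# 3. Verify the resulting state so the change can be confirmed before moving on.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
$rules = Get-NetFirewallRule -DisplayName "$rulePrefix*" | ForEach-Object {
    $ports = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
    "{0}: enabled={1} ports={2}" -f $_.DisplayName, $_.Enabled, $ports
}

[pscustomobject]@{
    SMB1ServerEnabled = $smb1Enabled      # expected: False
    FirewallRules     = $rules -join '; '
}
```

Roll the firewall rules back with `Remove-NetFirewallRule -DisplayName "Block SMB 139/445*"` once the MS17-010 update has been confirmed on the host.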