
SOPHOS Stops Petya Ransomware

Sophos is aware of a new ransomware variant being seen in multiple countries today. Our investigation shows that this attack encrypts both files and the Master Boot Record (MBR) and can spread rapidly using several techniques, including the “EternalBlue” exploit of a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin. It can also spread by using a variant of the Microsoft PsExec tool in combination with admin credentials from the target computer.


What is Petya Ransomware?

A new variant of the Petya ransomware (also called PetrWrap or GoldenEye) is behind a massive outbreak that spread across Europe, Russia, Ukraine, and elsewhere. It also includes the EternalBlue exploit to propagate inside a targeted network.

Behavior:

Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

As with the recent WannaCry Ransomware attack, organizations around the world have again been affected by a new ransomware variant known as the Petya cyber-attack. We wanted to contact you to offer our advice and support.

Customers using Sophos Endpoint Protection are protected against all known variants of this ransomware. We first issued protection on June 27th at 13:50 UTC and have provided several updates since then to provide further protection against possible future variants. In addition, customers using Sophos Intercept X were proactively protected with no data encrypted from the moment this new ransomware variant appeared.

The Petya ransomware attack has hit organizations worldwide. Europe has been hit the hardest, especially Ukraine. Governments, banks, utilities, critical infrastructure and businesses have been affected. The malware, which is still spreading, is believed to be a variant of Petya. These attacks can be prevented, yet they are spiking in frequency and reach. Protection from ransomware requires cyber security solutions that focus on prevention—not detection.

@2023 – Cellit. All Rights Reserved.

Contact us: contact@cellit.in