Sophos is aware of a new ransomware variant being seen in multiple countries today. Our investigation shows that this attack encrypts both files and the Master Boot Record (MBR), and that it can spread rapidly using several techniques, including the EternalBlue exploit for a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed that vulnerability in its MS17-010 bulletin. The malware can also spread by using a variant of the Microsoft PsExec tool together with administrator credentials taken from the target computer.
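The PsExec-style spread described above leaves a trace defenders can look for: PsExec works by remotely installing a service on the target, which the Service Control Manager records in the System log as Event ID 7045. The following is an added example, not code from the Sophos advisory, that parses constructed 7045 records and flags installs matching PsExec's pattern. The sample log lines, the flattened "EventID|Host|Message" layout and the two heuristics in `is_psexec_style` are assumptions made for this example, not vendor signatures.

```python
"""Added example (not from the Sophos advisory): flag PsExec-style remote
service installations in Windows System log records, the lateral-movement
pattern the advisory describes.  Sample records and heuristics are constructed."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records in a flattened "EventID|Host|Message" form.
# Event ID 7045 is the Service Control Manager's "A service was installed" event.
SAMPLE_LOG = r"""
7045|WS-014|A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
7045|WS-014|A service was installed in the system. Service Name: SpoolHelper Service File Name: C:\Program Files\Vendor\spoolhelper.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem
7045|FS-02|A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
7036|FS-02|The Print Spooler service entered the running state.
7045|HR-07|A service was installed in the system. Service Name: NetSvcHelper Service File Name: C:\Windows\System32\svchost.exe -k netsvcs Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem
7045|DC-01|A service was installed in the system. Service Name: svchelper Service File Name: C:\Windows\svchelper.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem
"""


@dataclass(frozen=True)
class ServiceInstall:
    host: str
    service_name: str
    file_name: str
    start_type: str


# Field labels as written by the Service Control Manager in the 7045 message body.
FIELD_RE = re.compile(
    r"Service Name:\s*(?P<name>.+?)\s+Service File Name:\s*(?P<file>.+?)\s+"
    r"Service Type:\s*(?P<type>.+?)\s+Service Start Type:\s*(?P<start>.+?)\s+"
    r"Service Account:\s*(?P<account>.+)$"
)

WINDOWS_ROOT_PREFIXES = ("%systemroot%\\", "c:\\windows\\")


def parse_service_installs(log_text: str) -> List[ServiceInstall]:
    """Return every Event ID 7045 record in the log as a ServiceInstall."""
    installs = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_id, host, message = line.split("|", 2)
        if event_id != "7045":
            continue  # only service installations are of interest here
        match = FIELD_RE.search(message)
        if match:
            installs.append(ServiceInstall(host, match["name"], match["file"], match["start"]))
    return installs


def _directly_in_windows_root(path: str) -> bool:
    """True when the binary sits directly in the Windows directory (no subfolder)."""
    for prefix in WINDOWS_ROOT_PREFIXES:
        if path.startswith(prefix):
            return "\\" not in path[len(prefix):]
    return False


def is_psexec_style(install: ServiceInstall) -> bool:
    """Heuristics assumed for this example, not a vendor signature:
    1. PsExec's default service name and binary (PSEXESVC / PSEXESVC.exe).
    2. A renamed copy keeps PsExec's habit of dropping a demand-start service
       binary directly into the Windows directory, where legitimate installers
       almost never place one (they use System32 or Program Files)."""
    name = install.service_name.lower()
    path = install.file_name.lower()
    if name == "psexesvc" or path.endswith("\\psexesvc.exe"):
        return True
    return _directly_in_windows_root(path) and "demand" in install.start_type.lower()


def find_psexec_style_installs(log_text: str) -> List[ServiceInstall]:
    """All 7045 records in the log that match the PsExec heuristics."""
    return [i for i in parse_service_installs(log_text) if is_psexec_style(i)]


def affected_hosts(log_text: str) -> List[str]:
    """Distinct hosts with a flagged install; several hosts in a short window
    is the spreading pattern a responder would escalate on."""
    return sorted({i.host for i in find_psexec_style_installs(log_text)})


if __name__ == "__main__":
    for hit in find_psexec_style_installs(SAMPLE_LOG):
        print(f"{hit.host}: suspicious service {hit.service_name!r} -> {hit.file_name}")
    print("hosts affected:", ", ".join(affected_hosts(SAMPLE_LOG)))
```

On the constructed sample the default-name rule catches the PSEXESVC installs on WS-014 and FS-02, the drop-location rule catches the renamed service on DC-01, and the two legitimate installs (a vendor tool under Program Files and a System32 service host) pass. Three distinct hosts receiving PsExec-style services in one log window is the signal to correlate with the admin account used, since the advisory notes the tool runs with credentials taken from an already-compromised machine.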
What is Petya Ransomware?
A new variant of the Petya ransomware (also called PetrWrap or GoldenEye) is behind a massive outbreak that has spread across Europe, Russia, Ukraine and elsewhere. It also includes the EternalBlue exploit to propagate inside a targeted network.
Behavior:
Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that displays a ransom note and prevents victims from booting their computer.
As with the recent WannaCry Ransomware attack, organizations around the world have again been affected by a new ransomware variant known as the Petya cyber-attack. We wanted to contact you to offer our advice and support.
The Petya ransomware attack has hit organizations worldwide. Europe has been hit the hardest, especially Ukraine. Governments, banks, utilities, critical infrastructure and businesses have been affected. The malware, which is still spreading, is believed to be a variant of Petya. These attacks can be prevented, yet they are spiking in frequency and reach. Protection from ransomware requires cyber security solutions that focus on prevention—not detection.