Petya Ransomware Outbreak – June 27, 2017

Just a month after the WannaCry outbreak, we are seeing another widespread ransomware outbreak involving a possible variant of the Petya ransomware family. Details on the initial delivery vector are sparse and, as expected, there is a lot of speculation, just as there was in the early hours of WannaCry, but we wanted to share a quick snippet of what we know so far about the Petya ransomware outbreak. As we learn more, we will continue to update this blog.

  • Businesses in several countries, including Ukraine, India, France, Russia, and Spain, have been impacted by this ransomware outbreak.
  • The malware family involved is being claimed as a variant of the Petya ransomware family; however, from the analysis we have done so far, we see very little resemblance between this code and previous Petya variants.
  • This ransomware variant is highly virulent: once a user is infected, it spreads rapidly across a corporate network via SMB.
  • There are reports of the payload using the EternalBlue (MS17-010) exploit when it is not able to spread through a network using the credentials of the logged-in user.
  • The ransomware payload encrypts the Master Boot Record (MBR) of an infected system, making it unusable.
  • The ransomware payload also uses the Windows Management Instrumentation Command-line (WMIC) interface for lateral movement over SMB. This explains why the attack has succeeded more than a month after the WannaCry outbreak, which leveraged the EternalBlue (MS17-010) exploit that should have been patched on most systems by now.

Take Protective Action

  • Apply the Microsoft Windows security updates for MS17-010 and CVE-2017-0199
  • Block legacy protocols like SMBv1 on the local network
  • Disable WMIC on the local network
  • Block connections to ports 139 and 445 on your firewall
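The host-side part of the mitigations above (patch check, SMBv1 off, ports 139/445 blocked), as an added PowerShell example that is not from the original post. It assumes Windows 8.1/Server 2012 R2 or later for the SMB and firewall cmdlets, and the `$Ms17010Kbs` list is a placeholder you fill in from Microsoft's MS17-010 bulletin for your OS build; disabling WMIC is not covered here.

```powershell
# Added example: harden a Windows host against the SMB-based spreading
# described above. Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

# Placeholder: fill in the MS17-010 KB numbers that apply to your OS build.
$Ms17010Kbs = @('KB_PLACEHOLDER_1', 'KB_PLACEHOLDER_2')

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates by HotFixID; any match means the
    # MS17-010 fix (or a rollup that contains it) is present.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($KbIds | Where-Object { $installed -contains $_ })
}

function Disable-Smb1 {
    # Stop the SMB server from offering the SMBv1 dialect that MS17-010 covers.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On client builds that ship SMB1 as an optional feature, remove it entirely.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-SmbInbound {
    # Block inbound NetBIOS session (139) and SMB (445) at the host firewall.
    # Add -RemoteAddress if file servers must stay reachable from specific subnets.
    $name = 'Block inbound SMB (Petya mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    }
}

if (-not (Test-Ms17010Installed -KbIds $Ms17010Kbs)) {
    Write-Warning 'No MS17-010 hotfix found: install the update for this OS build.'
}
Disable-Smb1
Block-SmbInbound
Write-Output "SMB1 enabled: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
```

Verify the result with `Get-SmbServerConfiguration` and `Get-NetFirewallRule -DisplayName 'Block inbound SMB*'` before rolling the script out through your management tooling.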

How Zscaler Can Help with Preventative Measures

Zscaler had generic signature coverage for one of the payloads involved and has also added multiple signatures and indicators to block other known payloads related to this attack.

Advanced Threat Signatures:

  • Win32_ransomware_Petya_116628
  • CVE_2017_0199

In-line AV signatures:

  • W32/Petya.VUNZ-1981
  • W32/Ransom.Petya.J!Eldorado

Zscaler Cloud Sandbox provides a proactive line of defense against these evolving ransomware strains.

Technical Analysis of the Payload

This section will be updated shortly
