On 27th June 2017, multiple organisations, many in Europe, reported significant disruptions that they attributed to Petya ransomware.
According to reports, this variant of the Petya ransomware may be spreading via the EternalBlue exploit that was used in last month's WannaCry attack.
Cybersecurity firm FireEye is continuing to investigate the reports of the threat activity involved in these disruptive incidents.
Based on the company's initial analysis, the ransomware used in this campaign mimics Petya in some ways, and the MBR reboot page is identical. However, there are some notable changes, including the propagation mechanism and an hour's delay before encrypting files, which may be intended to allow propagation to occur.
“We believe that one infection vector used in this campaign was the M.E.Doc software, which is reportedly used for tax accounting purposes in Ukraine,” said FireEye in a statement.
“Additionally, payloads associated with the campaign exhibit self-propagation behavior. Further, it is possible that other initial infection vectors are also involved,” it said. “This activity highlights the importance of organisations securing their systems against the EternalBlue exploit and ransomware infections. We have detected these attacks on organizations located in the following countries: Australia, United States, Poland, Netherlands, Norway, Russia, Ukraine, India, Denmark and Spain.”
FireEye then noted that the incident highlights the importance of organisations securing their systems against the EternalBlue exploit and ransomware infections.
John Miller, senior manager, Analysis, FireEye, said, “Petya belongs to the ransomware family that is atypical in that the malware does not encrypt individual files on victims’ systems, but instead overwrites the master boot record (MBR) and encrypts the master file table (MFT), which renders the system inoperable until the ransom has been paid. The malware contains a dropper, custom boot loader, and a small Windows kernel that executes additional encryption routines.”
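Because this family replaces the bootstrap code in the MBR rather than encrypting individual files, one defensive check is to compare the first sector of a disk against a trusted baseline and separate "boot code replaced" from "partition table damaged". The following is an added example written for this article, not FireEye's or Microsoft's code; the sample sectors, partition values and hashes are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 440   # bootstrap code region of a classic MBR
PART_TABLE_OFF = 446  # four 16-byte partition entries follow the disk id
BOOT_SIG_OFF = 510    # trailing 0x55 0xAA signature

@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition entries: status, type, LBA start, sector count."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        status, type_id, lba, count = struct.unpack("<B3xB3xII", entry)
        parts.append(Partition(status == 0x80, type_id, lba, count))
    return parts

def baseline_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap region, recorded while the system is known-good."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(mbr: bytes, trusted_boot_code_sha256: str) -> Dict:
    """Flag a sector whose boot code no longer matches the trusted baseline."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return {"ok": False, "findings": ["sector is not 512 bytes"], "partitions": []}
    if mbr[BOOT_SIG_OFF:] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    if baseline_hash(mbr) != trusted_boot_code_sha256:
        findings.append("bootstrap code differs from trusted baseline")
    parts = parse_partitions(mbr)
    if not any(p.type_id for p in parts):
        findings.append("partition table is empty")
    return {"ok": not findings, "findings": findings, "partitions": parts}

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code, one NTFS partition at LBA 2048, valid signature."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_id = b"\x11\x22\x33\x44\x00\x00"  # 4-byte disk id plus 2 reserved bytes
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    return boot + disk_id + entry1 + b"\x00" * 48 + b"\x55\xAA"

CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90MSDOS5.0")        # constructed "known-good" sector
TAMPERED_MBR = build_sample_mbr(b"\xFA\x31\xC0" + b"\x90" * 20)  # boot code swapped, table intact
```

A result whose only finding is the changed bootstrap code, with the partition table still parsing, is the pattern to expect from a custom boot loader being written in place; a missing signature or empty table points instead at wiping or corruption.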
FireEye also noted that Microsoft has provided a guide for securing Windows systems against the EternalBlue exploit in the context of the WannaCry ransomware. A robust backup strategy, network segmentation and air gapping where appropriate, and other defenses against ransomware can help organisations defend against ransomware distribution operations and quickly remediate infections.