But wait... there's more than one way it's spreading: Researchers have also indicated the attack may be spreading via the EternalRomance exploit (targeting Windows XP through Server 2008 systems over TCP port 445) and within internal networks by abusing WMI and the legitimate command-line utility PsExec, meaning even machines patched against MS17-010 are at risk once one host on the network is infected.
Petya is different from other ransomware: The ransomware being deployed in this outbreak is a variant of Petya, a strain that attempts to encrypt the hard drive's Master File Table (MFT). As a result, it not only locks victims out of their files, but out of their entire system.
The email account for accepting ransom payments was shut down: There is currently no way to unlock encrypted systems or recover encrypted files, not even for victims considering paying the attacker. That's because the email provider that was hosting the inbox the attacker was using to field decryption requests shut down the account. As a result, paying will not get victims their data back.
Possible temporary fix found: According to researchers, creating a read-only file at C:\Windows\perfc.dat (so the malware can neither write nor execute it) may stop this variant on that machine. Treat it as a per-host kill switch for this particular sample, not a substitute for patching; a recompiled variant can simply check a different name.
Patching and other precautions still advised: If you haven't already, apply critical Microsoft update MS17-010, which renders the exploit ineffective. Microsoft has also released an update for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. Note that MS17-010 closes only the SMB exploit path; it does nothing against the PsExec/WMI spread, so limiting and securing the use of PsExec is also advised, as is restricting user permissions to limit the extent of infections and the damage they can do.
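The following PowerShell audit is an added example for this write-up, not code from Barkly or any vendor tool. It checks one Windows host for the exposure points the precautions above describe (SMBv1, the MS17-010 hotfix, inbound exposure of TCP 445, and the LSASS credential-caching settings that decide whether a Mimikatz-style dump yields reusable passwords) and can optionally drop the read-only perfc vaccine files. The KB list, the assumption that WDigest defaults to off on a patched host, and the vaccine file names are assumptions noted in the comments; verify them against your own builds.

```powershell
# Added example, not from the original post. Audits one Windows host for the
# exposure points discussed above and optionally drops the "perfc" vaccine.
# Run from an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later
# (Get-SmbServerConfiguration and the NetSecurity cmdlets are not on older builds).
function Test-NotPetyaExposure {
    [CmdletBinding()]
    param(
        # Also create read-only C:\Windows\perfc, perfc.dat and perfc.dll.
        # The post names perfc.dat; other researchers named perfc with no
        # extension, so all three are created. Per-sample kill switch only.
        [switch]$CreateVaccine
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. SMBv1: the wormable SMB exploits need it. Disabling it is the
    #    stop-gap that works even where MS17-010 cannot be applied yet.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings.Add('SMBv1 server protocol enabled (Set-SmbServerConfiguration -EnableSMB1Protocol $false)')
    }

    # 2. MS17-010. KB numbers are the March 2017 packages (assumption: the list
    #    is not exhaustive; on Windows 10 any later cumulative update supersedes
    #    them, so absence here is a prompt to check, not proof of exposure).
    $ms17010 = 'KB4012212', 'KB4012213', 'KB4012214', 'KB4012215', 'KB4012216',
               'KB4012217', 'KB4012598', 'KB4012606', 'KB4013198', 'KB4013429'
    $installed = (Get-HotFix).HotFixID
    if (-not ($ms17010 | Where-Object { $installed -contains $_ })) {
        $findings.Add('No MS17-010 package from the March 2017 list found; verify against your build')
    }

    # 3. Inbound TCP 445 allowed by an enabled firewall rule? Patched hosts are
    #    still reached over 445 by the PsExec/WMI spread, so limit who can get there.
    $rules445 = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($r in $rules445) {
        $findings.Add("Inbound TCP 445 allowed by rule '$($r.DisplayName)' (profile: $($r.Profile))")
    }

    # 4. WDigest: with UseLogonCredential=1 LSASS keeps plaintext passwords,
    #    which is what extraction from lsass.exe harvests. Assumption: the host
    #    has KB2871997 (or is 8.1/2012 R2 or newer), so a missing value means 0.
    $wd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($wd -and $wd.UseLogonCredential -eq 1) {
        $findings.Add('WDigest UseLogonCredential=1: plaintext passwords cached in LSASS')
    }

    # 5. LSA Protection (RunAsPPL=1) stops unsigned code from opening LSASS at all.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name RunAsPPL -ErrorAction SilentlyContinue
    if (-not $lsa -or $lsa.RunAsPPL -ne 1) {
        $findings.Add('LSA Protection (RunAsPPL) not enabled; LSASS memory readable by any admin-level process')
    }

    # 6. Optional vaccine files.
    if ($CreateVaccine) {
        foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
            $path = Join-Path $env:SystemRoot $name
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -Path $path -ItemType File | Out-Null
            }
            (Get-Item -LiteralPath $path).IsReadOnly = $true
            $findings.Add("Vaccine file present and read-only: $path")
        }
    }

    return $findings
}

# Usage:  Test-NotPetyaExposure                  # audit only, prints one line per finding
#         Test-NotPetyaExposure -CreateVaccine   # audit and drop the read-only perfc files
```

The vaccine step is last on purpose: the first five checks are the controls that still matter after this sample is gone, and an empty result from them is a far better outcome than a perfc file on a host that still speaks SMBv1 to the internet.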
A second global ransomware outbreak is making headlines, just over a month after WannaCry infected an estimated 300,000 devices in more than 150 countries worldwide. Speculation and conflicting reports have been rampant. Here's what we know to be confirmed so far.
Ukraine hit hardest, attack spreading fast
Countries hit by the Petya ransomware outbreak. Source: Kaspersky
While early victims of the attacks included Ukraine's central bank, state telecom, municipal metro, utility providers, and Kiev's Boryspil Airport, infections have been reported in countries across Europe, as well as in India and the US.
It doesn't just encrypt files, it encrypts hard drives.
While there have been conflicting reports over whether the ransomware involved in these attacks is actually Petya or a new family (hence the #NotPetya tag), it clearly shares behaviour with that family.
Petya originally gained attention in 2016. It stood out from other ransomware because rather than simply encrypting the victim's files, it encrypts the disk's Master File Table (MFT), the NTFS index that records where every file lives. As a result, it not only locks victims out of their files, but out of their entire system.
According to researchers at Kaspersky, this ransomware takes a similar approach. Once a machine is infected, it overwrites the Master Boot Record (MBR) with a customized loader, schedules a reboot 10-60 minutes later, and after the reboot that loader encrypts the MFT (behind a fake CHKDSK screen) and displays the ransom note.
The ransom note reads:
Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service.
We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
1. Send $300 worth of Bitcoin to following address: XXXXXXX
2. Send your Bitcoin wallet ID and personal installation key to e-mail email@example.com. Your personal installation key: XXXXXXX
If you already purchased your key, please enter it below. Key: __
No way to connect with attacker for the decryption keys
The criminals behind the attack are demanding $300 in Bitcoin in exchange for the decryption key. Unfortunately, even if victims did want to pay, there is no longer any way to communicate with the attackers. That's because Posteo, the email provider hosting the attacker's inbox, has shut down the account.
Once on a compromised machine, this variant of Petya scans the local network for hosts with TCP ports 445 and 139 open and attacks them with the ETERNALROMANCE SMB exploit.
It also spreads via PsExec and WMI, which let it execute the ransomware on any remote machine on the network for which it holds valid credentials.
Note: It takes only one infected device on your network running with domain admin credentials (or local admin credentials reused across hosts) for the ransomware to spread throughout your network, even to machines that are fully patched.
As outlined in our breakdown of Sorebrect ransomware, attackers can easily extract credentials from the lsass.exe process using tools like Mimikatz.
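As an added example (not code from the post, and not a description of this sample's exact tooling), here is detection logic for the two lateral-movement techniques just described, run over constructed Windows event records. It assumes PsExec as shipped installs a service named PSEXESVC (logged as System event 7045; a renamed copy will not match) and that a remote WMI process creation shows up as a process-creation event (Security 4688 on Windows 10/2016 and later, which record the parent) whose parent is WmiPrvSE.exe. The sample records and the list of child processes worth alerting on are assumptions for illustration.

```powershell
# Added example, not from the original post. Flags PsExec service installs and
# WMI-spawned processes in event data shaped like Get-WinEvent output.
function Find-LateralMovement {
    param([Parameter(Mandatory)] [object[]]$Events)

    # Children of the WMI provider host worth alerting on. Tuning assumption:
    # legitimate WMI providers rarely spawn shells, script hosts or rundll32.
    $suspiciousChildren = '\\(rundll32|cmd|powershell|wscript|cscript|mshta)\.exe$'

    foreach ($e in $Events) {
        switch ($e.Id) {
            7045 {
                # Service install. PSEXESVC is PsExec's default service and binary
                # name; "psexec -r <name>" renames it, so also match the image path.
                if ($e.ServiceName -eq 'PSEXESVC' -or $e.ImagePath -match 'PSEXESVC') {
                    [pscustomobject]@{
                        Time      = $e.Time
                        Host      = $e.Computer
                        Technique = 'PsExec service install'
                        Detail    = "$($e.ServiceName) -> $($e.ImagePath)"
                    }
                }
            }
            4688 {
                if ($e.ParentProcessName -match '\\WmiPrvSE\.exe$' -and
                    $e.NewProcessName -match $suspiciousChildren) {
                    [pscustomobject]@{
                        Time      = $e.Time
                        Host      = $e.Computer
                        Technique = 'WMI remote process creation'
                        Detail    = $e.CommandLine
                    }
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry). The first and third should
# fire; the second (a vendor service) and fourth (Explorer -> Notepad) should not.
$sampleEvents = @(
    [pscustomobject]@{ Id = 7045; Time = '2017-06-27 11:42:03'; Computer = 'WS01'
        ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Id = 7045; Time = '2017-06-27 11:43:10'; Computer = 'WS01'
        ServiceName = 'Vendor Update Helper'; ImagePath = 'C:\Program Files\Vendor\helper.exe' }
    [pscustomobject]@{ Id = 4688; Time = '2017-06-27 11:45:22'; Computer = 'WS02'
        ParentProcessName = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        NewProcessName    = 'C:\Windows\System32\rundll32.exe'
        CommandLine       = 'rundll32.exe C:\Windows\sample.dll,EntryPoint' }
    [pscustomobject]@{ Id = 4688; Time = '2017-06-27 11:46:01'; Computer = 'WS02'
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName    = 'C:\Windows\System32\notepad.exe'
        CommandLine       = 'notepad.exe' }
)

Find-LateralMovement -Events $sampleEvents | Format-Table -AutoSize

# Live use (assumption: process-creation auditing with command-line logging is on):
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 }
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 }
# then project each record's Properties into the field names used above.
```

Both signals are cheap to collect and, unlike the SMB exploit, they fire on fully patched hosts; that is the point of the note above. A single PSEXESVC install on a workstation that has no business running PsExec is worth an immediate look.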
Find out if your endpoints are vulnerable to credential theft with our free simulation tool: stackhackr
It simulates credential extraction from the lsass.exe process.
How to protect your company from this new Petya ransomware outbreak
Make sure your endpoint security provides exploit protection. Barkly blocks exploits like ETERNALBLUE that make attacks like these possible. Find out how.
If you haven't already, apply critical Microsoft update MS17-010 as soon as possible. If immediate patching isn't possible, here are two recommended stop-gaps that may be able to help reduce your risk: