Petya Variant Ransomware: How to Detect the Vulnerability and Exploits
Another ransomware variant based on Petya and known as GoldenEye has landed today initially hitting hard in Ukraine and other European countries, but we’re seeing a surge in the states as well. A variant of the Petya malware is spreading rapidly and is known to have affected organizations worldwide, regardless of size. This variant of Petya follows a similar attack method to last month’s WannaCry ransomware, though it uses the PsExec and WMI services for distribution. Once compromised, the ransomware will overwrite the Master Boot Record (MBR), encrypt individual files that match a list of file extensions (including documents, archives, and more), and after a reboot of the system will present the user a message requesting a ransom in Bitcoin to decrypt the system.
Like WannaCry, this ransomware targets Windows and leverages the Microsoft OS vulnerability that was recently patched (MS17-010). Many organizations still have not fully deployed this update and have a population of vulnerable computers. If not fully deployed, you definitely want to get MS17-010 in the patch cycle for your Windows boxes ASAP. Typical delivery methods for this are malware. As with WannaCry, once a computer inside your organization is infected, the malware can spread to other computers with no user interaction (and it does so very quickly) by remotely exploiting the ExternalBlue vulnerability that was patched by Microsoft with MS17-010. Signatures are being created, but as is always the case, new variants will be released.
SLAIT Consulting’s ThreatManage customers were automatically protected from Petya attacks with protections created, delivered and enforced across multiple elements of our managed security offering. Contact us today to speak with a security expert about our threat intelligence for early detection of threats like this variant of Petya as well as how built-in response orchestration capabilities can stop the threat from spreading.