“Petya” Ransomware: What we know now
Created: 2017-06-27 11:15:00
LAST UPDATED 3:10 p.m. PDT:
A massive new ransomware attack that started in Ukraine is spreading across Europe and the United States, according to Reuters and multiple other sources. Prominent companies that have been affected are the Danish shipping company Maersk and the British advertising company WPP.
The ransomware appears to be related to the Petya family, which is currently detected by ESET as Win32/Diskcoder.C Trojan.
ESET users can find instructions to ensure the highest level of protection against this threat here. In addition, here is an advisory for ESET customers about the new malware. ESET protects against this threat, provided you have a default install of any modern ESET product. Additionally, any ESET product with network detection protects against the SMB spreading mechanism, EternalBlue, proactively.
The scale of the attack is being compared to the recent WannaCry outbreak. ESET protects both businesses and home users against WannaCry.
ESET researchers have located the point from which this global epidemic has all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanized update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today which spread across the whole country and to the whole world. M.E.Doc has today released a warning on their website: http://www.me-doc.com.ua/vnimaniyu-polzovateley.
How does Petya work?
The Petya malware attacks a computer’s MBR (master boot record), a key part of the startup system that contains information about the hard disk partitions and helps load the operating system. If the malware successfully infects the MBR, it will encrypt the whole drive itself. Otherwise, it encrypts all files, like Mischa.
The new malware appears to be using a combination of the EternalBlue exploit used by WannaCryptor for getting inside the network, then spreading through PsExec for spreading within it.
To check if your Windows operating system is patched against it, use ESET's free EternalBlue Vulnerability Checker.
This powerful combination is likely the reason why the outbreak is spreading quickly, even after previous outbreaks have generated headlines and most vulnerabilities should have been patched. It only takes one unpatched computer to get inside the network. From there, the malware can take over administrator rights and spread to other computers.
Petya and crypto-ransomware
In Ukraine, the financial sector, energy sector and numerous other industries have been hit. The scope of the damage caused to the energy sector is not yet confirmed, and there has been no reports of a power outage, as was the case previously with the infamous Industroyer malware that was discovered by ESET.
An image that reportedly shows the ransomware message is making the rounds online, including one from Group-IB with the following message (which we’ve paraphrased):
“If you see this text, then your files are no longer accessible, because they have been encrypted … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment [$300 bitcoins] and purchase the decryption key.”
How to protect yourself
- Use reliable antimalware software: This is a basic but critical component. Just because it’s a server, and it has a firewall, does not mean it does not need antimalware. It does! Always install a reputable antimalware program and keep it updated.
- Make sure that you have all current Windows updates and patches installed
- Run ESET’s EternalBlue Vulnerability Checker to see whether your Windows machines are patched against EternalBlue exploit, and patch if necessary.
- For ESET Home Users: Perform a Product Update.
- For ESET Business Users: Send an Update Task to all Client Workstations or update Endpoint Security or Endpoint Antivirus on your client workstations.
- For more on Petya and crypto-ransomware, see this article from 2016 from ESET’s WeLiveSecurity.com blog.
ESET detections of Petya ransomware attempted attacks (Updated June 28, 9:00 a.m. PDT)
About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.
ESET recently updated its two-factor authentication (2FA) application, adding a secure validation to weak and static user passwords. This updated version of ESET’s 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it the best cost-effective solutions for SMBs everywhere.
The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. For more information visit https://eset.version-2.sg/ or follow us on Facebook.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For more information, please visit www.version-2.com.sg or call (65) 6296-4268.