Petya Outbreak – What we know so far
UPDATE 20:51 GMT-6
UPDATE 16:18 GMT-6
Please see Kaspersky Labs update following the data points below:
I’m sure many of you are aware of the Petya variant surge we’re facing today. Here’s what we know this far:
Original outbreak occurred in the Ukraine early this morning, impacting power companies, petrol stations, airlines, etc.
Since then, it has spread to systems throughout Europe and the U.S.
The code uses a variant of ExternalBlue along with Mimikatz running against LSASS.EXE for cred grabs, PSExec tools and WMIC to have a worm-like spread.
The email account associated with the bitcoin ransom demand ($300) has since been disabled so decryption keys are pretty much out of the question now.
As of 15:30 GMT-6 a total of 31 bitcoin payments have been made.
Unlike other ransomware, this not only encrypts an assortment of file extensions but upon forcing a system reboot, it will also encrypt the Windows MFR and display the ransom message.
There is no kill switch.
I will update this post as more details surface.
Including some code review screen scrapes from trusted analysts.
Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. That is why we have temporarily named it NotPetya.
The company’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.
This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.
Kaspersky Lab detects the threat as UDS:DangerousObject.Multi.Generic.
Kaspersky Lab experts aim to release new signatures, including for the System Watcher component as soon as possible and to determine whether it is possible to decrypt data locked in the attack – with the intention of developing a decryption tool as soon as they can.
We advise all companies to update their Windows software, to check their security solution and ensure they have back up and ransomware detection in place.
Kaspersky Lab corporate customers are also advised to:
• Check that all protection is activated as recommended; and that they have enabled the KSN/System Watcher component.
• Use the AppLocker feature to disable the execution of any files that carry the name “perfc.dat”; as well as the
• PSExec utility from Sysinternals Suite.