Petya-based ransomware using EternalBlue to infect computers around the world
There are more reports of a massive cyber attack hitting a number of companies in Ukraine, including banks, transportation services, energy companies, and even the government. Avast says this is another example of the Petya-based ransomware, which was first identified in 2016. Just a few months ago, Petya was spotted patched and bundled into a different malware strain called PetrWrap. The attack appears to be spreading, with incidents reported in Russia, India, France, Spain, and the Netherlands. The attackers are demanding a $300 ransom, payable in Bitcoin.
As the outbreak was being analyzed, one infection vector was found: the updater for MEDoc, a Ukrainian accounting software package.
Once this Petya variant gets onto a network, it spreads using two different methods. The first exploits two SMB vulnerabilities, EternalBlue and EternalRomance. The second spreads through Windows network shares using credentials stolen from the victim machine, extracted by a bundled Mimikatz-like tool. Microsoft released a patch for both SMB vulnerabilities in March; the credential-based method does not depend on an unpatched flaw, so patching alone does not stop it.
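For readers who want to check their own Windows hosts against the first spreading method, here is an added example (not code from Avast or from the original post) that verifies whether the March 2017 SMB fix (Microsoft bulletin MS17-010) is installed and whether the legacy SMBv1 server that EternalBlue and EternalRomance target is still enabled, and turns SMBv1 off if it is. The KB numbers are the original March 2017 MS17-010 packages; later cumulative updates supersede them, so on a fully patched host none of these KBs may appear and the SMBv1 status is the more reliable signal. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original post: check for the March 2017
# MS17-010 packages and the state of the SMBv1 server on this host.
# KB list covers the original MS17-010 releases; newer cumulative updates
# supersede them, so a missing KB alone does not prove the host is exposed.

$ms17010Kbs = @(
    'KB4012598',                          # XP / Vista / Server 2003 / 2008
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',             # Windows 8 / Server 2012
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No March 2017 MS17-010 package found; confirm a newer cumulative update is installed."
}

# Windows 8 / Server 2012 and later expose the SMB server settings as cmdlets.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        Write-Warning "SMBv1 server is enabled; disabling it."
        # Runtime setting, takes effect without a reboot.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Write-Host "SMBv1 server is already disabled."
    }

    # Where SMBv1 ships as an optional component (8.1 / 10), remove it entirely.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
} else {
    # Windows 7 / Server 2008 R2: SMBv1 is controlled by a LanmanServer registry value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $current = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($current -ne 0) {
        Write-Warning "SMBv1 server is enabled (registry); setting SMB1=0. A reboot is required."
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    } else {
        Write-Host "SMBv1 server is already disabled (registry)."
    }
}
```

Note that this only closes the first of the two spreading methods described above. The second, moving across Windows network shares with stolen credentials, works over current SMB versions and is not affected by removing SMBv1 or installing MS17-010; limiting local administrator reuse across machines and reducing who can reach admin shares is what blunts that path.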
There had been over 12,000 attack attempts as of June 27, 2017. Avast data shows that of the PCs scanned last week, 38 million have not patched their systems and are still vulnerable. The actual number of vulnerable PCs is probably much higher than that. Windows 7 was the most affected operating system.
Customers using the latest version of Avast are protected against Petya-based ransomware. If Petya somehow makes it onto your system, Avast will detect it, quarantine it, and destroy it; if it detects Petya trying to enter your computer, it will block it. Updates will be provided regularly to protect against possible future variants. If you are concerned, make sure your antivirus software is up to date. Finally, if you are a Windows user, make sure you update your system and applications with any available patches as soon as possible.