petya-ransomware-attack

A new strain of ransomware dubbed “Petya” struck major companies and infrastructure sites this week, following last month’s WannaCry ransomware attack, which wreaked havoc on more than 300,000 computers across the globe. Petya is believed to spread with the same leaked exploit tooling that WannaCry used.

Petya already has taken thousands of computers hostage, hitting companies and installations from Ukraine to the U.S. to India. Victims include a Ukrainian international airport and multinational shipping, legal and advertising firms, and the outbreak has forced the shutdown of radiation monitoring systems at the Chernobyl nuclear facility.

Europol, the international law enforcement agency, could not provide operational details on the attack, spokesperson Tine Hollevoet told the E-Commerce Times, but it was trying to “get a full picture of the attack” from its industry and law enforcement partners.

Petya “is a demonstration of how cybercrime evolves at scale and, once again, a reminder to business of the importance of taking responsible cybersecurity measures,” Europol Executive Director Rob Wainwright said in a Wednesday update.

Unlike WannaCry, Petya has no ‘kill switch’ of any kind, according to Europol.

Variant Characteristics

The U.S. Computer Emergency Readiness Team (US-CERT) on Tuesday began fielding numerous reports of Petya infecting computers around the world, and noted that this particular variant takes over the master boot record (MBR) of Windows computers, leaving them unable to boot normally, and exploits vulnerabilities in the Server Message Block (SMB) protocol.

The RANSOM_PETYA.SMA variant uses two infection vectors, according to Trend Micro: the EternalBlue exploit, which was also used in the WannaCry attack, and PsExec, a Microsoft Sysinternals utility for launching processes on remote machines. The distinction matters for defenders: EternalBlue only works against machines that are missing the MS17-010 patch, whereas the PsExec path rides on legitimate administrative credentials and so can reach fully patched hosts as well.

Users should apply the MS17-010 security patch, block inbound TCP port 445 (the SMB port), and limit the number of accounts with Administrators group membership, the firm recommended.
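The following audit script is an added example written for this page; it is not code from the article or from Trend Micro. It checks the three mitigations above on a single Windows host and, with the -Remediate switch, applies the two that can be applied locally (disabling SMBv1 and blocking inbound TCP/445), then lists local administrators and looks for the System-log trace that PsExec leaves when it installs its PSEXESVC service. It assumes Windows 10 or Server 2016 or later (for Get-SmbServerConfiguration and Get-LocalGroupMember), an elevated PowerShell 5.1 session, and that the KB numbers listed are the MS17-010 fixes for the common Windows builds of the time; the rule name is arbitrary, and the KB list should be verified against the MS17-010 bulletin for your build.

```powershell
# Added example (not from the article or from Trend Micro): audit and optionally
# remediate the Petya mitigations on one Windows host. Run elevated, PS 5.1+.
# Assumption: the KB IDs below are the MS17-010 fixes Microsoft listed for
# Windows 7/8.1/10 and Server 2008 R2/2012/2012 R2/2016; verify for your build.

param(
    [switch]$Remediate   # without this switch the script only reports
)

# --- 1. MS17-010: is one of the fixing updates installed? ---
$ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010: patched ($($installed.HotFixID -join ', '))"
} else {
    "MS17-010: NO matching KB found - install the March 2017 security update"
}

# --- 2. SMBv1, the protocol version EternalBlue targets ---
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    "SMBv1: ENABLED"
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        "SMBv1: disabled (reboot to unload the driver completely)"
    }
} else {
    "SMBv1: disabled"
}

# --- 3. Host-firewall block for inbound TCP/445 ---
# This stops both vectors: EternalBlue speaks SMB, and PsExec copies its
# service binary to the target over the ADMIN$ share, which is also SMB.
$ruleName = 'Block-Inbound-SMB-445'   # arbitrary name chosen for this example
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    "TCP/445: inbound block rule '$ruleName' present"
} else {
    "TCP/445: no host-firewall block rule"
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        "TCP/445: inbound block rule created"
    }
}

# --- 4. Local Administrators membership: PsExec needs admin rights on the target ---
$admins = Get-LocalGroupMember -Group 'Administrators' |
          Select-Object -ExpandProperty Name
"Local Administrators ($($admins.Count)): $($admins -join ', ')"

# --- 5. Evidence of PsExec use: it installs a service named PSEXESVC, which the
#        Service Control Manager records as System event 7045 ---
$psexec = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'PSEXESVC' }
if ($psexec) {
    "PsExec: $($psexec.Count) PSEXESVC service-install event(s); earliest at $($psexec[-1].TimeCreated)"
} else {
    "PsExec: no PSEXESVC service-install events in the System log"
}
```

Run it once without arguments to get a report, then with -Remediate to apply the SMBv1 and firewall changes; installing the MS17-010 update itself and pruning the Administrators group are left to the patch-management and identity processes, since both need a human decision. A 7045 PSEXESVC event is not proof of compromise (administrators use PsExec legitimately), but an unexplained one that coincides with the outbreak is the first thing to pull the machine's timeline around.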

The Petya variant runs as a DLL loaded through the rundll32.exe process, and encryption is carried…