Another vicious ransomware package, a variant of the Petya malware, has been reported as spreading aggressively since its release last night with infections in 64 countries being traced back to an origin point in Ukraine.
Following hot on the heels of the WannaCry malware released in May 2017 which infected critical systems across the globe, the new variant of the Petya ransomware - also known as GoldenEye - has been extremely successful in its targeting of the EternalBlue vulnerability disclosed following the leak of security information from the US National Security Agency: the same vulnerability, resolved in a patch issued in March by Microsoft, as featured in the WannaCry ransomware.
The revised Petya, which is being known as NotPetya or PetrWrap to differentiate it from the original release, uses this vulnerability to spread worm-like from system to system. In addition, the malware spreads by breaking account credentials and using the PsExec remote execution tool to directly attack networked systems. When infection is successful, as with all ransomware tools, the software then begins encrypting users' files before popping up a demand for $300 paid in the Bitcoin cryptocurrency (around £234).
As with WannaCry, PetrWrap is proving extremely successful: Since the first updated variant was released late last night, the malware has spread to 12,500 Ukrainian systems then broke the international barrier to infect a further 64 countries. The key to the virulence of PetrWrap, Microsoft has claimed in its analysis of the attack, stems from its injection into a legitimate software supply chain: Ukrainian software firm M.E.Doc was one of the first to become infected then unwittingly transmitted the malware to users of its eponymous accounting software using the official software update channel.
Microsoft has confirmed that installing March's MS17-010 security update and closing the Server Message Blocks (SMB) security vulnerability is enough to protect against PetrWrap's primary infection vector, and additionally recommends that users disable the outdated SMBv1 protocol and block incoming traffic on ports 139 and 445 as well as disabling remote WMI and file sharing if enabled.
The majority of anti-virus packages, including Microsoft's own Windows Defender family, have received updates to detect PetrWrap, though can do little for systems which are infected and with files already encrypted. The advice for these users is, as always, to restore from a known-clean backup.
April 3 2020 | 14:09