- Jeff Costlow
- June 26, 2017
Last month, the WannaCry ransomware infected thousands of machines around the world. This morning, computer systems from Russia to the U.S. were victims of another major cyberattack. Most are calling it "Petya"; others are calling it GoldenEye. Like WannaCry, it is a ransomware campaign propagating at hyper-speed by utilizing the EternalBlue exploit. However, this variant does have some new tricks up its sleeve. It appears to encrypt the master boot record so that the infected machine does not boot properly and instead displays a text ransomware screen.
The ExtraHop Rapid Response team is currently investigating. At the moment, here are our recommendations:
- Install the WannaCry/EternalBlue detector bundle. The new ransomware variant uses EternalBlue to spread.
- Install the Ransomware/CIFSv1 detection bundle.
- Install the SMB/CIFS Detection bundle to find machines that are still using SMBv1. Disable or patch these machines before they get infected.
We are expecting to have a Ransomware bundle update soon to help with detection.
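As an added example (not ExtraHop code and not the logic of the detection bundles above), the following Python flags hosts that still negotiate SMBv1, which is the inventory the SMB/CIFS step calls for. The record format, addresses and function names are constructed for the illustration; it separates hosts that merely have SMBv1 enabled (SMB2-capable, safe to disable) from hosts that offered no SMB2 dialect at all (must be patched before SMBv1 is cut off, or they lose file sharing).

```python
"""Flag hosts that still negotiate SMBv1 from SMB Negotiate records.

Record format (constructed for this example, not an ExtraHop format):
    <timestamp> <client_ip> -> <server_ip> <proto> dialects=<d1>;<d2>;...
proto is SMB1 for a legacy-header Negotiate (string dialects) or SMB2 for
an SMB2-header Negotiate (hex dialect codes such as 0x0202).
"""
import re
from collections import defaultdict

# Dialect strings an SMB2-capable client adds to an SMB1-header Negotiate;
# a client that omits both can only ever speak SMBv1.
SMB2_MARKERS = {"SMB 2.002", "SMB 2.???"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<server>\S+) "
    r"(?P<proto>SMB[12]) dialects=(?P<dialects>.*)$"
)

def classify(line):
    """Return (client, verdict) with verdict in {smb1_only, smb2_capable, smb2}, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dialects = {d.strip() for d in m["dialects"].split(";") if d.strip()}
    if m["proto"] == "SMB2":
        verdict = "smb2"            # native SMB2 header: SMBv1 not in use here
    elif dialects & SMB2_MARKERS:
        verdict = "smb2_capable"    # SMBv1 still enabled, but SMB2 is offered
    else:
        verdict = "smb1_only"       # no SMB2 dialect at all: patch before disabling
    return m["client"], verdict

def audit(lines):
    """smb1_enabled: sent any SMB1-header Negotiate; smb1_only: never offered SMB2."""
    verdicts = defaultdict(set)
    for line in lines:
        rec = classify(line)
        if rec:
            verdicts[rec[0]].add(rec[1])
    enabled = sorted(c for c, v in verdicts.items() if v & {"smb1_only", "smb2_capable"})
    only = sorted(c for c, v in verdicts.items() if v == {"smb1_only"})
    return {"smb1_enabled": enabled, "smb1_only": only}

# Constructed sample records for the example run
SAMPLE = """\
2017-06-27T09:12:01Z 10.0.1.15 -> 10.0.1.40 SMB1 dialects=PC NETWORK PROGRAM 1.0;LANMAN1.0;NT LM 0.12
2017-06-27T09:12:05Z 10.0.1.22 -> 10.0.1.40 SMB1 dialects=NT LM 0.12;SMB 2.002;SMB 2.???
2017-06-27T09:12:09Z 10.0.1.31 -> 10.0.1.40 SMB2 dialects=0x0202;0x0210;0x0300
2017-06-27T09:12:14Z 10.0.1.15 -> 10.0.1.41 SMB1 dialects=NT LM 0.12
"""

if __name__ == "__main__":
    print(audit(SAMPLE.splitlines()))
```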
While there are still many details to be sorted out about the source and impact of the attack, it's clear that ransomware is no longer something organizations of any size can ignore, and patching vulnerabilities cannot be put off. The scale of this attack thus far has come as a bit of a surprise given that it uses EternalBlue, the same vulnerability as WannaCry. How far it will spread is still in question given that many hosts have already been patched, but its impacts in Europe indicate that many organizations didn't do the work they needed to do on EternalBlue following the WannaCry attack.
The targets of this attack are also concerning. In addition to several major multinational corporations across numerous industries, Petya has also hit the public sector. Industry experts have long warned that ransomware could be used to target critical infrastructure, and what we're seeing in the Ukraine is precisely that scenario. Everything from the electrical grid to telecommunications to the metro system has been affected.
If it wasn't clear already, crossing your fingers and hoping for the best is not a workable strategy. Organizations need to be proactive in how they address the threat of ransomware.
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2017/protect-your-organization-from-petya-ransomware/