Our company is actively monitoring the Petya/NotPetya ransomware outbreak, and our best-of-breed endpoint protection platform is proactively protecting customers against this latest strain. We will update this blog post as more technical information about this attack is discovered.
What we know right now:
- The outbreak is using the EternalBlue exploit to spread laterally.
- It spreads through SMB using the psexec tool.
- This attack does appear to be using a method of collecting Bitcoin ransom similar to the one WannaCry used, relying on only a small number of wallet addresses. The ransom demand is ~$300 USD.
- The email address used in the ransom request has since been shut down, so anyone who chooses to pay the ransom may have difficulty retrieving their decryption key.
- We have yet to see if this outbreak has a kill switch.
- Once executed, it overwrites the Master Boot Record and is then allowed to spread for an hour before forcing the machine to reboot.
- In addition, this outbreak shares characteristics with Petya, such as infecting the MBR and encrypting files on the drive; however, it is not yet clear that this is a Petya variant. Some reports indicate that this is an entirely new form of ransomware, hence "NotPetya".
We'll post more information as it becomes available.