BREAKING NEWS! Petya Ransomware Spreading Like WildfireComputers That Werk Blog Writer
On June 27 at approximately 10:30 UTC, a new ransomware family began propagating across multiple countries. The family, referred to as PetrWrap, is noteworthy because it combines traditional ransomware behavior with stealthy propagation techniques and a destructive attack element.
This is PetrWrap, a new ransomware tool built from the bones of Petya, which held users’ files for “ransom” and demanded usually egregious payment in exchange for the encryption key earlier this spring. Without getting too deep in the weeds, PetrWrap is essentially a revision on this method that subverts protections put in place following Petya’s outbreak.
According to the BBC, the PetrWrap ransomware has already infected computers within some major national infrastructures and some of the world’s largest institutions. Namely, the Ukranian power company, its central bank and Kiev’s main airport have suffered attacks from the ransomware.
Other victims of note include the Chernobyl nuclear power plant, Danish shipping company Maersk as well as victims in the US, including pharmaceutical firm Merck and the US offices of a law firm known as DLA Piper, The Verge reports.
Our investigation shows that this attack both encrypts files and the Master Boot Record (MBR) and can spread rapidly using several techniques, including the “EternalBlue” exploit of a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin. It can also spread by using a variant of the Microsoft PsExec tool in combination with admin credentials from the target computer.
All of our current managed IT service clients are protected with Bitdefender.
We will continue to update this post as more information is released and as we complete additional research.