Today a new malware variant has surfaced. Our vendors’ current research leads us to believe that the sample leverages EternalBlue and WMI for lateral movement inside an affected network. This behavior is unlike WannaCry, as there does not appear to be an external scanning component. Additionally, there may also be a psexec vector that is also used to spread internally.
Petya, a major new global ransomware attack is moving swiftly across the globe, and the number of companies and agencies reportedly affected by this ransomware campaign is increasing at an alarming rate. The malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware, similar to the “WannaCry” variant from May. The “Petya” ransomware spreads via spam emails and web links that appear to contain “invoices, job offers, security warnings and other legitimate files”. The messages left on the infected screen say files will remain encrypted until a Bitcoin ransom is paid.
We are actively assessing the risk to our managed service clients, including auditing Windows and antivirus/antimalware patch levels on servers, workstations, and relevant security systems. Please inform your staff to be extraordinarily suspicious of all e-mails received. If it looks suspicious, assume it is suspicious and do not open any email attachments or click on Web links. Contact the sender to confirm the authenticity of the attachments or links.