Story of Petya ransomware was starting to calm down already after making rounds during last week. Now, however, it seems that the story isn’t over yet. In the slipstream of Petya infections in Ukraine, a new ransomware dubbed FakeCry is now spreading. The new ransomware seems to spread from the same MeDoc service which was suggested as one of the initial sources of infections for Petya.
Petya ransomware has already been around for months as a more traditional malware that spreads through e-mail. The new developments in this case involve the addition of tips and tricks taken from WannaCry ransomware, the last big thing that hit the world close to a month ago. Instead of just relying on e-mail, the malware now targets actual vulnerabilities in autonomous fashion. The exploit coined Eternal Blue is also involved here in helping the malware spread. There are also reports that there might be more to the case but so far the information is conflicting.
Many instances of the case have been reported through media and within forums like Twitter. The hashtag #petya is currently full of discussions, reports and notes from different companies reporting breaches and discoveries.
So far, it looks like activities done to combat WannaCry earlier are also effective here. The more traditional malware version spread over e-mail is a different story as it relies on infecting the machine through user activity rather than exploiting specific vulnerabilities.
The Petya ransomware has been studied in the past by various security professionals. On basic level, the malware follows the common principles of ransomware - files are encrypted and by paying money, you can get them back. The additional twist here is that the malware takes over MBR, the part responsible for booting up the computer initially. This essentially renders the machine inoperable from the start once it gets shut down once.
The incident is currently active around Europe and in Russia. The situation might develop during the coming hours depending on how the spread of the malware can be confined. Nixu's Cyber Defense Center is currently investigating and following up on this incident. More information will come as the situation develops.
In order to protect your organization:
- Ensure that patching has been done properly. This should have been a lesson learned after WannaCry and activities done then likely help here as well
- Be prepared for when new emergency patches start rolling in, both from application and server vendors and anti-virus companies. Ensure that relevant people are in stand-by mode to ensure rapid response
- Implement monitoring in key points in your infrastructure to detect incidents such as this. In this case, unusual writing patterns could suggest that something is wrong
- Where possible, disconnect critical network shares or similar from production systems if you detect unusual spikes in writing which cannot be explained otherwise to protect at least some of the files from corruption.
Originally published at 19:35 EET on June 27, 2017.
Note that this article discusses current on-going events and some information may have changed since publishing.