Originally published at 8:00 EET on July 6, 2017
Note that this article discusses current on-going events and some information may have changed since publishing.
Story of Petya ransomware was starting to calm down already after making rounds during last week. Now, however, it seems that the story isn’t over yet. In the slipstream of Petya infections in Ukraine, a new ransomware dubbed FakeCry is now spreading. The new ransomware seems to spread from the same MeDoc service which was suggested as one of the initial sources of infections for Petya. Based on reports from many sources, the malware is hitting some of the same systems that were initially hit by Petya.
Details on the new wave of attacks are still unclear. What seems clear so far is that the same MeDoc service which was involved in the first wave of attacks has again been linked to distribution of the new malware. It has been suggested that the automatic patching service pushed malicious updates to the clients, infecting them first with the Petya malware and now with the new malware. There are also reports that the police is investigating the case and the company behind the service.
The new ransomware appears to share many of the features of the old one. Similar to the original Petya, reports so far are conflicting as far as details go. The new malware seems to have different kinds of features, some which look like they are designed to fool security professionals by appearing to be false leads. The timeline for the initial compromises are also unclear. Some report suggest that the malware was already spread along with the Petya malware. Others suggest that the malware is now spreading especially in Ukraine after the initial wave of Petya infections has started to die down.
To protect your organization against the new malware, verify the following:
- If your organization uses the MeDoc service in Ukraine, it’s highly recommended to consider removing it from important systems that may spread the infection further
- Ensure that your Windows systems are patched against the same vulnerabilities as WannaCry / Petya (bulletin MS17-010)
- Ensure that appropriate anti-virus software has been deployed on all systems
- Take backups from important systems into backup media or central system which cannot be overwritten by possibly infected systems
- Pay special attention to any systems deployed in Ukraine or which are used to do business with contacts there (e.g. through e-mail) to avoid spread of the malware through other channels
If your organization was hit by the malware, it is not recommended to pay the ransom at this stage. There is no evidence so far that paying the ransom would help in getting any files back.
Nixu’s Cyber Defense Center will continue to monitor the situation. New updates will be released once we know how the situation develops and what additional precautions are required, if any, on top of what was already done to prevent Petya infections.
For more coverage on events surrounding the spread of Petya malware, see our previous blog entries on the issue: