On Tuesday June 27th, just a little over a month after the WannaCry ransomware campaign, multiple reports of a worldwide outbreak of a new ransomware campaign appeared within a few hours; some call it a new variant of "Petya", others call it "NotPetya".
The new Petya ransomware variant infections broke out in Ukraine and spread from there to other countries. The proliferation of this ransomware is believed to have begun with a malicious email containing the ransomware embedded in a password-protected Word file.
What does it do? Petya ransomware encrypts the master boot record of infected Windows computers, making affected machines unusable.
Open-source reports indicate that after the attached file is opened, the infected machine communicates with the IP address 188.8.131.52. Once a communication channel between the infected machine and the malicious C&C is open, a screen appears stating that a scan of the hard disk is in progress (CHKDSK). It is believed that this is when distribution of the ransomware within the network begins, using SMBv1 and a number of additional protocols over ports 139, 445 and 135.
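As an added defensive example (not from the original post or Cymulate's product), the following Python script flags the spreading pattern just described: one internal host opening connections to many peers on ports 135, 139 and 445 within a short window. The log format, IP addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample flow-log lines (not from the original post):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.1.15 10.0.1.20 445 allow
2017-06-27T10:00:02 10.0.1.15 10.0.1.21 445 allow
2017-06-27T10:00:02 10.0.1.15 10.0.1.22 139 allow
2017-06-27T10:00:03 10.0.1.15 10.0.1.23 135 allow
2017-06-27T10:00:04 10.0.1.15 10.0.1.24 445 allow
2017-06-27T10:00:05 10.0.1.15 10.0.1.25 445 allow
2017-06-27T10:00:07 10.0.1.15 10.0.1.26 80 allow
2017-06-27T10:00:30 10.0.1.40 10.0.1.5 445 allow
2017-06-27T10:05:00 10.0.1.40 10.0.1.6 445 allow
"""
LATERAL_PORTS = {135, 139, 445}  # the ports named in the report above
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, src, dst, port); skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, _action = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def find_fanout(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: set(dst)} for sources reaching >= threshold distinct hosts on
    SMB/RPC ports inside `window`. One workstation opening sessions to many peers
    within seconds is the spreading pattern above; window/threshold are assumed."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        if port in LATERAL_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                alerts[src] = targets
                break
    return alerts

if __name__ == "__main__":
    for src, targets in find_fanout(parse(SAMPLE_LOG)).items():
        print(f"ALERT {src} reached {len(targets)} hosts on 135/139/445")
```

Port 80 traffic and the slow, two-host activity of 10.0.1.40 are ignored; only 10.0.1.15, which reaches six peers on SMB/RPC ports in five seconds, is reported.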
The ransomware scans the computer's folders and encrypts most of the useful files and data. After encryption, it displays a message demanding that the user pay hundreds of dollars for decryption of the data. Victims have a specific amount of time to pay; if payment is not made by the deadline, the ransom increases.
CYMULATE POINT OF VIEW Organizations that tested their security and identified vulnerabilities through Cymulate were presented with mitigation procedures for other ransomware families, which also mitigated the vulnerability that this new threat used. Many organizations would have avoided the attack if they had used Cymulate, hence the importance of continuous testing, identification of vulnerabilities and mitigation. To test yourself today, visit our website, register and try our Immediate Threat sample of the NotPetya ransomware for free.