According to several sources, the Petya ransomware is back in a modified version and is infecting computer systems of enterprises, banks and power suppliers worldwide.
It is currently speculated that the modified Petya version (called PetyaWrap) uses the ETERNALBLUE exploit known from the WannaCry ransomware to spread across networks via an unpatched SMBv1 vulnerability.
Infections worldwide
The Russian news agency TASS reported (in English) that systems of companies in Russia and Ukraine are affected. This tweet carries the same message:
A new #WannaCry-like massive attack on Russian and Ukrainian #Critical #Infrastructure discovered. More countries expected #Petya #infosec pic.twitter.com/hRDPHKAC8R
— Group-IB (@GroupIB_GIB) 27 June 2017
The Hacker News wrote that companies, banks and energy suppliers in Russia, Ukraine, Spain, France, Britain, India and other countries are affected. The German Beiersdorf AG (Nivea) also appears to be a victim.
How PetyaWrap works
The ransomware reboots the computer and encrypts the Master File Table (MFT) of the accessible hard disks, locking access to the stored data. Then a ransom message is shown (see this tweet).
Huge Global #CyberAttack / #Ransomware spreading right now. It's a #Petya variant that spreads through SMB and #EternalBlue exploit. pic.twitter.com/fjP60jS6p9
— George Argyrakis (@gargyrakis) 27 June 2017
Antivirus vendor Avira confirms attacks by PetyaWrap using the ETERNALBLUE exploit:
The #Petya #ransomware is back using the #EternalBlue exploit – and our #Antivirus customers are protected! #infosec pic.twitter.com/fWap1rRLeA
— Avira (@Avira) 27 June 2017
Avira claims that its customers are protected. According to VirusTotal, only 16 of 61 AV products detect PetyaWrap. If the text:
"If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
is shown on your screen, the system is affected. The ransomware demands a ransom of 300 US dollars, payable in Bitcoin.
What to do?
First of all, install the patches provided by Microsoft to close the SMBv1 vulnerability used by the ETERNALBLUE exploit. Then check whether the AV solution used within your organisation detects PetyaWrap. And at least warn your users that the ransomware is spread via an e-mail campaign, probably as an attachment. Further details may be found in The Hacker News article.
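The first step above (make sure the SMBv1 hole ETERNALBLUE uses is closed) can be audited per host. The following PowerShell script is an added example and not part of the original post or of any vendor's tooling; it assumes it is run in an elevated session on the Windows host being checked. The KB numbers are the MS17-010 packages Microsoft published per Windows version; later cumulative updates supersede them, so an absent KB only means the host needs a closer look, not that it is unpatched. The cmdlets used (`Get-SmbServerConfiguration`, `Get-HotFix`, `Get-ItemProperty`) are standard Windows PowerShell cmdlets; `Get-SmbServerConfiguration` only exists on Windows 8 / Server 2012 and later, which is why the script falls back to the registry on older systems.

```powershell
# Added example (not from the original post): audit a Windows host for the
# two things the "What to do?" section asks for on the patching side:
# is SMBv1 still enabled, and is an MS17-010 package installed?

# MS17-010 packages as listed in Microsoft's bulletin, grouped by OS.
$ms17010Kbs = @(
    'KB4012598',               # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

# Registry location that controls the SMB1 server on Windows 7 / 2008 R2.
$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # Windows 8 / Server 2012 and later expose the server setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: SMB1 is on unless the SMB1 value exists and is 0.
    $value = (Get-ItemProperty -Path $lanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return $true }
    return ($value -ne 0)
}

function Get-Ms17010Status {
    # Return the MS17-010 KB ids present in the installed-hotfix list (may be empty).
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return @($ms17010Kbs | Where-Object { $installed -contains $_ })
}

$smb1Enabled = Get-Smb1Status
$patches     = Get-Ms17010Status

"Host:               $env:COMPUTERNAME"
"SMBv1 enabled:      $smb1Enabled"
if ($patches.Count -gt 0) {
    "MS17-010 KB found:  $($patches -join ', ')"
} else {
    "MS17-010 KB found:  none (check Windows Update history; a newer cumulative update may include the fix)"
}

if ($smb1Enabled) {
    Write-Warning "SMBv1 is enabled. Unless a legacy dependency requires it, disable it:"
    Write-Warning "  Windows 8 / Server 2012 and later: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
    Write-Warning "  Windows 7 / Server 2008 R2: Set-ItemProperty -Path '$lanmanParams' -Name SMB1 -Type DWORD -Value 0 -Force (then reboot)"
}
```

Run it on a handful of representative hosts (or push it through your management tooling) and treat any host that reports SMBv1 enabled with no MS17-010 package as the first to patch; disabling SMBv1 where nothing depends on it removes the spreading path regardless of patch state.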
https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/