Petya ransomware is back – using WannaCry vulnerabilties

[German]According to several sources, the Petya ransomware is back in a modified version, infecting worldwide heavily computer systems from enterprises, banks, and power supplies.


Currently it's speculated, that the modified Petya version (calles PetyaWrap) is using the ETERNALBLUE exploit known from WannaCryp ransomeware to spread over networks using an unpatched SMBv1 vulnerability.

Infections worldwide

Russian news agency TASS reported (English), that systems from companies in Russia and Ukraine are affected. This tweet contains the same message

The Hacker News wrote, that worldwide companies, banks, energy supplier in Russia, Ukraine, Spain, France, Britain, India and other countries are affected. German Beiersdorf AG (Nivea) seems also a victim.

How PetyaWrap works

The ransomware reboots the computer system and encrypts the Master File Table (MFT) of accessible hard disks, to lock access to the stored data. Then a message is shown (see this tweet).


Antivirus vendor AVIA confirms attacks from PetyaWrap using ETERNALBLUE exploit:

Avira claims that its customers are protected. According to Virus Total, only 16 of 61 AV products detects PetyaWrap. If the text:

"If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

is shown on your screen, the system is affected. The ransomware requests 300 US $ as bitcoins.

What to do?

First of all, install the patches provided by Microsoft, to close the SMBv1 vulnerability used by ETERNALBLUE exploit. Then check, whether the AV solution used within your organisation detects PetyaWrap. And at least warn your user, that ransomware is spread via an e-mail campaign – probably within an attachment. Further details may be found within The Hacker News article.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

One Response to Petya ransomware is back – using WannaCry vulnerabilties

Leave a Reply

Your email address will not be published. Required fields are marked *