{"id":3164,"date":"2017-06-27T18:11:23","date_gmt":"2017-06-27T16:11:23","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=3164"},"modified":"2021-07-31T22:48:34","modified_gmt":"2021-07-31T20:48:34","slug":"petya-ransomware-is-back-using-wannacry-vulnerabilties","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/06\/27\/petya-ransomware-is-back-using-wannacry-vulnerabilties\/","title":{"rendered":"Petya ransomware is back &ndash; using WannaCry vulnerabilities"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"http:\/\/www.borncity.com\/blog\/2017\/06\/27\/achtung-petya-ransomware-befllt-weltweit-system\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]According to several sources, the Petya ransomware is back in a modified version and is infecting computer systems of enterprises, banks and power utilities worldwide. <\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/ssl-vg03.met.vgwort.de\/na\/665b171baa5442249df144f52adbee84\" width=\"1\" height=\"1\">At the time of writing it is speculated that the modified Petya version (called PetyaWrap) uses the ETERNALBLUE exploit known from the WannaCry ransomware to spread across networks via the SMBv1 vulnerability that Microsoft patched in MS17-010; hosts that have not installed that update remain exposed. <\/p>\n<h2>Infections worldwide <\/h2>\n<p>The Russian news agency TASS <a href=\"https:\/\/web.archive.org\/web\/20201112005040\/https:\/\/tass.com\/world\/953528\" target=\"_blank\" rel=\"noopener\">reported<\/a> (in English) that systems of companies in Russia and Ukraine are affected. 
This <a href=\"https:\/\/twitter.com\/GroupIB_GIB\/status\/879687387235971073\" target=\"_blank\" rel=\"noopener\">tweet<\/a> carries the same message: <\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">A new <a href=\"https:\/\/twitter.com\/hashtag\/WannaCry?src=hash\">#WannaCry<\/a>-like massive attack on Russian and Ukrainian <a href=\"https:\/\/twitter.com\/hashtag\/Critical?src=hash\">#Critical<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Infrastructue?src=hash\">#Infrastructue<\/a> discovered. More countries expected <a href=\"https:\/\/twitter.com\/hashtag\/Petya?src=hash\">#Petya<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash\">#infosec<\/a> <a href=\"https:\/\/t.co\/hRDPHKAC8R\">pic.twitter.com\/hRDPHKAC8R<\/a><\/p>\n<p>\u2014 Group-IB (@GroupIB_GIB) <a href=\"https:\/\/twitter.com\/GroupIB_GIB\/status\/879687387235971073\">27 June 2017<\/a><\/p><\/blockquote>\n<p><span id=\"preserve433c731b8bbc4461ac514df416e2334c\" class=\"wlWriterPreserve\"><SCRIPT charset=\"utf-8\" src=\"\/\/platform.twitter.com\/widgets.js\" async><\/SCRIPT><\/span> <\/p>\n<p><a href=\"http:\/\/thehackernews.com\/2017\/06\/petya-ransomware-attack.html\" target=\"_blank\" rel=\"noopener\">The Hacker News<\/a> wrote that companies, banks and energy suppliers in Russia, Ukraine, Spain, France, Britain, India and other countries are affected. The German company Beiersdorf AG (Nivea) also appears to be a victim. <\/p>\n<h2>How PetyaWrap works<\/h2>\n<p>The ransomware forces a reboot of the computer and then encrypts the Master File Table (MFT) of the accessible hard disks, so that the files stored on them can no longer be located or opened. 
Then a message is shown (see this <a href=\"https:\/\/twitter.com\/gargyrakis\/status\/879720118493818880\" target=\"_blank\" rel=\"noopener\">tweet<\/a>).<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">Huge Global <a href=\"https:\/\/twitter.com\/hashtag\/CyberAttack?src=hash\">#CyberAttack<\/a> \/ <a href=\"https:\/\/twitter.com\/hashtag\/Ransomware?src=hash\">#Ransomware<\/a> spreading right now. It's a <a href=\"https:\/\/twitter.com\/hashtag\/Petya?src=hash\">#Petya<\/a> variant that spreads through SMB and <a href=\"https:\/\/twitter.com\/hashtag\/EternalBlue?src=hash\">#EternalBlue<\/a> exploit. <a href=\"https:\/\/t.co\/fjP60jS6p9\">pic.twitter.com\/fjP60jS6p9<\/a><\/p>\n<p>\u2014 George Argyrakis (@gargyrakis) <a href=\"https:\/\/twitter.com\/gargyrakis\/status\/879720118493818880\">27 June 2017<\/a><\/p><\/blockquote>\n<p><span id=\"preservede5c39d934374095a8731ab2c0f7c0d0\" class=\"wlWriterPreserve\"><SCRIPT charset=\"utf-8\" src=\"\/\/platform.twitter.com\/widgets.js\" async><\/SCRIPT><\/span> <\/p>\n<p>Antivirus vendor Avira <a href=\"https:\/\/twitter.com\/Avira\/status\/879696783047352320\" target=\"_blank\" rel=\"noopener\">confirms<\/a> attacks by PetyaWrap using the ETERNALBLUE exploit:<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">The <a href=\"https:\/\/twitter.com\/hashtag\/Petya?src=hash\">#Petya<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash\">#ransomware<\/a> is back using the <a href=\"https:\/\/twitter.com\/hashtag\/EternalBlue?src=hash\">#EternalBlue<\/a> exploit &#8211; and our <a href=\"https:\/\/twitter.com\/hashtag\/Antivirus?src=hash\">#Antivirus<\/a> customers are protected! <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash\">#infosec<\/a> <a href=\"https:\/\/t.co\/fWap1rRLeA\">pic.twitter.com\/fWap1rRLeA<\/a><\/p>\n<p>\u2014 Avira (@Avira) <a href=\"https:\/\/twitter.com\/Avira\/status\/879696783047352320\">27 June 2017<\/a><\/p><\/blockquote>\n<p><span id=\"preserve284ff1ac244a492886bf7387802c7d19\" class=\"wlWriterPreserve\"><SCRIPT charset=\"utf-8\" src=\"\/\/platform.twitter.com\/widgets.js\" async><\/SCRIPT><\/span> <\/p>\n<p>Avira claims that its customers are protected. According to <a href=\"https:\/\/virustotal.com\/fr\/file\/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\/analysis\/\" target=\"_blank\" rel=\"noopener\">VirusTotal<\/a>, however, only 16 of 61 AV engines detected the PetyaWrap sample at the time of writing, so do not rely on a single vendor's claim. If the text:<\/p>\n<blockquote>\n<p>\"If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service.\"<\/p>\n<\/blockquote>\n<p>is shown on your screen, the system is infected. The ransomware demands a ransom of US $300 in bitcoin. <\/p>\n<h2>What to do?<\/h2>\n<p>First of all, install the Microsoft patches for MS17-010, which close the SMBv1 vulnerability used by the ETERNALBLUE exploit, and disable SMBv1 on systems that do not need it. Then check whether the AV solution used in your organisation detects PetyaWrap. Finally, warn your users that the ransomware is also reported to be spread via an e-mail campaign, probably as an attachment. Further details may be found in the <a href=\"http:\/\/thehackernews.com\/2017\/06\/petya-ransomware-attack.html\" target=\"_blank\" rel=\"noopener\">The Hacker News<\/a> article. 
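<\/p>
<p>The checks behind the first step above (and behind the SMBv1 spreading mechanism described at the top of the post), as an added example that is not part of the original post: a PowerShell script that reports whether one of the MS17-010 updates is installed and whether SMBv1 is still enabled on the server and client side of a Windows host, and optionally disables SMBv1. The KB numbers, the registry locations and the sc.exe dependency string are assumptions taken from Microsoft's MS17-010 bulletin and SMBv1 guidance as I know them, not from the post; a later monthly rollup or cumulative update supersedes the listed KBs, so an absent KB is a warning to investigate, not proof that the host is unpatched.<\/p>

```powershell
# Added example (not from the original post): audit a Windows host for the
# conditions PetyaWrap needs to spread (SMBv1 on, MS17-010 missing) and
# optionally remediate. Run in an elevated PowerShell session.
# Assumption: the KB ids below are the March 2017 MS17-010 updates for the
# common Windows versions of that time; verify against the bulletin for
# your exact build, since later cumulative updates supersede them.
param(
    [switch]$DisableSmb1   # pass -DisableSmb1 to actually turn SMBv1 off
)

$ms17010Kbs = @(
    'KB4012598',                            # XP, Server 2003, Vista, Server 2008
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

# Registry provider paths; PowerShell accepts forward slashes as separators.
$srvParams = 'HKLM:/SYSTEM/CurrentControlSet/Services/LanmanServer/Parameters'
$smb1Drv   = 'HKLM:/SYSTEM/CurrentControlSet/Services/mrxsmb10'

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by KB id (Win32_QuickFixEngineering).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($installed | Where-Object { $ms17010Kbs -contains $_ })
    [pscustomobject]@{
        Ms17010Kb = ($hits -join ',')
        Installed = ($hits.Count -gt 0)
    }
}

function Get-Smb1State {
    # Server side: SMB1 DWORD under LanmanServer/Parameters (missing or 1 = on).
    $reg = Get-ItemProperty -Path $srvParams -Name SMB1 -ErrorAction SilentlyContinue
    $serverEnabled = if ($null -eq $reg) { $true } else { [int]$reg.SMB1 -ne 0 }
    # Windows 8 / Server 2012 and later expose the same setting as a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverEnabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Client side: the SMB1 redirector driver mrxsmb10 (Start = 4 means disabled).
    $svc = Get-ItemProperty -Path $smb1Drv -Name Start -ErrorAction SilentlyContinue
    $clientEnabled = ($null -eq $svc) -or ([int]$svc.Start -ne 4)
    [pscustomobject]@{ ServerSmb1 = $serverEnabled; ClientSmb1 = $clientEnabled }
}

function Disable-Smb1 {
    # Server: turn the protocol off; cmdlet where available, registry otherwise.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $srvParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client: remove mrxsmb10 from the workstation dependencies and disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$patch = Test-Ms17010Installed
$smb   = Get-Smb1State
$patch, $smb | Format-List

if ($DisableSmb1 -and ($smb.ServerSmb1 -or $smb.ClientSmb1)) {
    Disable-Smb1
    Write-Output 'SMBv1 disabled; reboot to unload the client driver.'
} elseif (-not $patch.Installed -or $smb.ServerSmb1) {
    Write-Warning 'Host is exposed to ETERNALBLUE-style SMBv1 attacks; patch and disable SMBv1.'
}
```

<p>Without -DisableSmb1 the script only reports. The server-side change takes effect immediately and cuts off clients that only speak SMBv1 (old NAS boxes, printers, Windows XP), so check who still needs it first; the client-side change needs a reboot. 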
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]According to several sources, the Petya ransomware is back in a modified version, infecting worldwide heavily computer systems from enterprises, banks, and power supplies.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[549,243,194],"class_list":["post-3164","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-petya","tag-ransomware","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/3164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=3164"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/3164\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=3164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=3164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=3164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}