Editor’s note: Sophos customers can follow the technical updates in this Knowledge Base Article, which includes a list of the variants we’re detecting and blocking. This article will also be updated as new details emerge.
SophosLabs has determined that new variants of Petya ransomware (also known as GoldenEye) are behind the massive online outbreak that spread across Europe, Russia, Ukraine and elsewhere today. Others in the security industry are calling it PetrWrap.
What makes the new threat different is that it now includes the EternalBlue exploit as a way to propagate inside a targeted network. The exploit attacks the Windows Server Message Block (SMB) service, which is used to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin in March, but the exploit proved instrumental in last month’s spread of WannaCry.
Petya also attempts to spread internally by breaking admin passwords and infecting other PCs on the network using remote admin tools. It can also spread internally by infecting network shares on other computers.
It does so by running credential-stealing code to break user account passwords and deploy ransomware. To infect remote computers, it comes bundled with a legitimate remote admin tool called PsExec from Microsoft’s SysInternals suite.
Sophos protection
Customers using Sophos Endpoint Protection are protected against all the recent variants of this ransomware. We first issued protection on June 27th at 13:50 UTC and have provided several updates since then to further protect against possible future variants.
In addition, customers using Sophos Intercept X were proactively protected with no data encrypted from the moment this new ransomware variant appeared.
Further to that, customers may choose to restrict the use of PsExec and other dual-use administrative tools on their network. Sophos Endpoint Protection provides PUA detection for psexec and other remote administration programs that don’t need to be available on every PC and to every user.
Defensive measures
Here’s what we urge you to do right now:
- Ensure systems have the latest patches, including the one in Microsoft’s MS17-010 bulletin.
- Consider blocking the Microsoft PsExec tool from running on users’ computers. A version of this tool is used as part of another technique used by Petya to spread automatically. You can block it using a product such as Sophos Endpoint Protection.
- Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
- Avoid opening attachments in emails from recipients you don’t know, even if you work in HR or accounts and you use attachments a lot in your job.
- Download the free trial of Sophos Intercept X and, for home (non-business) users, register for the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorized encryption of files and sectors on your hard disk.
To avoid cyberattacks that sneak in via email, see:
- To defend against ransomware in general, see our article How to stay protected against ransomware
- To get a better understanding of phishing, read our explainer article
- To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad
- To protect against misleading filenames, tell Explorer to show file extensions
- To learn more about ransomware, listen to our Techknow podcast
- To protect your friends and family against ransomware, try our free Sophos Home for Windows and Mac