Alert

Petya Ransomware Global Outbreak

Updated

A new version of ransomware dubbed Petya has been infecting computers globally and is causing numerous organizations to stop operations. Petya uses the same SMB EternalBlue exploit used by WannaCry, however it uses additional infection techniques such as document phishing attacks and is much more disruptive. In addition to encrypting files, it encrypts the Master File Table (MFT), the structure used by the Operating System to identify the location of files and directories, as well as overwrites the Master Boot Record (MBR) with a custom built one. The new MBR instead of booting into Windows, now boots to a ransom request screen, which cannot be bypassed, and reinstalling the MBR will not help as the files and the MFT are encrypted. Unlike WannaCry, there is no kill switch to disable it and there are currently no decryption tools available.

Due to the impact caused by EternalBlue, Microsoft previously released patches not only for supported Operating Systems (OSs) but also for non-supported OSs such as XP, 2003 and 8. If you have not already applied the patches, the IT Security Office strongly encourages you to do so; for patch guidance visit https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/.