A massive ransomware attack has hit businesses around the world, causing major companies to shut down their computer systems. Researchers are still investigating the software behind the attack, warning that it's more sophisticated than the WannaCry worm that struck hundreds of thousands of computers across the globe last month.
Similar to WannaCry, many of the alleged attacks involve a piece of ransomware that displays red text on a black background and demands $300 in bitcoin. It reads, "If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
This strain of ransomware is believed to be Petya or Petrwrap, a highly sophisticated Russian strain, without the errors that WannaCry contained, and with no kill switch. The Petya attacks are believed to have taken advantage of the EternalBlue exploit previously leaked by a group known as The Shadow Brokers. EternalBlue is the same exploit used in the WannaCry attacks; it takes advantage of a flaw in Microsoft Windows. Although Microsoft released a patch for the flaw in March, not all companies have updated their systems with this patch, and those that have not are vulnerable to Petya's infection.
If You Have Not Done So Yet, Apply This Patch Immediately.
From what we have been able to learn, this new worm spreads through small and midsize businesses just like WannaCry. Machines behind firewalls are affected when an at-risk host is listening for inbound connections. It would only take one infected machine behind the firewall to put all other workstations and servers at risk. Worms are meant to replicate themselves in order to move from computer to computer on the same server; therefore, it is important to block inbound connections on TCP port 445.
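One way to carry out the TCP 445 step on a Windows workstation, as an added example that is not part of the original post: it reports whether the host is listening on 445, lists the enabled inbound allow rules that name the port, and adds a block rule. The rule name is a made-up label, and the script assumes an elevated PowerShell session on a machine that does not need to serve file shares.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and block inbound SMB (TCP 445) on a Windows workstation.
# Assumption: this host does not serve file shares. File servers and domain
# controllers need 445 reachable from their clients, so restrict the port at
# the network edge and between segments there instead of blocking it locally.

$RuleName = 'Block inbound SMB TCP 445 (example)'   # hypothetical label

# 1. Is anything on this host listening on TCP 445?
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    Write-Output "Listening on TCP 445: $($listeners.LocalAddress -join ', ')"
} else {
    Write-Output 'Nothing is listening on TCP 445.'
}

# 2. Which enabled inbound allow rules explicitly name port 445?
#    Rules that use a port range or 'Any' are not matched by this simple check.
$allowing = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains '445'
    }
Write-Output "Inbound allow rules naming TCP 445: $(@($allowing).Count)"
$allowing | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 3. Add the block rule once. In Windows Firewall a block rule takes
#    precedence over the allow rules listed above.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Action Block -Profile Any | Out-Null
    Write-Output "Created rule: $RuleName"
} else {
    Write-Output "Rule already present: $RuleName"
}

# 4. Confirm the rule exists and is enabled.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

To undo the change, run `Remove-NetFirewallRule -DisplayName 'Block inbound SMB TCP 445 (example)'`.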
In the meantime, harden your systems against this Windows Network Share vulnerability, ensure that all systems are fully patched with the "MS17-010" security update (link below), and remind all staff to Think Before They Click when they receive any out-of-the-ordinary emails.
Read our blog on WannaCry ransomware here for tips to prevent becoming a victim of ransomware, and what to do if your computer becomes infected!