A new ransomware outbreak has been rapidly propagating across computer networks globally, starting this afternoon (UTC), June 27. Before explaining the details of this latest outbreak, rest assured that CylancePROTECT® customers are fully protected from this threat, and have been since October 14, 2015, with our 1310 model release.
The new Petya-like attack demonstrates the benefit of our temporal predictive advantage, which enables CylancePROTECT to block this new ransomware threat without an update.
UPDATE 7/11/17: Read our Threat Guidance team’s latest ‘deep dive’ into Petya-like here.
UPDATE 8/15/17: For more information on the exploit used in WannaCry and Petya-Like, read our latest update on EternalPulsar here.
Watch Cylance protect against this new Petya-like ransomware:
VIDEO: Cylance vs. Petya-like Ransomware
The Petya-like ransomware exploits the same SMB vulnerability as WannaCry (EternalBlue), which ravaged systems globally back in May 2017. Mimicking WannaCry in its propagation, this malware exhibits the same worm-like capability (via Windows SMBv1 sharing) to spread itself remotely with no user interaction needed. In addition, it leverages password-dumping capabilities to gather credentials, and PsExec to remotely run WMIC, exploiting the inherent trust inside corporate networks to spread laterally within those environments.
The multitude of spreading mechanisms makes this ransomware far more versatile in propagating than WannaCry, with the ability to infect remote systems already patched against the MS17-010 vulnerability. Importantly, this attack lacks the remote kill switch that significantly limited the impact and spread of WannaCry.
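The lateral-movement behaviours described above (PsExec and remote WMIC execution) leave traces in standard Windows event logs that a defender can hunt for: PsExec installs a service named PSEXESVC (System log, event ID 7045, "A service was installed in the system"), and a WMIC invocation with `/node:` targeting another host plus `process call create` shows up in process-creation auditing (Security log, event ID 4688). The script below is an added example written for this post, not Cylance's code or detection logic; it assumes a simplified, constructed `event_id|host|message` export format, and every host name, user name and command line in the sample lines is made up for the example.

```python
"""Hunt for PsExec service installs and remote WMIC execution in
Windows event-log style lines (added example; log lines are constructed)."""
import re
from dataclasses import dataclass

# Constructed sample export (not real telemetry): "event_id|host|message".
SAMPLE_LOG = """\
7045|WS-FIN-07|A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe
4688|WS-FIN-07|A new process has been created. New Process Name: C:\\Windows\\System32\\wbem\\WMIC.exe Process Command Line: wmic /node:"WS-HR-02" /user:"CORP\\admin" process call create "cmd.exe /c example_payload.bat"
4688|WS-FIN-07|A new process has been created. New Process Name: C:\\Windows\\System32\\notepad.exe Process Command Line: notepad.exe report.txt
7045|DC-01|A service was installed in the system. Service Name: BackupAgent Service File Name: C:\\Program Files\\Backup\\agent.exe
4688|WS-HR-02|A new process has been created. New Process Name: C:\\Windows\\System32\\wbem\\WMIC.exe Process Command Line: wmic os get caption
"""


@dataclass(frozen=True)
class Finding:
    host: str        # machine on which the event was recorded (the source of the move)
    technique: str   # short label for the behaviour observed
    evidence: str    # human-readable detail for the analyst


# Event 7045 records a newly installed service; PsExec registers PSEXESVC.
PSEXEC_SERVICE = re.compile(r"Service Name:\s*PSEXESVC\b", re.IGNORECASE)

# Event 4688 records process creation. A WMIC command line that names a
# remote node AND asks for "process call create" is remote code execution;
# local inventory queries such as "wmic os get caption" must not match.
WMIC_REMOTE = re.compile(
    r'wmic(?:\.exe)?\b.*?/node:\s*"?(?P<target>[\w.-]+)"?.*?process\s+call\s+create',
    re.IGNORECASE,
)


def parse_line(line):
    """Split 'event_id|host|message' into (event_id, host, message); None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    event_id, host, message = parts
    return int(event_id), host, message


def scan(log_text):
    """Return a Finding for every line matching one of the two behaviours."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        event_id, host, message = parsed
        if event_id == 7045 and PSEXEC_SERVICE.search(message):
            findings.append(Finding(host, "psexec_service_install",
                                    "PSEXESVC service installed"))
        elif event_id == 4688:
            match = WMIC_REMOTE.search(message)
            if match:
                findings.append(Finding(host, "wmic_remote_exec",
                                        f"WMIC process call create against {match.group('target')}"))
    return findings


def techniques_by_host(findings):
    """Group observed techniques per source host; a host showing several is a strong signal."""
    by_host = {}
    for finding in findings:
        by_host.setdefault(finding.host, set()).add(finding.technique)
    return by_host


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.host:10} {finding.technique:24} {finding.evidence}")
    print(techniques_by_host(scan(SAMPLE_LOG)))
```

Run against the constructed sample, the scan flags only WS-FIN-07, once for the PSEXESVC install and once for the WMIC call aimed at WS-HR-02; the legitimate service install on DC-01 and the local `wmic os get caption` query are left alone. In a real environment the same two checks apply to the System and Security channels directly (via a SIEM or `wevtutil` export), and a host showing both techniques in a short window is the pattern to escalate on first.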
How is This Petya Variant Delivered?
EDITOR’S NOTE: While the attack vector remains an open question, we have confirmed that the malware contains multiple mechanisms to propagate. Our initial reporting suggested a phishing attack and was largely based on an RTF document leveraging CVE-2017-0199 linked in related analysis. Since then, we’ve analyzed this (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog