Update: We've discovered a vaccination that disables the NotPetya ransomware.
Ransomware with functionality that’s similar to Petya ransomware has infected organizations across Europe, bringing business to a standstill. Ukraine businesses have so far beared the brunt of the attack. Supermarkets, gas stations and banks in the country along with its public transportation system and major telecommunications provider reported that their systems have been compromised. Like the WannaCry attack, this ransomware supposedly uses the EternalBlue exploit to spread.
Other affected organizations include British advertising agency WPP, Danish shipping company Maersk and Russian oil company Rosneft. The infection began Tuesday morning as European workers arrived at the office and turned on their computers and is believed to be spreading west as the day progresses.
After infecting systems, the ransomware demands $300 in bitcoin. As of 2:30 p.m. EST, blockchain records show that 27 transactions have been made to the target wallet, totaling $6,820.
The attack shares some of the functionality of the Petya ransomware family, but cannot be conclusively tied to that family or campaign as of yet.
Below are action steps the Cybereason Intelligence Team recommends for prevention and mitigation:
Add the following hashes to your blacklist, and if the prevention driver is installed, mark them for prevention.
If you are not using SysInternals’ PSExec as an administrative tool in your environment, consider blacklisting the hash of the psexec version that is used in the attack:
Add the following IPs and domains to your firewalls and other network control measures (inbound and outbound):
Block SMBv1 across your organization to prevent lateral movement. Block SMB traffic from the internet to your internal network ranges.
Patch all Windows distributions against the EternalBlue exploit (Patch MS17-010).
Install an MBR filter by TalosIntelligenceNote: this tool is not officially supported or endorsed by cybereason; liability remains with the user.
Instruct users that if the machine suddenly and inexplicably restarts - shut it down immediately and don't restart it. IT Support Teams can restore the original MBR using a Windows boot disk to prevent encryption of files if the machine is powered off quickly enough.
Turn on secure boot when applicable (mostly laptops)