Over the last 24 hours, a ransomware dubbed Petya has been rapidly spreading throughout Europe, infecting airlines, financial institutions and utilities. Just one month after the massive WannaCry attack that impacted hundreds of thousands of machines and crippled organizations from banks to law enforcement, Petya appears to be causing similar global havoc.
Reminiscent of its predecessor, this latest strain of ransomware seems to be using previously observed SMB exploits. EternalBlue, an exploit released in April by The Shadow Brokers group and believed to have been developed by the NSA, along with other exploits, gives attackers the ability to spread laterally throughout networks. While details are still emerging, there have been reports of Petya also using the Windows Management Instrumentation Command-Line (WMIC) tool to spread laterally, a tactical advantage for unwanted network visitors.
This might look like a WannaCry copycat, but it has the potential to be far more devastating. Petya encrypts entire hard disks rather than individual files, which for all intents and purposes leaves the machine completely unusable. While the initial infection vector is primarily reported to be a targeted phishing attack that relies on an end user executing a binary file, there have been some unconfirmed reports of EternalBlue serving as an infection vector as well.
As of right now, very few anti-virus/anti-malware suites detect this variant as malicious, giving perpetrators ample dwell time in a vulnerable system. The worst thing you can give a hacker is unfettered access and time – unfortunately, Petya provides both.