Source: Sophos Naked Security
Editor’s note: Sophos customers can follow the technical updates in this Knowledge Base Article, which includes a list of the variants we’re detecting and blocking. This article will also be updated as new details emerge.
SophosLabs has determined that new variants of Petya ransomware (also known as GoldenEye) are behind the massive online outbreak that spread across Europe, Russia, Ukraine and elsewhere today. Others in the security industry are calling it PetrWrap.
What makes the new threat different is that it now includes the EternalBlue exploit as a way to propagate inside a targeted network. The exploit attacks the Windows Server Message Block (SMB) service, which is used to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin in March, but the exploit proved instrumental in last month’s spread of WannaCry.
Petya also attempts to spread internally by breaking admin passwords and then infecting other PCs on the network with remote admin tools, and by infecting network shares on other computers.
It does this by running credential-stealing code to recover user account passwords, then using those credentials to deploy the ransomware on remote machines. To infect remote computers, it comes bundled with PsExec, a legitimate remote administration tool from Microsoft’s Sysinternals suite.
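The PsExec-based lateral movement described above leaves a recognisable trace on the target host: PsExec copies its service binary over the ADMIN$ share and installs it as a service named PSEXESVC, which Windows records as a Security event 5140 (network share accessed) and a Service Control Manager event 7045 (service installed). The Python below is an added example, not code from Sophos or from the article: it flags those two events and the worm-like fan-out of one source address reaching ADMIN$ on many hosts. The event records are constructed, simplified dicts standing in for exported log entries, and the fan-out threshold is an assumed tuning value. It does not cover the EternalBlue SMB exploitation path, which needs no credentials and no service install.

```python
"""Flag PsExec-style lateral movement in exported Windows event records.

Added example, not from the Sophos article. Events are assumed to have been
exported to flat dicts with the fields used below; real exports (EVTX, SIEM)
will need a small mapping step.
"""
import ntpath
from collections import defaultdict

# Constructed sample events (not real telemetry): one source, 10.0.0.5,
# touches ADMIN$ on three hosts and PSEXESVC appears on two of them.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 5140, "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "user": "CORP\\admin"},
    {"host": "WS01", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS02", "event_id": 7045, "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"host": "WS03", "event_id": 5140, "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "user": "CORP\\admin"},
    {"host": "WS03", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS04", "event_id": 5140, "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "user": "CORP\\admin"},
    {"host": "WS05", "event_id": 5140, "src_ip": "10.0.0.9", "share": "\\\\*\\Finance", "user": "CORP\\alice"},
    {"host": "WS06", "event_id": 5140, "src_ip": "10.0.0.9", "share": "\\\\*\\ADMIN$", "user": "CORP\\helpdesk"},
]


def _image_basename(path):
    # 7045 image paths are Windows paths, sometimes quoted; ntpath handles backslashes on any OS.
    return ntpath.basename(path.strip('"')).lower()


def is_psexec_service_install(event):
    """True for a 7045 event whose service name or binary matches PsExec's default PSEXESVC."""
    if event.get("event_id") != 7045:
        return False
    name = event.get("service_name", "").upper()
    image = _image_basename(event.get("image_path", ""))
    return name == "PSEXESVC" or image.startswith("psexesvc")


def is_admin_share_access(event):
    """True for a 5140 event against the ADMIN$ share (the path PsExec uses to drop its service)."""
    if event.get("event_id") != 5140:
        return False
    return event.get("share", "").upper().endswith("ADMIN$")


def find_lateral_movement(events, fan_out_threshold=3):
    """Correlate ADMIN$ access and PSEXESVC installs across hosts.

    fan_out_threshold (assumed value) is how many distinct hosts one source
    may reach on ADMIN$ before it is reported; a worm hits many quickly.
    """
    psexec_hosts = set()
    admin_share_hosts = set()
    hosts_by_source = defaultdict(set)
    for ev in events:
        if is_psexec_service_install(ev):
            psexec_hosts.add(ev["host"])
        elif is_admin_share_access(ev):
            hosts_by_source[ev["src_ip"]].add(ev["host"])
            admin_share_hosts.add(ev["host"])
    fan_out = {src: len(hosts) for src, hosts in hosts_by_source.items()}
    return {
        "psexec_hosts": sorted(psexec_hosts),
        "admin_share_fan_out": fan_out,
        "suspicious_sources": sorted(s for s, n in fan_out.items() if n >= fan_out_threshold),
        "psexec_after_admin_share": sorted(psexec_hosts & admin_share_hosts),
    }


if __name__ == "__main__":
    for key, value in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The service-name match only catches the default PSEXESVC name; a bundled copy can be launched under another name, so treat the ADMIN$ fan-out count as the more durable signal and tune the threshold against your own baseline of legitimate admin activity. Both event types must be enabled to be useful: 5140 requires the File Share audit subcategory, while 7045 is logged by default in the System log.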