On the heels of the recent WannaCry attack, Europe has been hit with a new ransomware variant known as Petya. Ukraine reported ransom demands targeting the government and key infrastructure, and the Danish Maersk conglomerate said many of its systems were down.
This ransomware uses both social engineering via email to download the malicious file, either as a ZIP or PDF. It looks to exploit a vulnerability in Microsoft Office when handling RTF documents (CVE-2017-0199). It also looks to utilize the same vulnerability as WannaCry in the SMBv1 file sharing protocol (Microsoft security bulletin MS17-010). Note there is NO KILL SWITCH implemented in this new ransomware, so it has clearly evolved since the WannaCry attack.
This ransomware is an evolution of the original Petya malware from 2015 which modifies the Master Boot Record (MBR). Unlike the original version this edition has been modified to exploit the new vulnerabilities in SMBv1 and encrypts all files rather than just the MBR in the original.
How to protect yourself
If you have not done so, you should install the MS17-010 patch from Microsoft.
Researchers have also found a way to vaccinate your computer from the ransomware by creating a readonly directory and files on your machine. Use the following commands when running the command prompt as administrator:
attrib +R C:\Windows\perfc
attrib +R C:\Windows\perfc.dll
attrib +R C:\Windows\perfc.dat
Once these files have been created the encryption will no longer run.
More details of this attack will be updated as they are discovered.