Petya Ransomware

Last week saw the emergence of yet another ransomware outbreak, this one built on the Petya family. It began on Tuesday, June 27, 2017, showing up in Ukraine and quickly spreading across Europe on a scale initially thought to be comparable to the recent WannaCry outbreak.

It all started with M.E.Doc, a Ukrainian accounting program that was the point of origin for the infection. Attackers compromised the vendor's update mechanism and pushed a trojanized update to users of the program, so the first wave of the campaign arrived looking like a routine software update rather than a phishing email or an exposed service.

The rapid spread of Petya was due in large part to a frighteningly effective combination of two lateral-movement techniques: the "EternalBlue" SMBv1 exploit (also used recently by WannaCryptor) to take over unpatched machines on the local network, and PsExec, run with administrator credentials stolen from memory on the infected machine, to reach machines that were fully patched. So once a computer pulled the trojanized M.E.Doc update, the ransomware took it over and then spread to any other reachable device on the same network, patched or not, as long as it could exploit it or log in to it.
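The PsExec leg of that chain leaves a recognisable trail in Windows event logs: PsExec copies a service binary to the target's ADMIN$ share and installs it (System log, Event ID 7045, default service name PSEXESVC), and the push is preceded by a network logon to the target (Security log, Event ID 4624, logon type 3) whose IpAddress field names the machine doing the pushing. A worm authenticates to many peers within minutes; an administrator rarely does. The script below is an added example, not code from the original post or from any vendor, that runs that detection logic over a constructed set of event records. The hostnames, IP addresses, user names and timestamps are invented, and the thresholds are assumptions to tune for your own environment.

```python
"""
Hunt the PsExec leg of a Petya/NotPetya-style outbreak in Windows event logs.

Added example with constructed data. Two signals on each target:
  * Event ID 4624, logon type 3 (network logon), with the source IP of the
    machine that authenticated to it.
  * Event ID 7045 ("A service was installed"), because PsExec installs a
    service, by default named PSEXESVC, to run its payload.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_SERVICE = "PSEXESVC"           # PsExec's default service name
PAIR_WINDOW = timedelta(seconds=60)   # assumption: max logon-to-install gap
FANOUT_THRESHOLD = 5                  # assumption: distinct targets per source...
FANOUT_WINDOW = timedelta(minutes=5)  # ...inside this sliding window

# Constructed records; keys mirror the fields of the real events they stand for.
SAMPLE_EVENTS = [
    # Benign: helpdesk RDP logon (type 10) and an unrelated service install.
    {"time": "2017-06-27T10:45:00", "host": "fs-01", "event_id": 4624,
     "src_ip": "10.0.1.2", "user": "helpdesk", "logon_type": 10},
    {"time": "2017-06-27T10:50:00", "host": "fs-01", "event_id": 7045,
     "service": "BackupAgent", "image_path": r"C:\Program Files\Backup\agent.exe"},
    # Benign: a single network logon from the helpdesk workstation.
    {"time": "2017-06-27T10:58:00", "host": "acct-09", "event_id": 4624,
     "src_ip": "10.0.1.2", "user": "helpdesk", "logon_type": 3},
]

# Worm fan-out (constructed): the patient-zero host 10.0.5.17 logs on with a
# stolen admin account to five peers in under two minutes and installs
# PSEXESVC on each one a second later.
for i, seconds in enumerate((5, 20, 41, 63, 90), start=2):
    logon_time = datetime(2017, 6, 27, 11, 0, 0) + timedelta(seconds=seconds)
    target = f"acct-{i:02d}"
    SAMPLE_EVENTS.append({"time": logon_time.isoformat(), "host": target, "event_id": 4624,
                          "src_ip": "10.0.5.17", "user": "corp-admin", "logon_type": 3})
    SAMPLE_EVENTS.append({"time": (logon_time + timedelta(seconds=1)).isoformat(),
                          "host": target, "event_id": 7045, "service": "PSEXESVC",
                          "image_path": r"C:\Windows\PSEXESVC.exe"})


def _when(event):
    return datetime.fromisoformat(event["time"])


def network_logons(events):
    """(time, host, src_ip, user) for every network (type 3) logon."""
    return [(_when(e), e["host"], e["src_ip"], e["user"])
            for e in events if e["event_id"] == 4624 and e["logon_type"] == 3]


def psexec_installs(events):
    """(time, host) for every service install named like PsExec's default."""
    return [(_when(e), e["host"]) for e in events
            if e["event_id"] == 7045 and e["service"].upper() == PSEXEC_SERVICE]


def attribute_psexec(events, window=PAIR_WINDOW):
    """Pair each PSEXESVC install with the latest network logon to the same
    host inside `window`; that logon's source is the machine doing the push.
    Returns a list of {"time", "src", "dst", "user"} dicts in event order."""
    logons = network_logons(events)
    moves = []
    for install_time, host in psexec_installs(events):
        candidates = [l for l in logons
                      if l[1] == host and timedelta(0) <= install_time - l[0] <= window]
        if candidates:
            _, _, src, user = max(candidates)
            moves.append({"time": install_time.isoformat(), "src": src,
                          "dst": host, "user": user})
    return moves


def fanout_sources(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Sources whose network logons reach >= threshold distinct hosts within a
    sliding window. Returns {src_ip: sorted target hosts} for flagged sources."""
    by_src = defaultdict(list)
    for t, host, src, _ in network_logons(events):
        by_src[src].append((t, host))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {h for t, h in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                flagged[src] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for m in attribute_psexec(SAMPLE_EVENTS):
        print(f"{m['time']}  PsExec push {m['src']} -> {m['dst']} as {m['user']}")
    for src, targets in fanout_sources(SAMPLE_EVENTS).items():
        print(f"fan-out from {src}: {len(targets)} hosts {targets}")
```

Two caveats. The fan-out rule is deliberately the stronger signal: an attacker can rename the PsExec service, but cannot avoid the logon events that credentialed lateral movement produces. And this only catches the PsExec leg; the EternalBlue leg needs no credentials and produces no such logon, so it is better caught by patch state, SMBv1 being disabled, or network telemetry on TCP 445.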

Every machine it reached then had its files encrypted and, where the malware had administrator rights, its master boot record overwritten so that the machine would no longer boot. People's computers were effectively turned into bricks. They weren't usable.

With M.E.Doc as the source, it is no wonder that Ukraine was affected the most. The software is incredibly popular in Ukraine, used by roughly 80% of Ukrainian companies across numerous industries, but it is not much used outside of the country. The ransomware did spread to other European countries like Germany and Poland, and to multinationals with offices in Ukraine, but the impact outside Europe was far smaller.

At this point in time the ransomware has been largely contained. The SMB flaw that EternalBlue exploits had already been patched by Microsoft in March 2017 (MS17-010); the machines that fell were the ones that had not applied it, or that the worm could log in to with stolen credentials. The danger from Petya and ransomware in general is still there and always will be, but this specific outbreak is over.

How to stay protected against future outbreaks:

  • Use reputable antimalware protection software and keep it up to date
  • Make sure that you always have all of the current Windows patches and updates installed to address any system vulnerabilities; MS17-010 in particular closes the hole EternalBlue uses
  • Disable SMBv1 where you can, and do not let TCP port 445 be reachable from the internet or freely between workstations
  • Limit how many machines any one account has administrator rights on; the PsExec stage of this outbreak only worked because one set of stolen credentials opened many hosts
  • Keep backups that are offline or otherwise unreachable from an infected machine, and test that you can restore from them
  • Ensure that your cloud provider utilizes data protection services such as ESET and Sophos