Petya ransomware variant strikes on a global scale

October 20, 2017


Firms across the globe have been hit by a variant of the Petya (or Petwrap) strain of ransomware, which affects Windows servers, PCs, and laptops. Initial reports suggest this latest attack struck Ukraine first, but it has quickly spread to many other countries, including Russia, Spain, France, the UK, the Netherlands, and the US. Currently the attackers are asking for $300 worth of Bitcoin to restore access to data.

So far, many high-profile organizations across the globe have been impacted, and national infrastructure in Ukraine has also been badly affected, including the state power utility, Kiev’s airport, and the metro system. At this stage the attack appears to be smaller in scale than the WannaCry outbreak back in May, but we’ll be monitoring its scale and impact over the coming hours and days. At the time of writing, Kaspersky estimated that around 2,000 users had been affected.

So what do we know about Petya?

Though this is suspected to be a variant of Petya, this form of ransomware isn’t a new phenomenon and has been around for a few years. What we know is that Petya is incredibly quick to spread and behaves slightly differently from more traditional forms of ransomware. Rather than encrypting files one by one, Petya encrypts the location containing sensitive data, preventing access to those parts of the network.

The usual entry point for Petya is an email containing a Dropbox URL or an attachment, and the executable usually differs from one dropper to another. Examination of previous Petya instances also commonly shows this type of ransomware specifically targeting admin accounts in order to propagate across the corporate network. For Petya to execute, it needs to run with admin privileges.

This current Petya attack appears to be using the same EternalBlue exploit as WannaCry. EternalBlue was leaked by the Shadow Brokers hacker group in April and was developed by the US National Security Agency.

Could it have been avoided?

The short answer is yes. In the immediate aftermath of the WannaCry attack, it became clear that many organizations had failed to regularly update and patch their systems, with many relying on antiquated operating systems to keep the business running. While we’ve only just begun to understand how this latest attack operates, I’d suspect that some of the organizations impacted had dropped the ball when it came to basic security hygiene.

We also know from previous Petya attacks that it depends on victims executing the malware with administrator rights on Windows in order to gain file-system-level access. Without admin rights it will fail, underlining once again the importance of adopting a least privilege approach to security.

It’s critical that businesses implement these security best practices: regular patching, application control, and removing admin rights. In our testing, we found that these simple measures prevented the majority of cyberattacks.
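As an added example (not from the original post, and not Avecto or BeyondTrust code), the following PowerShell turns the three recommendations above into a read-only hygiene check on a Windows host: whether the SMBv1 server that EternalBlue targets is still enabled, whether a given everyday user sits in the local Administrators group, and whether any AppLocker executable rules are in effect. It assumes an elevated session (Get-SmbServerConfiguration requires one), the Get-LocalGroupMember cmdlet (Windows 10 / Server 2016 and later), and a hypothetical user name "alice" to assess; the function names are my own.

```powershell
# Added example: read-only checks for the controls discussed in the post.
# Run from an elevated PowerShell session. Names below are the editor's own.

function Test-Smb1ServerEnabled {
    # EternalBlue exploits the SMBv1 server service. On Windows 8 / Server 2012
    # and later Get-SmbServerConfiguration reports its state; on older builds
    # fall back to the LanmanServer registry value (SMB1 = 0 means disabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # On those older builds an absent value means SMBv1 is on by default.
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-LocalAdminMembership {
    # Petya needs administrator rights to do its damage; an everyday user
    # account should not be a member of the local Administrators group.
    param([Parameter(Mandatory)][string]$UserName)
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $hit = $members | Where-Object {
        $_.Name -eq $UserName -or $_.Name -like "*\$UserName"
    }
    return [bool]$hit
}

function Test-AppLockerExeRules {
    # Application control: does the effective AppLocker policy contain any
    # rules for executables? No policy, or no Exe collection, means no control.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $policy) { return $false }
    $exe = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
    return [bool]($exe -and @($exe).Count -gt 0)
}

# Hypothetical everyday user to assess; replace with a real account name.
$userToCheck = 'alice'

$findings = [ordered]@{
    'SMBv1 server enabled (EternalBlue surface)' = Test-Smb1ServerEnabled
    "User '$userToCheck' is a local administrator" = Test-LocalAdminMembership -UserName $userToCheck
    'AppLocker Exe rules in effect'                = Test-AppLockerExeRules
}
$findings.GetEnumerator() | ForEach-Object { '{0,-48} {1}' -f $_.Key, $_.Value }
```

A host in good shape reports False, False, True; the first two findings are the ones the post's mitigations (patching and least privilege) are meant to remove.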

Who is to blame?

Speculation as to who is behind this attack will now begin, and the obvious finger-pointing will focus on nation states. North Korea has been heavily linked with last month’s WannaCry attack. However, this attack could just as easily originate from a sophisticated organized crime unit. You don’t need to be technical or have the resources of a nation state to write this type of malware; there are novices doing this using toolkits readily available on the Dark Web.

As more information on this latest Petya attack becomes available, we’ll be providing more insight and analysis on the Avecto blog page. For more information on ransomware attacks and ways to mitigate against them, visit www.avecto.com.

Andrew Avanessian
