Content, Breach, Malware, Ransomware

Petya, Goldeneye Ransomware Attacks: 10 Cybersecurity Experts Offer Advice, Views

As the latest Petya (aka Petwrap) and Goldeneye ransomware attacks continue to spread, cybersecurity software and cloud companies are working to analyze the malware while guiding customers and partners to safety. Here's a sampling of statements and perspectives from 10 (actually 12) cybersecurity companies that are tracking today's ransomware attacks.

Note: Keep in mind that the statements surfaced at different times throughout the day (June 27, 2017). Check in with each vendor for their latest findings and advice on mitigating the malware.

1. Avast: "We have seen 12,000 attempts today by malware to exploit EternalBlue, which we detected and blocked. Data from Avast’s Wi-Fi Inspector, which scans networks and can detect if an Avast PC or another PC connected to the same network is running with the EternalBlue vulnerability, shows that 38 million PCs that were scanned last week have not patched their systems and are thus vulnerable. The actual number of vulnerable PCs is probably much higher. The top 4 targeted operating systems, according to our data, are (in order): Windows 7 (78%), Windows XP (14%), Windows 10 (6%) and Windows 8.1 (2%)."

2. Cylance: "A new ransomware outbreak has been rapidly propagating across computer networks globally, starting earlier in the afternoon (UTC) today on June 27. ... CylancePROTECT customers are fully protected from this threat, and have been since October 14, 2015 with our 1310 model release. The new Petya-like attack demonstrates the benefit of our temporal predictive advantage, which enables CylancePROTECT to block this new ransomware threat without an update."

3. Glasswall (Simon Taylor, VP of products): “This appears to be yet another targeted and sustained attack perpetrated simply by amending a previously successful virus that was supposedly neutralized."

Jonathan Levine, Intermedia

 4. Intermedia (Jonathan Levine, CTO): "For immediate vigilance, Petya may be spreading via email, so it’s crucial for businesses to proceed with extra caution when opening attachments, as the strain has been seen with extensions .apx, .js, .rar, .pdf and .iso. We don’t want to repeat WannaCry, so having a security plan in place that detects viruses in email attachments is now more important than ever.” 

Phil Richards

5. Ivanti (Phil Richards, CISO): “The ransomware, called Petwrap, is based on an older Petya variant, originating from the GoldenEye malware in December 2016. The new ransomware variant also includes the SMB exploit known as EternalBlue that was created by the United States National Security Administration, and leaked by the Shadow Brokers hacker group in April 2017. This malware appears to have been targeted to Ukraine infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports, and aircraft manufacturers. Since the initial infection it has spread to other markets, and beyond the Ukraine boarders. The actual malware is ransomware, requesting a ransom equivalent to $300 USD in bitcoins. The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record. The EternalBlue component enables it to proliferate through an organization that doesn’t have the correct patches or antivirus/antimalware software. This is a great example of two malware components coming together to generate more pernicious and resilient malware.”

6. Kaspersky Lab: "This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within corporate networks. More technical info on the attack."

McAfee Chief Scientist Rah Samani

7. McAfee (Raj Samani, Head of Strategic Intelligence): "McAfee has received multiple reports of modified variants of the Petya ransomware variants. McAfee Labs is analyzing these samples and advising customers on how to address the threat in their environments. This outbreak does not appear to be as great as WannaCry but the number of impacted organizations is significant. It appears that its using the same propagation method as WannaCry, at least based on the data we have right now. Anybody running Operating Systems that have not been patched for the vulnerability WannaCry exploited could be vulnerable to this attack."

 8. Sophos: "What makes the new threat different is that it now includes the EternalBlue exploit as a way to propagate inside a targeted network. The exploit attacks the Windows Server Message Block (SMB) service, which is used to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin in March, but the exploit proved instrumental in last month’s spread of WannaCry."

9. Symantec: "Symantec Endpoint Protection (SEP) and Norton products proactively protect customers against attempts to spread Petya using Eternal Blue. SONAR behavior detection technology also proactively protects against Petya infections. Symantec products also detect Petya components as Ransom.Petya."

10. Trend MicroA large-scale ransomware attack reported to be caused by a variant of the Petya ransomware is currently hitting various users, particularly in Europe. This variant, which Trend Micro already detects as RANSOM_PETYA.SMA, is known to use both the EternalBlue exploit and the PsExec tool as infection vectors. Users and organizations are thus advised to perform the following mitigation steps immediately in order to prevent and avoid infection:

  • Apply the security patch MS17-010
  • Disable TCP port 445
  • Restrict accounts with administrator group access

Trend Micro also protects its customers against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen security. We are currently analyzing this threat and will update this post as more details become available."

Usman Choudhary, VIPRE Security

11. VIPRE Security: "The attack is complex and infiltrating from several vectors, one of which is a fake Microsoft Digital Certificate that ultimately clears the Windows event log before shutting down the machine and encrypting its files. VIPRE Advanced Security blocks the currently known samples of this new ransomware variant and users that are running a VIPRE security solution for business or home are not in danger. VIPRE labs has initiated its own analysis on this attack and we will be making updates as more information is available." Side note: Chief Product Officer Usman Choudhary calls the attack code rather creative, given its double encryption design.

12. Webroot: "Webroot’s threat researchers have confirmed that this ransomware is a variant of an older attack dubbed Petya, except this time the attack uses EternalBlue to target Windows systems—the same exploit behind the infamous WannaCry attack. While this variant appears to be an upgraded version of Petya, there is no confirmation that this attack is from the same author. This variant mirrors Petya in that it encrypts the Master File Table (MFT) by overwriting the bootloader code, though unlike previous versions, it encrypts files based on file extension. The system fails to boot as usual and the end user instead sees a screen that appears similar to DOS and demands payment. The shot below depicts the preparation of the EternalBlue triggering packet." Webroot customers are protected against this attack, the company added.

Stay tuned to MSSP Alert's home page for the latest on this outbreak.


Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.