Symantec Security Response to Petya Ransomware Outbreak
Petya ransomware impacting large organisations in multiple countries.
This new strain of the Petya ransomware started propagating on June 27, 2017, infecting many organisations. Similar to WannaCry, Petya uses the Eternal Blue exploit to propagate itself.
What is Petya?
Petya has been in existence since 2016. It differs from typical ransomware in that it doesn’t just encrypt files; it also overwrites and encrypts the master boot record (MBR).
In this latest attack, the following ransom note is displayed on infected machines, demanding that $300 in bitcoins be paid to recover files:
How does Petya spread and infect computers?
Petya propagates itself by exploiting the MS17-010 vulnerability, also known as Eternal Blue. Symantec continues to investigate other possible methods of propagation.
Who is impacted?
At the time of writing, Petya is primarily impacting organisations in Europe.
Is this a targeted attack?
It’s unclear at this time; however, previous strains of Petya have been used in targeted attacks against organisations.
Am I protected from the Petya Ransomware?
Symantec Endpoint Protection (SEP) and Norton products proactively protect customers against attempts to spread Petya using Eternal Blue. SONAR behavior detection technology also proactively protects against Petya infections. Symantec products also detect Petya components as Ransom.Petya.
What are the details of Symantec's protection?
Network-based protection
Symantec has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:
• OS Attack: Microsoft SMB MS17-010 Disclosure Attempt (released May 2, 2017)
• Attack: Shellcode Download Activity (released April 24, 2017)
Antivirus
• Ransom.Petya
Symantec is continuing to analyze this threat and will post further information as soon as it becomes available.
ENDS