Since 27 June 2017 there has been extensive media coverage of a ransomware attack on large multinationals and other companies around the world. Its behaviour resembles WannaCry, but the malware is a variant of the "Petya" ransomware.
This summary is intended to provide more information regarding the ransomware, and provide guidelines to prevent and mitigate infection.
This means that even if a machine is already patched against MS17-010, the malware can still spread to it by reusing credentials extracted from memory on an already infected host. The EternalBlue and EternalRomance exploits for MS17-010 are only needed against unpatched machines; the credentials are not obtained through those exploits but dumped from the infected host's memory (in the style of Mimikatz) and then used to execute the malware remotely on other hosts.
What does it encrypt?
This variant of Petya does not simply encrypt files in place the way WannaCry does. It first encrypts a set of file types in user mode, then replaces the computer's master boot record (MBR) with its own malicious code and forces a reboot. After the reboot that code encrypts the master file table (MFT) of the system drive and displays the ransom note, leaving the computer unable to boot and the whole volume inaccessible.
The ransomware also creates a scheduled task that forces a reboot roughly an hour after infection, which is when the MFT encryption takes place.
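The two behaviours described above, the scheduled forced reboot and the credential-based spread to already patched hosts, both leave traces in Windows process-creation logs (Sysmon Event ID 1 or Security Event 4688 with command-line auditing). The following Python detector is an added example and is not part of the KPMG summary. The log lines are constructed for the example, and the field layout, host names, addresses and payload path are assumptions; the command-line shapes the rules look for (schtasks creating a shutdown /r /f task, wmic process call create with explicit credentials, PsExec-style \\target -s -d execution) are modelled on the publicly reported behaviour of this Petya variant.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    host: str
    user: str
    rule: str
    command_line: str


# Assumed (constructed) event layout: one process-creation event per line with the
# full command line in a trailing CommandLine="..." field. Real collectors differ;
# adapt EVENT_RE to the field names of your SIEM.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+CommandLine="(?P<cmd>.*)"$'
)

RULES = {
    # 1. schtasks creating a task whose action is a forced reboot (shutdown /r /f),
    #    the mechanism the malware uses to trigger the MBR/MFT stage.
    "scheduled_forced_reboot": re.compile(
        r"schtasks(?:\.exe)?\s.*?/create\b.*?shutdown(?:\.exe)?\s+(?:/r\s+/f|/f\s+/r)",
        re.IGNORECASE,
    ),
    # 2. wmic spawning a process on another host with explicit credentials:
    #    how stolen credentials are reused against patched machines.
    "wmic_remote_exec_with_creds": re.compile(
        r"wmic(?:\.exe)?\s.*?/node:.*?/user:.*?process\s+call\s+create",
        re.IGNORECASE,
    ),
    # 3. PsExec-style remote execution: \\target ... -s (run as SYSTEM) ... -d (detach).
    #    Keyed on the argument shape rather than the binary name, because a dropped
    #    copy of PsExec may be renamed.
    "psexec_style_remote_exec": re.compile(
        r"\\\\[\w.\-]+\s+(?:-\w+\s+)*-s\s+(?:-\w+\s+)*-d\b",
        re.IGNORECASE,
    ),
}
REMOTE_EXEC_RULES = {"wmic_remote_exec_with_creds", "psexec_style_remote_exec"}

# Constructed sample events: two benign lines followed by the three suspicious ones.
SAMPLE_EVENTS = [
    r'2017-06-27T10:01:02Z host=WS01 user=CORP\alice CommandLine="C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"',
    r'2017-06-27T10:03:15Z host=WS01 user=CORP\svc_backup CommandLine="schtasks /Query /FO LIST"',
    r'2017-06-27T10:05:40Z host=WS01 user=CORP\alice CommandLine="schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:05"',
    r'2017-06-27T10:06:01Z host=WS01 user=CORP\alice CommandLine="wmic /node:"10.0.0.12" /user:"CORP\admin" /password:"Hunter2" process call create "C:\Windows\System32\rundll32.exe C:\Windows\payload.dat,#1""',
    r'2017-06-27T10:06:30Z host=WS01 user=CORP\alice CommandLine="C:\Windows\psexec.exe \\10.0.0.13 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\payload.dat,#1"',
]


def scan(lines):
    """Return one Finding per (event, matching rule), in log order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a process-creation event in the expected layout
        cmd = m.group("cmd")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(n, m.group("host"), m.group("user"), name, cmd))
    return findings


def hosts_with_both_behaviours(findings):
    """Hosts that both scheduled a forced reboot and launched remote execution.

    A forced reboot on its own is common in patch management; the combination with
    outbound credentialed remote execution from the same host is the worm pattern.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(
        h for h, rules in by_host.items()
        if "scheduled_forced_reboot" in rules and rules & REMOTE_EXEC_RULES
    )


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f.line_no} {f.host} {f.user} [{f.rule}] {f.command_line}")
    print("hosts showing the full pattern:", hosts_with_both_behaviours(SAMPLE_EVENTS and scan(SAMPLE_EVENTS)))
```

Rule 1 alone will also fire on legitimate maintenance (an administrator scheduling a forced restart), so the correlation in hosts_with_both_behaviours, or the parent process from Sysmon, is what separates an outbreak from routine patching. Rule 2 deliberately requires explicit /user: credentials on the command line, since that is the signature of credential reuse rather than an ordinary interactive administrator.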
What can you do to prevent infection?
Note: These suggested solutions are provided only as a guide and are not meant to be a comprehensive solution to protect your organization from potential attacks by the ransomware. KPMG is not liable for any loss or damages in the event such proposed solutions adopted are not pursuant to a formalized engagement between your organization and KPMG.
Learn more about KPMG’s cyber security services.