As you’ve likely heard by now, on Tuesday 27 June there was a major global malware attack from Petrwrap ransomware that is currently affecting various organizations across Europe. This malware is believed to be a variant of the Petya malware first seen in March 2016.
Please be assured that KPMG’s teams are dedicated to assisting clients during this time of uncertainty and will be working around the clock to gather all the information we can on the nature of the malware and the mitigation actions. There are a number of appropriate technical and organizational measures that our teams are advising clients to take in order to mitigate the risk of Petrwrap ransomware. To help ensure you have the current details, we have put together a summary of the malware, how it spreads and the immediate measures we recommend you take.
The Petrwrap ransomware is designed to encrypt the NTFS file system of an infected Windows system, denying you access to data. It will also replace the master boot record of the computer with code to display a ransom demand for $300 in bitcoins. The ransomware is also designed to spread aggressively within your local network environment.
There is evidence that the malware has been spread by a Rich Text Format (RTF) attachment to a phishing email. This email has been carefully crafted to exploit a vulnerability (now patched) in the way Microsoft Office handles such files.
The malware also spreads within the local area network by exploiting vulnerabilities (also now patched) in the Microsoft Server Message Block (SMB) protocol, which supports file sharing between Windows systems. This includes the same vulnerability used in the recent WannaCry malware attack.
The malware also has the capability to “harvest” user credentials from compromised systems and use these credentials to gain access to, and infect, additional systems on the local network.
Unlike the recent WannaCry incident, it has not been possible to discover a means of remotely disabling the malware (a “kill switch”), and as such there is a risk of aggressive spread within local networks.
There are indications that creating the file "C:\Windows\perfc.dat", or blocking execution of this file using tooling such as Microsoft AppLocker, limits the infection. This does not prevent a system from becoming infected; however, there are indications that Petrwrap's functionality is limited on systems where the file is present.
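As an added example that is not part of KPMG's advisory, the following PowerShell creates the placeholder file named above as an empty, read-only file and reports its state on a host, refusing to overwrite an existing non-empty file at that path (which may be the malware's own payload and should be preserved for the incident responders). The path is the one the advisory gives; the elevated session, the icacls SID syntax and the hosts.txt list used for remote deployment are assumptions.

```powershell
# Added example (not KPMG's tooling). Assumes an elevated PowerShell session on Windows.
# The path is the one named in the advisory; adjust it if other guidance names another file.

function Set-PetrwrapPlaceholder {
    [CmdletBinding()]
    param([string]$Path = "$env:SystemRoot\perfc.dat")

    if (Test-Path -LiteralPath $Path) {
        $existing = Get-Item -LiteralPath $Path
        if ($existing.Length -gt 0) {
            # A non-empty file here was not created by this script: leave it for investigation.
            Write-Warning "$Path already exists with $($existing.Length) bytes; not touching it."
            return $false
        }
    } else {
        # Create an empty file so the path exists before the malware looks for it.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Mark the placeholder read-only so a later process cannot simply replace it.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # Tighten the DACL (assumed SID syntax): Administrators and SYSTEM full control, Everyone read.
    icacls $Path /inheritance:r /grant:r "*S-1-5-32-544:F" "*S-1-5-18:F" "*S-1-1-0:R" | Out-Null
    return $true
}

function Test-PetrwrapPlaceholder {
    param([string]$Path = "$env:SystemRoot\perfc.dat")
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    # One record per host, suitable for collecting into a CSV during the response.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Present  = [bool]$item
        ReadOnly = if ($item) { $item.IsReadOnly } else { $false }
        Size     = if ($item) { $item.Length } else { $null }
    }
}

# Local run, then the same functions pushed to a list of hosts (hosts.txt is assumed).
Set-PetrwrapPlaceholder | Out-Null
Test-PetrwrapPlaceholder
Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Set-PetrwrapPlaceholder}
Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-PetrwrapPlaceholder} |
    Export-Csv .\perfc-status.csv -NoTypeInformation
```

The status CSV shows which hosts still lack the placeholder; it says nothing about whether a host has already been infected, so it complements rather than replaces the patching and SMB controls above.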
Ensure the following communication and precautionary measures are undertaken:
KPMG’s teams are committed to helping you understand, prioritize and manage your cyber security risks. We continue to assess the impact of Petrwrap ransomware and will keep you apprised on any critical developments.
Should you need any additional information or support, please reach out to the contacts below directly.