Cape Town, 28 Jun 2017
Today (CEST), ESET researchers have begun investigating another massive global ransomware epidemic following the WannaCry and XData/AES-NI outbreaks.
The ransomware appears to be a version of Petya. If it successfully infects the MBR, it will encrypt the whole drive itself. Otherwise, it encrypts all files, like Mischa.
For spreading, it appears to be using a combination of the SMB exploit (EternalBlue) used by WannaCry for getting inside the network and then spreading through PsExec for spreading within the network. This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and, hopefully, most vulnerabilities have been patched. It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.
Outbreak appears to have started in Ukraine - Patient Zero
The outbreak appears to have started in Ukraine, where reports indicate the financial sector, energy sector and numerous other industries have been hit. The scope of the damage caused to the energy sector is not yet confirmed, and there have been no reports of a power outage - as was the case previously with the infamous Industroyer malware."
ESET has published a blog on WeLiveSecurity.com where additional information about this attack can be found.
Update from ESET since the above statement:
ESET researchers have located the point from which this global epidemic has all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions.
Several of them executed a Trojanised update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today, which spread across the whole country and to the whole world. M.E.Doc has today released a warning on its Web site: http://www.me-doc.com.ua/vnimaniyu-polzovateley
Share