Ransomware

On June 27th, a ransomware campaign affected organizations in several countries, including Russia, Ukraine, India, Spain, France and the United Kingdom, among other European countries. This new Petya variant demands $300 in bitcoin for the recovery of the information.

The main attack vector appears to be phishing campaigns with Word and Excel documents attached; the CVE-2017-0199 vulnerability is then used to install the malware through infected macros. The malware itself is a .dll file executed through rundll32.exe. It can infect publicly exposed systems as well as internal ones by exploiting the CVE-2017-0143 and CVE-2017-0144 (ETERNALBLUE) vulnerabilities. After execution, Petya uses the ETERNALBLUE exploits, as well as Windows Management Instrumentation Command-line (WMIC) and PsExec, to move laterally and infect internal systems.
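The lateral-movement tools named above each leave a trace in Windows event logs, which is the defender's opportunity. The following script is an added example, not code from the original advisory or from Warpcom: it reads the System log for the service installation PsExec creates (Event ID 7045, service name PSEXESVC) and Sysmon process-creation events (Event ID 1) for WMIC remote process creation and for rundll32.exe loading a DLL from a user-writable directory. The presence of Sysmon, the 24-hour lookback and the path heuristic are assumptions, not values from the advisory.

```powershell
# Added example (not from the original advisory): hunt for the lateral-movement
# artefacts named in the text. Assumes Sysmon is installed with process-creation
# logging (Event ID 1) and that the script runs with rights to read both logs.
param([int]$Hours = 24)   # lookback window: an assumption, adjust as needed

$since = (Get-Date).AddHours(-$Hours)
$findings = @()

# 1. PsExec installs a temporary service on the target; the System log records it
#    as Event ID 7045 with service name PSEXESVC.
$svcEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $svcEvents) {
  if ($e.Message -match 'PSEXESVC') {
    $findings += [pscustomobject]@{Time=$e.TimeCreated; Rule='PsExec service install'; Detail=($e.Message -split "`n")[0]}
  }
}

# 2. Sysmon process creation: remote process creation through WMIC, and rundll32
#    executing a DLL from a user-writable directory (Temp/AppData/ProgramData is
#    a heuristic chosen for this example, not an indicator from the advisory).
$procEvents = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=$since} -ErrorAction SilentlyContinue
foreach ($e in $procEvents) {
  $x = [xml]$e.ToXml()
  $d = @{}
  foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
  $img = $d['Image']; $cmd = $d['CommandLine']
  if ($img -match '\\wmic\.exe$' -and $cmd -match '(?i)process\s+call\s+create') {
    $findings += [pscustomobject]@{Time=$e.TimeCreated; Rule='WMIC remote process creation'; Detail=$cmd}
  }
  if ($img -match '\\rundll32\.exe$' -and $cmd -match '(?i)\\(Temp|AppData|ProgramData)\\[^ ]+\.dll') {
    $findings += [pscustomobject]@{Time=$e.TimeCreated; Rule='rundll32 loading DLL from user-writable path'; Detail=$cmd}
  }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Run it elevated on a host you suspect was reached from an already infected machine; a PSEXESVC install or a WMIC "process call create" originating from another workstation is rarely legitimate outside of administration tooling, so review every hit against your change records.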

This variant appears to operate differently from other ransomware families: rather than encrypting individual files on the affected systems, it encrypts the Master Boot Record (MBR), thus restricting access to the system and its files. The MBR is replaced by the malware's own code, which prevents the computer from starting and displays a recovery message on the screen. Apparently, the encryption phase only starts after the reboot.
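Because the damaging step only begins after the reboot, a host whose MBR has just been replaced can still be taken off the network and imaged before it is lost. The script below is an added example, not part of the original advisory: it reads the first sector of the boot disk, hashes the 440-byte bootstrap code area and compares it with a baseline recorded earlier, so an overwritten MBR is reported before the machine restarts. It needs administrator rights; the baseline path and disk number are assumptions.

```powershell
# Added example (not from the original advisory): baseline and re-check the MBR
# bootstrap code of the boot disk. Run elevated. Defaults are assumptions.
param(
  [string]$BaselinePath = "$env:ProgramData\mbr-baseline.sha256",
  [int]$DiskNumber = 0
)

function Read-Mbr([int]$Disk) {
  # Opening \\.\PhysicalDriveN gives raw access to sector 0 (512 bytes).
  $fs = New-Object System.IO.FileStream("\\.\PhysicalDrive$Disk",
          [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
  try {
    $buf = New-Object byte[] 512
    $n = $fs.Read($buf, 0, 512)
    if ($n -ne 512) { throw "short read ($n bytes)" }
    return $buf
  } finally { $fs.Dispose() }
}

function Get-MbrCodeHash([byte[]]$Sector) {
  # Bytes 0..439 hold the bootstrap code; the partition table and the
  # 0x55AA signature follow. Only the code area is hashed, so partition
  # edits do not trigger a false alarm.
  $sha = [System.Security.Cryptography.SHA256]::Create()
  $h = $sha.ComputeHash($Sector, 0, 440)
  return ([System.BitConverter]::ToString($h)).Replace('-', '')
}

$mbr = Read-Mbr $DiskNumber
if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) {
  Write-Warning 'Sector 0 lacks the 55AA boot signature: not a classic MBR, or already overwritten.'
}
$current = Get-MbrCodeHash $mbr

if (-not (Test-Path $BaselinePath)) {
  Set-Content -Path $BaselinePath -Value $current
  Write-Output "Baseline recorded: $current"
} else {
  $baseline = (Get-Content $BaselinePath -Raw).Trim()
  if ($baseline -eq $current) {
    Write-Output "MBR bootstrap code unchanged ($current)"
  } else {
    Write-Warning "MBR bootstrap code CHANGED. baseline=$baseline current=$current. Do not reboot; isolate and image the host."
  }
}
```

Record the baseline while the machine is known good (for example right after provisioning) and store a copy of the hash off-host; a scheduled run that alerts on a mismatch is a cheap tripwire for this class of boot-sector tampering.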

Recommendations:

  • Disable WMIC and the SMBv1 protocol.
  • Apply security patches: MS17-010 and the fix for CVE-2017-0199.
  • Filter ports 445 and 139 for all untrusted networks.
  • Update anti-virus software and apply signatures to your network protection systems.
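The first three recommendations can be applied and verified from an elevated PowerShell session on Windows 8.1/10 and Server 2012 R2/2016. The script below is an added example, not code from the original advisory or from Warpcom. It disables SMBv1, checks whether a hotfix from MS17-010 is installed, and adds a firewall rule blocking inbound TCP 445 and 139 on the Public profile, which is how Windows itself models "untrusted networks". The KB list is partial and an assumption: complete it for your operating system from the MS17-010 bulletin linked below. Disabling WMIC and the CVE-2017-0199 Office update are not scripted here, since both depend on your own deployment tooling.

```powershell
# Added example (not from the original advisory): apply the SMBv1, MS17-010 and
# port-filtering recommendations on a single host. Run elevated.
param(
  # Partial, assumed list of MS17-010 hotfix IDs; extend it per OS from the bulletin.
  [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012598','KB4012606','KB4013198','KB4013429')
)

# 1. Disable SMBv1 on the server side and remove the optional feature where present.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
$smb = Get-SmbServerConfiguration
Write-Output "SMB1 enabled: $($smb.EnableSMB1Protocol)"

# 2. Verify MS17-010: at least one hotfix from the list should be installed.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
  Write-Output "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
  Write-Warning 'No MS17-010 hotfix from the list found; patch before exposing this host to untrusted networks.'
}

# 3. Block inbound SMB/NetBIOS (TCP 445 and 139) on the Public profile.
#    Windows Firewall block rules take precedence over allow rules, so scoping
#    by profile is the clean way to keep Domain/Private (trusted) access working.
$ruleName = 'Block inbound SMB from untrusted networks (MS17-010 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
  New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort 445,139 -Action Block -Profile Public | Out-Null
  Write-Output "Firewall rule created: $ruleName"
} else {
  Write-Output "Firewall rule already present: $ruleName"
}
```

A reboot is still required for the SMBv1 feature removal to take full effect, so schedule it; the `Get-SmbServerConfiguration` line at the end confirms that the server-side setting changed immediately.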

Links that provide relevant information in relation to the recent occurrence:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0199

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://www.blocktrail.com/BTC/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX/transactions

https://virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

https://virustotal.com/fr/ip-address/185.165.29.78/information/

https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/

https://twitter.com/PayloadSecurity/status/879701663040319493

https://www.infosecurity-magazine.com/news/ukraine-businesses-petya-ransomware/

http://thehackernews.com/2017/06/petya-ransomware-attack.html

If your data has been encrypted, check www.nomoreransom.org regularly for the latest tools and solutions available for data recovery.

Paulo Rosa

Security & Public Safety Business Unit Manager
