“Petya” Ransomware: What we know now
LAST UPDATED 3:10 p.m. PDT:
A massive new ransomware attack that started in Ukraine is spreading across Europe and the United States, according to Reuters and multiple other sources. Prominent companies that have been affected are the Danish shipping company Maersk and the British advertising company WPP.
The ransomware appears to be related to the Petya family, which is currently detected by ESET as Win32/Diskcoder.C Trojan.
ESET users can find instructions to ensure the highest level of protection against this threat here. In addition, here is an advisory for ESET customers about the new malware. ESET protects against this threat, provided you have a default install of any modern ESET product. Additionally, any ESET product with network detection protects against the SMB spreading mechanism, EternalBlue, proactively.
How does Petya work?
The Petya malware attacks a computer’s MBR (master boot record), a key part of the startup system that contains information about the hard disk partitions and helps load the operating system. If the malware successfully infects the MBR, it encrypts the whole drive; otherwise, it falls back to encrypting all files individually, as Mischa does.
To check if your Windows operating system is patched against it, use ESET's free EternalBlue Vulnerability Checker.
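To make the MBR layout described above concrete, here is an added example (not code from ESET or from this article) that parses a 512-byte master boot record, checks the 0x55AA boot signature, lists the partition entries and hashes the boot-code region so a defender can compare it against a baseline recorded on a known-good system; the sample sector is constructed for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # boot code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Parse a raw MBR: signature check, boot-code hash and non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # unused entry
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def boot_code_modified(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code differs from the hash taken on a known-good machine."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256

def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS-type (0x07) partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE

if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print(f"entry {p['index']}: type=0x{p['type']:02x} bootable={p['bootable']} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    # A single flipped byte in the boot code is enough to trip the baseline comparison.
    tampered = bytes([sample[0] ^ 0xFF]) + sample[1:]
    print("boot code modified:", boot_code_modified(tampered, info["boot_code_sha256"]))
```

On a real system the sector would be read from the physical disk device with administrative rights (for example the first 512 bytes of \\.\PhysicalDrive0 on Windows), and the baseline hash stored off-host.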
Petya and crypto-ransomware
In Ukraine, the financial sector, energy sector and numerous other industries have been hit. The scope of the damage caused to the energy sector is not yet confirmed, and there have been no reports of a power outage, as was the case previously with the infamous Industroyer malware that was discovered by ESET.
“If you see this text, then your files are no longer accessible, because they have been encrypted … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment [$300 bitcoins] and purchase the decryption key.”
How to protect yourself