Petya Ransomware Outbreak: What you need to know

Our SentinelOne research team is actively monitoring the Petya/NotPetya ransomware outbreak and we will update this blog post as more technical information about this attack is discovered. SentinelOne is proactively protecting customers against this latest strain. All SentinelOne customers using SentinelOne Enterprise Protection Platform are proactively protected against this outbreak.* Customers should also ensure that all machines have installed the latest Windows updates.
As with all cyber attacks that spread as quickly as what we have seen today, there is always much speculation in the initial phases of the attack as researchers quickly come up to speed on the technical nuance of what the attack is and how it is spreading.

What we know right now:

  • We have found that the outbreak is using the EternalBlue exploit to spread laterally.
  • We have also confirmed that it spreads through SMB using the psexec tool.
  • This attack does appear to be using a similar method of collecting Bitcoin ransom to the one WannaCry used, with only a small number of wallet addresses. The ransom demand is ~$300 USD.
  • The email address used in the ransom request has since been shut down. This means that anyone who chooses to pay the ransom may have difficulty retrieving their decryption key.
  • Unlike with WannaCry, we have yet to see whether this outbreak has a kill switch, though we have found that once executed, it overwrites the Master Boot Record and is then allowed to spread for an hour before forcing the machine to reboot.
  • In addition, this outbreak has characteristics similar to Petya, such as infecting the MBR and encrypting files on the drive;** however, it is not yet clear whether this is a Petya variant. Some reports are indicating that this is an entirely new form of ransomware, hence NotPetya.
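
Added here as a defender's example, not code from SentinelOne's post: a small Python check over constructed Windows System-log service-install records (Event ID 7045) that flags PsExec-style service installs, the mechanism behind the SMB/psexec spreading described above. Hosts, paths and service names in the sample data are constructed; PSEXESVC is the default service name PsExec registers on the remote host, and the ADMIN$/%SystemRoot% path heuristic for renamed copies is an assumption that will also catch some legitimate installers.

```python
import re

# Constructed sample records shaped like System-log 7045 ("A service was
# installed in the system") events; ws04 is a 7036 state change, not an install.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"host": "ws02", "event_id": 7045, "service_name": "WinDefend",
     "image_path": r"%SystemRoot%\System32\svchost.exe -k WinDefend",
     "account": "LocalSystem"},
    {"host": "ws03", "event_id": 7045, "service_name": "updater",
     "image_path": r"\\10.0.0.5\ADMIN$\updater.exe", "account": "LocalSystem"},
    {"host": "ws04", "event_id": 7036, "service_name": "PSEXESVC",
     "image_path": "", "account": ""},
]

# Default service name PsExec registers on the target host.
PSEXEC_NAME = re.compile(r"^psexesvc$", re.I)
# Service binary referenced through a remote ADMIN$ share (assumed heuristic).
REMOTE_ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.I)
# Service binary dropped directly in the Windows root, where PsExec copies
# its service executable via ADMIN$ (assumed heuristic for renamed copies).
SYSTEMROOT_EXE = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.I)


def classify(event):
    """Return a reason string if the record looks like a PsExec-style
    service install, otherwise None. Only 7045 install events are considered."""
    if event.get("event_id") != 7045:
        return None
    name = event.get("service_name", "")
    path = event.get("image_path", "")
    if PSEXEC_NAME.match(name):
        return "psexec-default-service-name"
    if REMOTE_ADMIN_SHARE.match(path):
        return "service-binary-on-remote-admin-share"
    if SYSTEMROOT_EXE.match(path) and event.get("account", "").lower() == "localsystem":
        return "service-binary-dropped-in-windows-root"
    return None


def find_suspicious(events):
    """Return (host, service_name, reason) for every flagged install record."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["host"], event["service_name"], reason))
    return hits
```

Running `find_suspicious(SAMPLE_EVENTS)` flags ws01 (default PsExec service name) and ws03 (binary loaded from a remote ADMIN$ share) and leaves the ordinary svchost-hosted service and the non-install event alone.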

Please stay tuned for more information as it becomes available.