Minerva Labs Blog

New Petya Ransomware Attack PREVENTED by Minerva Labs

During the last 12 hours, a new ransomware campaign has been causing mayhem in what appears to be one of the most catastrophic and aggressive ransomware attacks ever seen.

The ransomware is related to the Petya\Petwrap family, which appeared over a year ago; however, the new variant is not spread only by conventional phishing emails. Like the WannaCry campaign, it uses the leaked NSA ETERNALBLUE exploit to spread itself within the infected network over the SMB protocol.

Once the machine is infected and the critical hard drive sectors have been overwritten, a scheduled task is created that forces a reboot one hour later.

As an alternative, it can also force a restart by triggering a blue screen of death (BSoD) through the undocumented NtRaiseHardError Windows API.
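The reboot-forcing task described above is something a defender can watch for in the Task Scheduler telemetry Windows already produces. The following is an added example, not Minerva's code: it parses the Task Scheduler XML that Windows embeds in Security event 4698 ("A scheduled task was created") and flags any task whose action runs shutdown.exe with a restart or shutdown switch, reporting how far in the future the task is due. The assumption that the task reboots the machine through shutdown.exe is mine, as are the two sample events (one benign backup job, one restart task due in 60 minutes), which are constructed for the demonstration.

```python
"""Flag newly created scheduled tasks that force a reboot.

Added example for this post, not Minerva's code. It parses the Task
Scheduler XML carried in Security event 4698 ("A scheduled task was
created") and flags tasks whose action runs shutdown.exe with a restart
or shutdown switch. The events below are constructed samples.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Namespace used by Task Scheduler task definitions.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# shutdown.exe switches that restart, power off or restart-and-reopen apps.
REBOOT_SWITCHES = {"/r", "-r", "/s", "-s", "/g", "-g"}


@dataclass
class Finding:
    task_name: str
    command: str
    arguments: str
    minutes_until_run: Optional[float]  # None when the task has no TimeTrigger


def parse_task(task_xml: str) -> Tuple[List[Tuple[str, str]], Optional[str]]:
    """Return ([(command, arguments), ...], StartBoundary of a TimeTrigger or None)."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.iter(f"{TASK_NS}Exec"):
        command = (exec_node.findtext(f"{TASK_NS}Command") or "").strip()
        arguments = (exec_node.findtext(f"{TASK_NS}Arguments") or "").strip()
        actions.append((command, arguments))
    start = root.findtext(
        f"{TASK_NS}Triggers/{TASK_NS}TimeTrigger/{TASK_NS}StartBoundary"
    )
    return actions, start


def forces_reboot(command: str, arguments: str) -> bool:
    """True when the action is shutdown.exe invoked with a restart/shutdown switch."""
    # Normalise quoting, case and path separators, then keep the file name only.
    exe = command.strip('"').lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if exe != "shutdown.exe":
        return False
    return any(tok.lower() in REBOOT_SWITCHES for tok in arguments.split())


def inspect_event(task_name: str, task_xml: str, now: datetime) -> List[Finding]:
    """Return the Findings for one 4698 event (empty list when the task is benign)."""
    actions, start = parse_task(task_xml)
    minutes = None
    if start:
        minutes = (datetime.fromisoformat(start) - now).total_seconds() / 60
    return [Finding(task_name, cmd, args, minutes)
            for cmd, args in actions if forces_reboot(cmd, args)]


def scan(events, now: datetime) -> List[Finding]:
    """Run inspect_event over (task_name, task_xml) pairs and collect all findings."""
    findings: List[Finding] = []
    for name, xml in events:
        findings.extend(inspect_event(name, xml, now))
    return findings


# Constructed sample events, shaped like the Task Content field of event 4698.
SAMPLE_NOW = datetime(2017, 6, 27, 11, 30)
SAMPLE_EVENTS = [
    ("\\Nightly Backup",
     """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2017-06-27T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>/full</Arguments></Exec></Actions>
</Task>"""),
    ("\\SystemRestart",
     """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2017-06-27T12:30:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>%SystemRoot%\\system32\\shutdown.exe</Command><Arguments>/r /f</Arguments></Exec></Actions>
</Task>"""),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, SAMPLE_NOW):
        when = (f"in {f.minutes_until_run:.0f} minutes"
                if f.minutes_until_run is not None else "with no time trigger")
        print(f"ALERT: task {f.task_name!r} runs {f.command} {f.arguments} {when}")
```

In production the task XML comes from the Task Content field of event 4698 (or from the Microsoft-Windows-TaskScheduler/Operational log); the value of the check is that a one-off restart task due in the near future, created outside a change window, is a strong signal worth correlating with the SMB activity described above.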

After the machine reboots, a fake CHKDSK screen appears.

Then comes a ransom note.

However, unlike other ransomware that encrypts individual files, this ransomware hijacks the entire machine at the operating-system level, leaving it unable to run any program.

So far, over 1.8 bitcoins (just under $5,000) have already been transferred to the wallet associated with this attack in 18 different transactions, and this amount is likely to rise in the coming days.

Preventing the New Petya Attack

Minerva’s Anti-Evasion platform prevents Petya’s malicious code injection attempt, thwarting the entire attack before any damage is done. Minerva’s technology deceives the malware regarding its ability to interact with other processes and denies its access to memory, credit card data and other sensitive information. This approach is effective against a variety of memory injection techniques and allows you to address the increasing threat of fileless malware.


Request a demo to see it in action.

IoC

SHA256

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1

Bitcoin Wallet

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
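The SHA256 hashes above are only useful if they can be checked against what is actually on disk. The following is an added example, not Minerva's tooling: a small scanner that walks a directory tree, hashes every regular file in chunks, and reports files whose digest is in the IoC set. The hash set is the one listed in this post; the directory layout and file contents in the demonstration are constructed, and unreadable paths are collected separately rather than aborting the scan.

```python
"""Scan a directory tree for files whose SHA256 matches the IoC list.

Added example for this post, not Minerva's code. The hash set comes from
the IoC section above; the sample files built in demo() are constructed
so the scanner can be run and checked offline.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import List, Set, Tuple

# SHA256 hashes listed in the IoC section of this post.
PETYA_SHA256 = {
    "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
    "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, iocs: Set[str]) -> Tuple[List[Path], List[Path]]:
    """Return (matches, errors).

    matches: regular files whose SHA256 is in `iocs`.
    errors:  paths that could not be read (permissions, disappeared mid-scan);
             these are reported instead of silently skipped.
    Symlinks are ignored so the scan cannot be steered outside `root`.
    """
    matches: List[Path] = []
    errors: List[Path] = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            if sha256_file(path) in iocs:
                matches.append(path)
        except OSError:
            errors.append(path)
    return matches, errors


def demo() -> Tuple[int, int]:
    """Build a constructed tree and scan it twice.

    Returns (hits against the real IoC set, hits when the hash of a
    constructed test file is added to that set). The first number is
    expected to be 0 because no constructed file has a listed hash.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_bytes(b"quarterly notes\n")
        sample = root / "sample.bin"  # constructed test file, not malware
        sample.write_bytes(b"constructed test sample for the scanner\n")

        real_hits, _ = scan_tree(root, PETYA_SHA256)
        test_hits, _ = scan_tree(root, PETYA_SHA256 | {sha256_file(sample)})
        return len(real_hits), len(test_hits)


if __name__ == "__main__":
    print("hits against IoC set / hits with test hash added:", demo())
```

On a real host, point scan_tree at the system drive (or at the paths a responder is interested in) and treat any entry in the errors list as something to revisit with higher privileges rather than as a clean result.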