Preventing Petya – stopping the next ransomware attack

 
Check Point’s Incident Response Team has been responding to multiple global infections caused by a new variant of the Petya malware, which first appeared in 2016 and is currently moving laterally within customer networks.  It appears to be using the ‘EternalBlue’ exploit which May’s WannaCry attack also exploited.  It was first signaled by attacks on financial institutions in the Ukraine, but soon started spreading more widely, particularly across Europe, the Americas and Asia. The ransomware is propagating fast across business networks in the same way WannaCry did last month.  However, unlike other ransomware types including WannaCry, Petya does not encrypt files on infected ...

Threat Brief: Petya Ransomware, A Global Attack

 
A worldwide attack erupted on June 27 with a high concentration of hits in Ukraine - including the Ukrainian central bank, government offices and private companies. The attack is distributing what seems to be a variant of Petya, an MBR ransomware. While the source of the attack has yet to be determined, many researchers suggest that M.E.Doc, a Ukrainian accounting software provider, was compromised and its systems abused to distribute the attack via its software update mechanism. M.E.Doc is a popular service in Ukraine, the malware’s top targeted country; in May the company was also suspected of involvement in the distribution of another ransomware, known as XData. So far, ...

WannaCry – New Kill-Switch, New Sinkhole

 
Check Point Threat Intelligence and Research team has just registered a brand new kill-switch domain used by a fresh sample of the WannaCry Ransomware. In the last few hours we witnessed a stunning hit rate of 1 connection per second. Registering the domain activated the kill-switch, and these thousands of to-be victims are safe from the ransomware’s damage. Our research shows that the kill-switch works the same as in earlier versions, and the rest of the code is similar to the older versions. New kill-switch: ...

WannaCry – Paid Time Off?

 
Let us open with a TL;DR – DO NOT pay the ransom demanded by the WannaCry ransomware! Now, let us explain why: As of this writing , the 3 bitcoin accounts associated with the WannaCry ransomware have accumulated more than $33,000 between them. Despite that, not a single case has been reported of anyone receiving their files back. The decryption process itself is problematic, to say the least. Unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it. Most ransomware, such as Cerber, generate a unique ID and bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on ...