A modification of Petya ransomware is hitting a number of companies in Ukraine

Further to reports of a massive cyber attack hitting a number of companies in Ukraine, including banks, energy companies and transport services as well as the government, we believe this is another example of the Petya-based ransomware, which was first identified in 2016. A few months ago, we spotted Petya ransomware patched and bundled in a different malware strain called PetrWrap. The attack appears to be spreading with incidents being reported in Russia, India, France, Spain and also the Netherlands, and those behind the attack demanding a $300 ransom to be paid in the cryptocurrency, Bitcoin.

This modification of Petya seems to be spreading using the EternalBlue vulnerability, which was the same vulnerability used to spread WannaCry. We have seen 12,000 attempts today by malware to exploit EternalBlue, which we detected and blocked. Data from Avast’s Wi-Fi Inspector, which scans networks and can detect if an Avast PC or another PC connected to the same network is running with the EternalBlue vulnerability, shows that 38 million PCs that were scanned last week have not patched their systems and are thus vulnerable. The actual number of vulnerable PCs is probably much higher

We strongly recommend Windows users, regardless if consumer or business users to update their systems with any available patches as soon as possible, and ensure their antivirus software is also up to date.

While we don’t know who is behind this specific cyber attack, we know that one of the perfidious characteristics of Petya ransomware is that its creators offer it on the darknet with an affiliate model which gives distributors a share of up to 85% of the paid ransom amount, while 15% is kept by the malware authors. The malware authors provide the whole infrastructure, C&C servers, and money transfer method. This type of model is called “ransomware  as a service (RaaS)”, which allows malware authors to win over non-tech savvy customers to distribute their ransomware.