During the last 12 hours, a new ransomware campaign has been causing mayhem in what appears to be one of the most catastrophic and aggressive ransomware attacks ever seen.
The ransomware is related to the Petya\Petwrap family, which appeared over a year ago; however, the new variant does not spread only through conventional phishing emails. Like the WannaCry campaign, it uses the leaked NSA ETERNALBLUE exploit to spread itself within the infected network over the SMB protocol.
Once the machine is infected and the critical hard drive sectors have been overwritten, a scheduled task is created that forces a reboot in one hour.
As an alternative measure, it can also cause a blue-screen-of-death (BSoD) to force a restart using the undocumented NtRaiseHardError Windows API.
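The reboot task described above leaves a process-creation trail that a defender can hunt for. The following detector is an added example, not part of the original post or Minerva's product: it parses constructed, simplified process-creation records (the field layout and the exact schtasks/shutdown command line are assumptions made for the sample) and flags a schtasks invocation that schedules a shutdown-with-reboot within the next 90 minutes.

```python
import re
from datetime import datetime

# Constructed sample records, not real logs. The layout is a simplified
# "timestamp host= image= cmdline=" form, modelled loosely on process-creation
# events; the first record mirrors a task that reboots the host in one hour.
SAMPLE_LOGS = r'''
2017-06-27 10:02:11 host=ws01 image=C:\Windows\System32\schtasks.exe cmdline=schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:02
2017-06-27 10:05:40 host=ws02 image=C:\Windows\System32\schtasks.exe cmdline=schtasks /Create /SC daily /TN Backup /TR "C:\Tools\backup.exe" /ST 23:00
2017-06-27 10:07:03 host=ws03 image=C:\Windows\System32\notepad.exe cmdline=notepad.exe C:\notes.txt
'''

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) image=(?P<image>\S+) cmdline=(?P<cmd>.*)$')
START_RE = re.compile(r'/ST\s+(\d{1,2}):(\d{2})', re.IGNORECASE)
# shutdown.exe with a reboot switch; \b keeps "/ru" (run-as user) from matching
REBOOT_RE = re.compile(r'shutdown(\.exe)?\b.*?\s/r\b', re.IGNORECASE)

def parse_line(line):
    """Return a dict for one record, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%d %H:%M:%S')
    return rec

def reboot_delay_minutes(rec):
    """Minutes from the event time to the task's /ST start time (same day), or None."""
    m = START_RE.search(rec['cmd'])
    if not m:
        return None
    start = rec['ts'].replace(hour=int(m.group(1)), minute=int(m.group(2)), second=0)
    return (start - rec['ts']).total_seconds() / 60

def is_scheduled_reboot(rec, max_minutes=90):
    """True when schtasks creates a task that runs shutdown /r within max_minutes."""
    if not rec['image'].lower().endswith('schtasks.exe'):
        return False
    if '/create' not in rec['cmd'].lower() or not REBOOT_RE.search(rec['cmd']):
        return False
    delay = reboot_delay_minutes(rec)
    return delay is not None and 0 < delay <= max_minutes

def scan(log_text):
    """Return (host, minutes-until-reboot) for every flagged record."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_scheduled_reboot(rec):
            alerts.append((rec['host'], round(reboot_delay_minutes(rec))))
    return alerts
```

A task that reboots a host within the hour is rare in normal administration, so each hit is worth triaging together with any preceding SMB activity from the same host.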
After the machine is rebooted, a fake CHKDSK screen appears, followed by the ransom note.
However, unlike other ransomware attacks that encrypt all your file data, this ransomware hijacks your entire machine at the operating system level, rendering it unable to run any programs.
So far, over 1.8 bitcoins (just under $5,000) have already been transferred to the wallet associated with this attack in 18 different transactions, and this amount is likely to rise in the coming days.
Minerva’s Anti-Evasion platform prevents Petya’s malicious code injection attempt, thwarting the entire attack before any damage is done. Minerva’s technology deceives the malware regarding its ability to interact with other processes and denies its access to memory, credit card data and other sensitive information. This approach is effective against a variety of memory injection techniques and allows you to address the increasing threat of fileless malware.