Enter Petya (aka Petrwrap), the new ransomware variant that is spreading. She has many similarities to WannaCry. They both use an NSA exploit known as EternalBlue that targets an SMB vulnerability (CVE-2017-0144), for which Microsoft released a patch in March. Unfortunately, Petya has a few more tricks up her sleeve.
Cyber-criminals have learned from the weaknesses in WannaCry. When an infected machine reboots, it shows a fake "CheckDisk Repairing file system" message. This is actually the encryption process, so power off immediately. Petya also doesn't rely solely on one vulnerability, so even if you have applied the Microsoft security update above, you can still get hit: she also spreads within networks using PsExec and WMIC.
Since her initial attack, a "kill switch" has been found thanks to @PTsecurity: create the file "C:\Windows\perfc". This is a mechanism that virus authors build in so they can centrally disable distribution.
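One way to script the marker-file step above on a single Windows host, as an added example that is not part of the original post. The function name `Set-PerfcMarker` is hypothetical, and marking the file read-only is an extra precaution assumed here, not something the post states.

```powershell
# Added example: create the "C:\Windows\perfc" marker file named in the post.
# Run from an elevated session; writing to C:\Windows needs administrator rights.
function Set-PerfcMarker {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Path taken from the post; override only when testing elsewhere.
        [string]$Path = 'C:\Windows\perfc'
    )

    $result = [ordered]@{
        Path     = $Path
        Existed  = $false
        Created  = $false
        ReadOnly = $false
    }

    # A directory with this name is not the file the post describes; stop and let an admin look.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        throw "$Path exists but is a directory; expected a file."
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        # Idempotent: never overwrite or truncate an existing file.
        $result.Existed = $true
    }
    elseif ($PSCmdlet.ShouldProcess($Path, 'Create empty marker file')) {
        New-Item -ItemType File -Path $Path -ErrorAction Stop | Out-Null
        $result.Created = $true
    }

    # Assumption (not from the post): set read-only so the marker is not casually changed.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        if (-not $item.IsReadOnly -and $PSCmdlet.ShouldProcess($Path, 'Set read-only attribute')) {
            $item.IsReadOnly = $true
        }
        $result.ReadOnly = (Get-Item -LiteralPath $Path -Force).IsReadOnly
    }

    # Return a status object so results can be collected across hosts or logged.
    [pscustomobject]$result
}

# Preview with: Set-PerfcMarker -WhatIf
Set-PerfcMarker
```

The marker file does not replace the Microsoft security update mentioned earlier, since the post notes Petya also spreads by other means.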
As always: don't pay the ransom money. The ransomware authors’ e-mail account is already blocked, so you will not get a decryption key. A few easy things you can do:
Need additional help avoiding Petya? Make an appointment with our security expert: firstname.lastname@example.org.