Petya A / PetrWrap Ransomware detector

Supported platforms: ArcSight, IBM QRadar, Splunk

Description:
Petya A (also tracked as PetrWrap and NotPetya) is a hybrid ransomware/wiper worm whose outbreak began on June 27th, 2017 and hit organisations in several countries at once, including Ukraine, the Netherlands, Russia, Spain, Poland, France and India. Initial reports on the day of the attack described distribution by email with malicious URLs and .doc/.xls attachments, using CVE-2017-0199 to launch a VBS dropper; lateral movement inside target networks was attributed (proof still pending at the time of writing) to EternalBlue and the other SMB exploits published by the Shadow Brokers. Once running, the malware did not merely encrypt individual files: it encrypted the NTFS master file table, overwrote the master boot record (MBR), and created a scheduled task (schtasks running shutdown.exe /r /f) to reboot the host roughly one hour after infection, using that window to spread to other Windows machines. Mitigation includes timely patching, restoring from known-good backups, blocking network communication to known indicators of compromise (IOCs), and automatically removing the malicious reboot task, for example via Group Policy, before it fires.
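The forced-reboot scheduled task described above is the behaviour a SIEM rule can catch before the MFT encryption becomes visible. The following is an added example of that detection logic, not the detector sold on this page: it runs over constructed Windows Security events shaped like 4698 (scheduled task created, which carries the task XML in TaskContent) and 4688 (process created, with the schtasks command line). Hosts, users, task names and times are invented; the shutdown.exe /r /f action matches the page's description of the reboot task.

```python
"""Flag scheduled tasks that force a reboot, the way Petya/NotPetya did.

Added example, not the detector this page sells. Runs over constructed
Windows Security events (4698 = scheduled task created, 4688 = process
created); hosts, users and timestamps are invented.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")
TR_ARG_RE = re.compile(r"/tr\s+(?:\"([^\"]*)\"|(\S+))", re.IGNORECASE)

# Constructed 4698 TaskContent: a one-shot task that forces a reboot.
REBOOT_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2017-06-27T15:12:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\system32\\shutdown.exe</Command><Arguments>/r /f</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed benign 4698 TaskContent: a nightly backup job.
BACKUP_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\system32\\wbadmin.exe</Command><Arguments>start backup -quiet</Arguments></Exec>
  </Actions>
</Task>"""

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 4698, "Computer": "WS-017", "SubjectUserName": "jdoe",
     "TaskName": "\\", "TaskContent": REBOOT_TASK_XML},
    {"EventID": 4698, "Computer": "SRV-BACKUP", "SubjectUserName": "svc_backup",
     "TaskName": "\\NightlyBackup", "TaskContent": BACKUP_TASK_XML},
    {"EventID": 4688, "Computer": "WS-022", "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 15:40'},
    {"EventID": 4688, "Computer": "SRV-BACKUP", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /Create /SC daily /TN NightlyBackup /TR "wbadmin start backup -quiet" /ST 02:00'},
]


def is_forced_reboot(command: str, arguments: str) -> bool:
    """True when an action runs shutdown.exe with a restart switch (/r or -r)."""
    exe = command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("shutdown.exe", "shutdown"):
        return False
    switches = {tok.lower() for tok in arguments.split()}
    return bool(switches & {"/r", "-r"})


def task_actions(task_xml: str) -> list:
    """Return (Command, Arguments) for every Exec action in a task definition.

    TaskContent keeps its encoding="UTF-16" declaration although the event text
    is already decoded; ElementTree rejects multi-byte declarations on str input,
    so the declaration is stripped before parsing.
    """
    root = ET.fromstring(XML_DECL_RE.sub("", task_xml, count=1).strip())
    return [(node.findtext(TASK_NS + "Command", default=""),
             node.findtext(TASK_NS + "Arguments", default=""))
            for node in root.iter(TASK_NS + "Exec")]


def schtasks_action(command_line: str) -> tuple:
    """Split the /TR value of a schtasks /Create line into (program, arguments)."""
    if "/create" not in command_line.lower():
        return "", ""
    m = TR_ARG_RE.search(command_line)
    if not m:
        return "", ""
    parts = (m.group(1) or m.group(2)).strip().split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def detect(events: list) -> list:
    """Return one finding per event that schedules a forced reboot."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        hits = []
        if eid == 4698:
            hits = [a for a in task_actions(str(ev["TaskContent"])) if is_forced_reboot(*a)]
        elif eid == 4688 and str(ev.get("NewProcessName", "")).lower().endswith("schtasks.exe"):
            cmd, args = schtasks_action(str(ev.get("CommandLine", "")))
            if is_forced_reboot(cmd, args):
                hits = [(cmd, args)]
        for cmd, args in hits:
            findings.append({"Computer": ev["Computer"], "SubjectUserName": ev["SubjectUserName"],
                             "EventID": eid, "Action": f"{cmd} {args}".strip(),
                             "Reason": "scheduled task forces a reboot (Petya/NotPetya behaviour)"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Two of the four constructed events are flagged (the 4698 task definition and the schtasks /Create command line on another host), the backup task and its schtasks invocation are not. Matching on the action rather than the task name matters here because the malicious task name is attacker-controlled; the same finding can drive the Group Policy remediation the page mentions, deleting the flagged task before its trigger time.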