Several high-profile organizations are already affected by a ransomware attack which began to spread in Europe on June 27. Tanium’s EDR and TAM teams are monitoring the situation closely. Here’s what we know so far.
A ransomware attack which began to spread in Europe on June 27 is showing potential to have a broader impact worldwide, with several high-profile organizations already infected. Some reports are tying this to a new variant of the “Petya” (or “Petrwrap”) malware, which was used in prior campaigns earlier this year. Others are saying it’s a completely new variant never seen before. The malware uses delivery and propagation methods which exploit recently patched vulnerabilities.
Please note: The findings and recommendations we’re sharing below are derived from community research shared on public and private forums. Aspects of this campaign are not yet fully understood, and the situation may continue to evolve.
Based on early analysis of a few publicly available samples, the window of opportunity for response is extremely short. The malware automatically reboots systems after completing its encryption and propagation routines. Early research indicates this occurs within an hour post-infection.
Analysis of publicly available samples indicates the malware may use PsExec in conjunction with the native WMI command-line tool, ‘wmic’, to execute the malware on remote systems. Post-infection, the malware may use ‘schtasks’ to create a local task which reboots the system within an hour (rendering it inoperable).
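As an added example (not Tanium’s code or signatures), the following toy detector turns the three behaviours just described into checks over process-creation telemetry: a ‘wmic’ remote ‘process call create’, a process spawned under the PsExec service, and a ‘schtasks /create’ entry whose action is a ‘shutdown /r’. The event fields mirror Sysmon Event ID 1 style data; the sample events, host names and payload path are constructed, and the indicator patterns are assumptions drawn from the description above rather than confirmed IoCs.

```python
"""Toy detector for the PsExec / wmic / schtasks behaviours described above.
Added example, not the article's or Tanium's own code.  Indicator patterns are
assumptions derived from the article's description; sample events are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


def _is_exe(path: str, name: str) -> bool:
    """Case-insensitive match on the final path component."""
    return path.lower().endswith("\\" + name.lower())


# (rule name, predicate).  Each predicate encodes one assumed indicator.
RULES = [
    # wmic used to start a process on another host (/node:<target>)
    ("wmic_remote_process_create",
     lambda e: _is_exe(e.image, "wmic.exe")
     and re.search(r"\bprocess\s+call\s+create\b", e.command_line, re.I) is not None
     and re.search(r"/node:", e.command_line, re.I) is not None),
    # anything spawned by (or as) the PsExec service binary
    ("psexec_service_execution",
     lambda e: _is_exe(e.parent_image, "PSEXESVC.exe") or _is_exe(e.image, "PSEXESVC.exe")),
    # a scheduled task whose action is a forced reboot
    ("schtasks_scheduled_reboot",
     lambda e: _is_exe(e.image, "schtasks.exe")
     and re.search(r"\s/create\b", e.command_line, re.I) is not None
     and re.search(r"shutdown(\.exe)?\b.*\s/r\b", e.command_line, re.I) is not None),
]


def scan(events):
    """Return (rule_name, host, command_line) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e.host, e.command_line))
    return hits


def triggered_rules(events):
    """Convenience view: rule names only, in event order."""
    return [h[0] for h in scan(events)]


# Constructed sample telemetry: a benign baseline plus the three behaviours.
# Hosts, IPs and the payload path are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:"10.0.0.25" /user:"corp\admin" process call create "C:\Temp\payload.dll"',
              r"C:\Windows\System32\rundll32.exe"),
    ProcEvent("WS02", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Temp\payload.dll",
              r"C:\Windows\PSEXESVC.exe"),
    ProcEvent("WS02", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35',
              r"C:\Windows\System32\rundll32.exe"),
    ProcEvent("WS03", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Query /TN "Backup"',
              r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for rule, host, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {cmd}")
```

Because the reboot task is what closes the response window, an alert on the ‘schtasks_scheduled_reboot’ rule is the one to prioritise: it fires on the host that is already compromised and about to become inoperable, while the ‘wmic’ and PsExec rules point at the hosts it is spreading to.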
(Editor’s note: This article was updated at 4:30 pm PT to reflect new information about the initial infection phase.)
About the author: In his role as Tanium’s Chief Security Architect, Ryan Kazanciyan brings more than 14 years of experience in incident response, forensic analysis, and penetration testing. Ryan oversees the design and roadmap for Tanium’s Threat Response offerings, and leads the Tanium Endpoint Detection and Response (EDR) team. Prior to joining Tanium, Ryan oversaw investigation and remediation efforts at Mandiant, partnering with dozens of Fortune 500 organizations affected by targeted attacks. Ryan has trained hundreds of incident responders as an instructor for Black Hat and the FBI’s cyber squad. He is a contributing author for “Incident Response and Computer Forensics 3rd Edition” (McGraw-Hill, 2014). Ryan also works as a technical consultant for the television series “Mr. Robot”, where he collaborates with the writers and production team to design the hacks depicted in the show.