Redmond publishes in-depth analysis of the infection

Jun 28, 2017 12:35 GMT  ·  By
Microsoft says Windows users are secure as long as their systems are fully up to date

A new ransomware attack brought down computers at a large number of companies and organizations across Europe after it infected systems and required owners to pay $300 in Bitcoin to receive the decryption key.

In an in-depth analysis of the infection, Microsoft explains that the new ransomware is a form of the already-known Petya with worm capabilities, emphasizing that up-to-date Windows systems are fully secure.

Microsoft says that the new variant of Ransom:Win32/Petya was first spotted in the software update process of MEDoc, a tax accounting software solution developed by a Ukrainian firm called M.E.Doc. Attackers managed to deliver the ransomware through the update process, which explains why so many computers in Ukraine were affected, including those at hospitals, airports, and even at the Chernobyl plant.

The EzVit.exe process was detected executing a malicious command line on Tuesday, June 27, at around 10:30 a.m. GMT, Microsoft reveals. Once it reached a system, the ransomware attempted to compromise the other computers on the network.

Windows users fully protected

Microsoft goes on to say that Windows users are fully protected with one condition: to run a fully up-to-date copy of the operating system with the latest virus definitions for Windows Defender.

The ransomware can also spread using the SMB vulnerability (codenamed EternalBlue) which was used by WannaCrypt, as well as a second exploit known as EternalRomance. Both were patched by Microsoft with security update MS17-010 in March, so this is the first update to install to remain protected.

Windows users are obviously recommended to update their operating systems as soon as possible, but also the security products running on their computers. Windows Defender detects the new form of ransomware as Ransom:Win32/Petya, and you need to be running definition version 1.247.197.0 or later in order for the antivirus to block the threat.

On computers where deploying the latest patches is not possible just yet, users are recommended to disable SMBv1 and to add a rule on the router or firewall to block incoming SMB traffic on port 445.

“As the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. These may have large impacts on the capability of your network, but may be suggested for a very short time period while you assess the impact and apply definition updates,” Microsoft explains.
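The interim mitigations described above (checking the Defender definition version, disabling SMBv1, and blocking TCP 139/445 on the host firewall), as an added PowerShell example that is not part of the article or Microsoft's post. It assumes Windows 8.1/10 or Windows Server 2012 R2 or later, an elevated session, and the rule names are constructed for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: interim Petya/NotPetya mitigations for a host that cannot yet
# install MS17-010. Not code from Microsoft or the article.

# 1. Check that Windows Defender definitions are at least the version the
#    article names as detecting Ransom:Win32/Petya (1.247.197.0).
$required = [version]'1.247.197.0'
$current  = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($current -lt $required) {
    Write-Warning "Defender definitions $current are older than $required; updating."
    Update-MpSignature
} else {
    Write-Host "Defender definitions $current already cover Ransom:Win32/Petya."
}

# 2. Disable SMBv1 on the server side (the protocol EternalBlue/EternalRomance abuse).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Also remove the SMB1 component so the driver is not loaded at all (reboot needed).
# On Server SKUs use: Remove-WindowsFeature FS-SMB1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 3. Block inbound SMB/NetBIOS traffic (TCP 139 and 445) on the host firewall.
foreach ($port in 139, 445) {
    $name = "Block-Inbound-TCP-$port-Petya-Mitigation"   # constructed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
    }
}

# 4. Report the resulting state so the change can be verified, and later reverted
#    once the patch and definition updates have been applied.
[pscustomobject]@{
    SMB1Enabled       = (Get-SmbServerConfiguration).EnableSMB1Protocol
    BlockedPorts      = (Get-NetFirewallRule -DisplayName 'Block-Inbound-TCP-*-Petya-Mitigation' |
                         Get-NetFirewallPortFilter).LocalPort
    DefinitionVersion = $current
}
```

Blocking 139/445 also breaks legitimate file sharing and remote administration, which is why Microsoft frames it as a short-term measure; remove the rules with `Remove-NetFirewallRule -DisplayName 'Block-Inbound-TCP-*-Petya-Mitigation'` once MS17-010 is installed.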

No other emergency updates have been published this time given that Windows computers are secure against Petya.