On 27 June 2017, another virulent ransomware variant began to rapidly infect computers across the globe. Petya 2.0 (also called NotPetya by some researchers) is primarily distributed using a fake order confirmation attachment on a phishing email. After it infects the initial victim, Petya 2.0 moves laterally through the victim’s network by exploiting the same EternalBlue (MS17-010) vulnerability as the WannaCry ransomware variant, as well as by leveraging PsExec and WMIC.
Petya 2.0 works differently than traditional ransomware by encrypting the Master Boot Record (MBR) on the victim’s computer, instead of individual files. By encrypting the MBR, the victim is locked out of their operating system and files completely.
After initial infection, Petya 2.0 schedules a system reboot. Petya 2.0 then hijacks the boot process to encrypt the MBR instead of loading the victim’s operating system. Multiple security researchers report that immediately powering off an affected computer prior to the completion of the encryption process may save the MBR and allow an opportunity to back up files to a different computer before booting the affected system again.
Additionally, researchers have discovered a potential kill switch within Petya 2.0 that may prevent the infection from executing. During Petya 2.0’s execution, it checks for the existence of a file “C:\Windows\perfc”. If the file exists, execution is halted. Manually creating a file at that location may prevent Petya 2.0 from executing.
As of this writing, Pasteo, the email hosting provider used by the attacker for decryption key distribution, has locked the email account used in the Petya 2.0 ransom note. This means that, even if the ransom is paid, there is no way for the attacker to provide the decryption key to the victim.
For WatchGuard customers, APT Blocker detects and blocks Petya 2.0 immediately. IPS contains signatures to detect and stop the exploitation of MS17-010 (also known as EternalBlue). As of approximately 2pm US PDT (UTC-7), Gateway AV detects Petya 2.0. Threat Detection and Response (TDR) does detect the ransomware executable and quarantines the file prior to execution if an auto remediation policy is enabled. TDR does not currently prevent the ransomware from executing because it encrypts the MBR during the system book, not individual files during normal system use.
IT administrators should install the latest Windows security updates to resolve the MS17-010 vulnerability. Additionally, WatchGuard customers should enable APT Blocker and IPS to stop the ransomware at their network perimeter.
No workaround is needed for: