Just got word of a new ransomware outbreak hitting several companies as we speak. Known victims so far include a Ukrainian power company, Kyiv's main airport, the Chernobyl nuclear power plant, the aircraft manufacturer Antonov, the Copenhagen-based shipping company Maersk, Mondelez (maker of Oreo and Toblerone), the Netherlands-based carrier TNT, the US hospital operator Heritage Valley Health System, the law firm DLA Piper and the construction company Saint-Gobain. The list of affected systems is growing as we speak, and PETYA's creators could have been motivated by the South Korean hosting company that paid its attackers a $1M ransom just a few days ago.
What is known so far is that PETYA exploits an SMBv1 vulnerability described in MS17-010, and the way Microsoft Office handles RTF documents as described in CVE-2017-0199, on Windows systems. Applying the MS17-010 patch should be a top priority if you haven't done it yet, and monitoring or blocking TCP port 445 is a sensible precaution. Also keep an eye on this VirusTotal page, which lists the AV engines currently detecting the PETYA sample. If yours is not on that list, enable your AV's heuristic detection. I've seen that COMODO isn't currently detecting the malware, so I set its HIPS (Host Intrusion Protection System) to "Safe Mode" just to be safe.
There's also a local kill switch. As explained by my source, it is as simple as creating a file (not a folder) named "perfc" in the "C:\Windows" folder and setting its attributes to "Read-Only"; the malware checks for that file and exits if it exists. Note that this only stops the payload from running on the host where the file is present. It does nothing for unpatched neighbours on the network, so treat it as a stopgap on top of MS17-010, not a substitute for it. A video discussing PETYA's behaviour was also uploaded to YouTube by Colin Hardy.
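The mitigations from the two paragraphs above (patch check, SMBv1 off, port 445 blocked, perfc kill switch) collected into one script. This is an added example, not code from the original post or from any of the vendors mentioned. It assumes Windows 8.1 / Server 2012 R2 or later (for the Smb* and NetFirewall cmdlets), and the list of MS17-010 KB numbers is a partial one that you must check against the Microsoft bulletin for your exact OS build; the hypothetical firewall rule name is mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: per-host hardening for the
# PETYA measures described above. Run in an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

# 1. Check whether one of the MS17-010 packages is installed.
#    ASSUMPTION: this KB list is partial; verify against the bulletin for your OS.
$ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 package from the known list found; patch this host first."
}

# 2. Disable SMBv1 on the server side (the protocol the exploit targets) ...
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# ... and remove the optional feature where the OS offers it (client SKUs).
try {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
} catch {
    Write-Warning "SMB1Protocol feature not removable here; on Server use Remove-WindowsFeature FS-SMB1."
}

# 3. Block inbound TCP/445. Hypothetical rule name; relax the rule only for hosts
#    that genuinely need to serve file shares.
$ruleName = 'Block inbound SMB 445 (PETYA precaution)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# 4. Local kill switch: the payload exits if C:\Windows\perfc exists. Create the
#    file, plus the two name variants reported in the wild, and mark them read-only
#    so nothing overwrites them. This protects only this host.
foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $path = Join-Path $env:SystemRoot $name
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    $item = Get-Item $path
    $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::ReadOnly
}
Get-ChildItem (Join-Path $env:SystemRoot 'perfc*') | Select-Object Name, Attributes
```

A reboot is needed for the SMBv1 feature removal to take full effect; `Set-SmbServerConfiguration` applies immediately. If the firewall rule breaks legitimate file sharing, scope it with `-RemoteAddress` rather than deleting it.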