A little over a month after WannaCry ransomware hit computers all over the globe, a new strain of ransomware has been unleashed causing similar levels of damage. The virus has targeted and infected systems of multi-national corporations like Maersk, Rosneft, and Merck.
The virus, a variant of the Petya family of ransomware, uses two different types of attacks: Eternal Blue, a Microsoft software exploit also used by WannaCry, and an additional attack method designed to infect a network through its vulnerabilities and admin tools. If the first method fails, thanks to the patch developed for Eternal Blue after the WannaCry attacks, then the virus will try the second. This second method is what the virus relies on most to spread.
Once a computer is infected, Petya uses Windows Management Instrumentation (WMI) and PsExec, two tools normally used for remote admin access, to infect more computers on the same network. Security researcher Lesley Carhart says it's pretty common for attackers to use these tools to spread malware.
“WMI is a super-effective lateral movement method for hackers. It's frequently allowed and built-in, so rarely logged or blocked by security tools,” said Carhart. “Psexec is a bit more depreciated and more monitored but still very effective.”
According to Talos Intelligence, a Cisco threat intelligence team, the ransomware may have originated from a falsified update to the Ukrainian accounting system, MeDoc. MeDoc has denied the allegations.
|Photo By: Vishnu_Kv / Pixabay|