Following reports of a Petya malware variant affecting several countries, ICS-CERT has released an alert to raise awareness among critical infrastructure owners and operators and to identify product vendors that have issued recommendations for mitigating the risk associated with this malware.
Cybersecurity researchers have been aware of the Petya malware since 2016 and have identified a new, enhanced variant that goes by several names, including “NotPetya,” “Petrwrap,” “GoldenEye,” and “Nyetya,” according to the ICS-CERT alert.
Current reporting suggests the initial infection vector for the Petya variant may be a supply chain attack against the MEDoc accounting software.
The Petya variant is a self-propagating worm that can move laterally through an infected network by harvesting credentials and active sessions on the network, exploiting previously identified SMB vulnerabilities, and using legitimate tools such as the Windows Management Instrumentation Command-line (WMIC) tool and the PsExec network management tool, the alert said.
After initial infection, the affected system scans the local network for additional systems to infect via ports 139/TCP and 445/TCP, prior to encrypting files and overwriting the Master Boot Record (MBR) or wiping sectors of the disk drive.
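The scanning behaviour described above gives defenders a concrete signal: one host opening connections to an unusually large number of distinct internal peers on 139/TCP or 445/TCP within a short window. The following Python script is an added example, not part of the ICS-CERT alert or this article; it assumes a constructed flow-log format of "timestamp src_ip dst_ip dst_port" and uses made-up addresses and thresholds that would need tuning against a site's own baseline.

```python
"""Flag worm-like SMB fan-out in flow logs (added example, constructed data).

A host that reaches many distinct internal peers on 139/TCP or 445/TCP inside
a short sliding window looks like the network scanning described in the
ICS-CERT alert. The log format, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}


def parse_flow(line):
    """Parse one constructed flow record: 'ISO-timestamp src dst dport'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def smb_fanout(lines, window=timedelta(seconds=60), min_peers=10):
    """Return {src_ip: peak_distinct_peers} for sources that contacted at least
    min_peers distinct destinations on SMB ports within any sliding window."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        if port in SMB_PORTS:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # order by timestamp so the window can slide forward
        start = 0
        for end in range(len(evs)):
            # drop events older than the window relative to the newest one
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) >= min_peers:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


def build_sample_flows():
    """Constructed flow records covering one burst scanner and benign traffic."""
    base = datetime(2017, 6, 27, 10, 0, 0)
    rows = []
    # worm-like host: 12 distinct peers on 445 within about 22 seconds
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        rows.append(f"{ts} 10.0.0.15 10.0.0.{100 + i} 445")
    # normal workstation: repeated 445 traffic to a single file server
    for i in range(20):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        rows.append(f"{ts} 10.0.0.7 10.0.0.5 445")
    # host touching 12 peers on 139, but spread over two hours (no burst)
    for i in range(12):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        rows.append(f"{ts} 10.0.0.9 10.0.0.{200 + i} 139")
    # unrelated HTTPS flow from the noisy host, ignored by the SMB filter
    rows.append(f"{base.isoformat()} 10.0.0.15 10.0.0.30 443")
    return rows


if __name__ == "__main__":
    for src, peers in smb_fanout(build_sample_flows()).items():
        print(f"ALERT {src}: {peers} distinct SMB peers within 60s")
```

On the constructed data only 10.0.0.15 is flagged: the file-server client has one peer, and the slow host never has more than one SMB event inside any 60-second window. In practice the threshold and window should be set from observed baselines, and known legitimate fan-out sources (vulnerability scanners, backup or management servers) allowlisted so the rule stays actionable.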
Several reports suggest the Petya variant’s creators intend it to be destructive in nature, rather than traditional, economically motivated ransomware. As with any ransomware, victims should not pay.
The following product vendors have proactively issued notifications with recommendations for users regarding the Petya ransomware, according to ICS-CERT, which will continue to update the list:
• Becton, Dickinson and Company (BD)
• Emerson Automation Solutions (DeltaV and AMS)
• Rockwell Automation
• Johnson & Johnson
• Schneider Electric
• Beckman Coulter
• Smiths Medical