Multiple Petya Ransomware Infections

Summary

Systems Affected: Microsoft Windows operating systems.

Per Alert (ICS-ALERT-17-181-01C) Petya Malware Variant (Update C)

ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware.

Cybersecurity researchers have been aware of the Petya malware since 2016 and have recently identified a new enhanced variant with several different names, including “NotPetya,” “Petrwrap,” “GoldenEye,” and “Nyetya.” Current reporting suggests that the initial infection vector for the Petya variant may be the result of a supply chain attack against accounting software MEDoc.

The Petya variant is a self-propagating worm that can laterally move through an infected network by harvesting credentials and active sessions on the network, exploiting previously identified SMB vulnerabilities, and using legitimate tools such as the Windows Management Instrumentation Command-line (WMIC) tool and the PsExec network management tool. After initial infection, the affected system scans the local network for additional systems to infect via Port 139/TCP and 445/TCP, prior to encrypting files and overwriting the Master Boot Record (MBR) or wiping sectors of the disk drive. There are several reports that suggest that the Petya variant’s creators intend it to be destructive in nature, rather than a traditional, economically motivated ransomware. Regardless, the U.S. Government does not encourage paying a ransom to criminal actors.
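The lateral-movement behaviour above (remote execution through WMIC and PsExec, plus a burst of SMB connections on 139/TCP and 445/TCP from one host) leaves traces in ordinary endpoint and network telemetry. The following Python script is an added example written for this page, not code from Quantum or from the ICS-CERT alert. It runs two detections over constructed records: process-creation events in the shape an EDR or Sysmon agent emits (timestamp, host, image path, command line) and TCP connection records (timestamp, source, destination, destination port). The host names, addresses, `dropped.dat` payload name and thresholds are all assumptions made up for the example; tune `min_targets` and `window_seconds` to the normal SMB fan-out of your own environment. Note that the credential-harvesting path means hosts already patched for the SMBv1 vulnerabilities (MS17-010) can still be reached through WMIC/PsExec with stolen credentials, which is why process-level detection matters alongside patching.

```python
"""Detect the NotPetya-style lateral-movement pattern in endpoint/network records.

All input below is constructed sample data for illustration; nothing is real
telemetry. Detections:
  1. remote execution via WMIC (/node: ... process call create), the PsExec
     client (psexec.exe \\target ...) and the PSEXESVC service it drops;
  2. one source opening SMB (139/445) connections to many distinct hosts
     inside a short window, i.e. the local-network scan.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed process-creation records: (time, host, image, command line) ---
PROC_EVENTS = [
    ("2017-06-27T10:14:55", "WS01", r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic /node:10.0.0.7 /user:CORP\svc-backup /password:*** process call create "rundll32.exe C:\Windows\dropped.dat,#1"'),
    ("2017-06-27T10:15:03", "WS01", r"C:\Tools\PsExec.exe",
     r"psexec.exe \\10.0.0.9 -accepteula -s -d rundll32.exe C:\Windows\dropped.dat,#1"),
    ("2017-06-27T10:15:04", "FS02", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe"),
    ("2017-06-27T10:20:00", "ADMIN01", r"C:\Windows\System32\wbem\WMIC.exe",
     r"wmic os get caption"),  # local query, not remote execution: must not alert
]

# --- constructed connection records: (time, src, dst, dport) ---
NET_EVENTS = [
    ("2017-06-27T10:14:%02d" % (30 + i), "WS01", "10.0.0.%d" % (1 + i), 445)
    for i in range(12)                                     # WS01 sweeps 12 hosts in 12 s
] + [
    ("2017-06-27T10:20:05", "ADMIN01", "10.0.0.5", 445),   # one admin connection: benign
    ("2017-06-27T10:20:06", "WS01", "10.0.0.20", 80),      # not SMB: ignored
]

SMB_PORTS = {139, 445}
WMIC_REMOTE = re.compile(r"/node:(?P<target>\S+)", re.IGNORECASE)
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
PSEXEC_TARGET = re.compile(r"\\\\(?P<target>[^\s\\]+)")   # first \\host argument


def detect_remote_exec(events):
    """Return (time, host, technique, target) for each remote-execution sighting."""
    alerts = []
    for t, host, image, cmdline in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "wmic.exe":
            m = WMIC_REMOTE.search(cmdline)
            # Only /node: together with 'process call create' is remote execution.
            if m and WMIC_CREATE.search(cmdline):
                alerts.append((t, host, "wmic-remote-exec", m.group("target")))
        elif exe in ("psexec.exe", "psexec64.exe"):
            m = PSEXEC_TARGET.search(cmdline)
            alerts.append((t, host, "psexec-client", m.group("target") if m else "?"))
        elif exe == "psexesvc.exe":
            # The service binary PsExec installs on the *target*; host is the victim.
            alerts.append((t, host, "psexesvc-service", host))
    return alerts


def detect_smb_scan(flows, min_targets=8, window_seconds=60):
    """Return (src, distinct_targets, window_start) for sources that fan out
    SMB connections to >= min_targets distinct hosts within window_seconds."""
    by_src = defaultdict(list)
    for t, src, dst, dport in flows:
        if dport in SMB_PORTS:
            by_src[src].append((datetime.fromisoformat(t), dst))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, rows in by_src.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            # Distinct destinations seen from t0 up to t0 + window.
            targets = {d for t, d in rows[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append((src, len(targets), t0.isoformat()))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_remote_exec(PROC_EVENTS):
        print("REMOTE-EXEC", *a)
    for a in detect_smb_scan(NET_EVENTS):
        print("SMB-SCAN   ", *a)
```

Both detections are deliberately narrow: a WMIC `/node:` query without `process call create` and a single admin SMB connection do not alert, so the rules can run continuously without drowning the SOC; the `psexesvc-service` sighting is the most reliable of the three, since it fires on the victim regardless of what the attacker's client was called.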

Unaffected Quantum Products

The following Quantum products are known to be unaffected by the Multiple Petya Ransomware Infections:

Vulnerable Quantum Products

Versions of the following Quantum products are known to be vulnerable to Multiple Petya Ransomware Infections:

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including:

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Recommended Steps to minimize the risk associated with the Petya malware:

Recommended Best Practices

References

Contact Information

In the US, call 800-284-5101. In Europe, call toll free +800-7826-8888 or direct +49 6131 324 185. You will need your system serial number. For additional contact information, go to http://www.quantum.com/serviceandsupport/get-help/index.aspx#contact-support