The FBI has released a NEWSFLASH on the NotPetya Ransomware attack which is still spreading online.
Summary
According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations in the United States, France, India, Russia, Spain, Ukraine, and the United Kingdom. Initial open-source reporting indicated that a potential variant of the Petya ransomware was being used in the attack and demanded a ransom of $300 US worth of bitcoin.
Technical Details
Open-source reports indicate the new ransomware employs the same EternalBlue exploit used by WannaCry ransomware, allowing it to spread quickly and infect additional systems. Published by the Shadow Brokers in April 2017, the exploit targets Windows’ SMB file-sharing system. Microsoft issued a patch for the MS17-010 SMB vulnerability on March 14, 2017. In addition to leveraging the Server Message Block (SMB) vulnerability, the ransomware also uses WMIC/PsExec to move between computers on a local network.
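One way to hunt for the WMIC/PsExec movement described above, as an added example that is not part of the FBI notice. The event records are constructed, simplified stand-ins for Windows Security event 4688 (process creation, with command-line logging enabled) and System event 7045 (service installed); the field names `host`, `command_line` and `service_name` and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

# Command lines that run something on another host with the two tools the notice names.
WMIC_REMOTE = re.compile(r'\bwmic(?:\.exe)?"?\s.*?/node:\s*"?([^"\s]+)"?.*?\bprocess\s+call\s+create\b', re.I)
PSEXEC_REMOTE = re.compile(r'\bpsexec(?:64)?(?:\.exe)?"?\s.*?\\\\([^\s\\]+)', re.I)

# Constructed sample events (assumed field names, not real log data).
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 4688, "command_line": r"wmic.exe os get caption"},
    {"host": "WS-07", "event_id": 4688,
     "command_line": r'wmic.exe /node:"10.0.0.21" process call create "cmd.exe /c hostname"'},
    {"host": "WS-07", "event_id": 4688,
     "command_line": r"C:\Tools\PsExec.exe \\10.0.0.22 -s cmd.exe /c hostname"},
    {"host": "WS-07", "event_id": 4688,
     "command_line": r'wmic /node:10.0.0.23 process call create "cmd.exe /c hostname"'},
    {"host": "SRV-22", "event_id": 7045, "service_name": "PSEXESVC"},
]

def detect(events):
    """Return (host, rule, target) findings from simplified event dicts."""
    findings = []
    for ev in events:
        if ev["event_id"] == 4688:  # Security log: process creation
            cmd = ev.get("command_line", "")
            for rule, pattern in (("wmic-remote-exec", WMIC_REMOTE),
                                  ("psexec-remote-exec", PSEXEC_REMOTE)):
                m = pattern.search(cmd)
                if m:
                    findings.append((ev["host"], rule, m.group(1).lower()))
        elif ev["event_id"] == 7045:  # System log: a new service was installed
            # By default PsExec installs a service named PSEXESVC on the target.
            if ev.get("service_name", "").upper() == "PSEXESVC":
                findings.append((ev["host"], "psexesvc-installed", ev["host"].lower()))
    return findings

def fan_out(findings, threshold=3):
    """Source hosts that ran remote execution against >= threshold distinct targets."""
    targets = defaultdict(set)
    for host, rule, target in findings:
        if rule.endswith("remote-exec"):
            targets[host].add(target)
    return {h: sorted(t) for h, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    print(hits)
    print(fan_out(hits))
```

A single administrative PsExec or WMIC call is routine; one workstation reaching several peers in a short window is the pattern worth alerting on.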
A variant of the Petya ransomware was potentially used in the attack, according to open-source reporting. Petya ransomware was first discovered in 2016 and operated differently from previously known ransomware variants by overwriting the Master Boot Record (MBR)
We are able to bring this FBI Notice to you through our partnership with law enforcement, and because the notice is coded ‘WHITE’, which means we can share the document freely. If you wish to be alerted to other notices, including those coded GREEN and YELLOW, please contact us. The FBI allows us to share WHITE-coded notices publicly, but notices with either of the other two statuses may only be shared with interested and relevant parties, i.e., we are NOT allowed to post them publicly.