A worm-capable version of the Petya/GoldenEye ransomware family has been found propagating via the SMB vulnerability patched in MS17-010, the same vulnerability targeted by the EternalBlue exploit and used by WannaCry. There is also some indication that the new ransomware worm uses Windows Management Instrumentation Command-line (WMIC) to spread. A number of organizations, ranging from radiation monitoring to pharmaceutical, shipping, and oil companies, have said they were victims. It is estimated that more than 1.9 million devices expose the SMB v1 service to the Internet and are potentially vulnerable if they have not yet applied the MS17-010 patch.
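The two exposures named above, SMB v1 left enabled and MS17-010 not applied, can be audited on a Windows host from an elevated PowerShell session. The script below is an added example and is not part of the Netskope post or any Netskope tooling. It assumes PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later (the `SmbShare` and `Dism` modules are needed for `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature`), and the KB list is my recollection of the MS17-010 bulletin, which must be checked against the bulletin for the exact OS build in use.

```powershell
# Added example (not from the Netskope post): audit a Windows host for the two
# conditions this worm relies on, SMB v1 enabled and MS17-010 missing, and
# optionally disable SMB v1. Run elevated. Assumptions: PowerShell 5.1,
# Windows 8.1 / Server 2012 R2 or later; the KB list below is recalled from the
# MS17-010 bulletin and should be verified against it.
[CmdletBinding()]
param(
    [switch]$DisableSmb1   # change configuration instead of only reporting
)

# KB identifiers published with MS17-010 (assumption: verify against the bulletin).
# On Windows 10 and on Win7/8.1 monthly rollups, later cumulative updates supersede
# these, so an absent KB is a reason to investigate, not proof the host is unpatched.
$Ms17010Kbs = @(
    'KB4012598',               # XP / Vista / Server 2003 / Server 2008 / Windows 8 (out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Get-Smb1State {
    # Server side: the SMB server's own SMB1 switch.
    $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Feature side: the SMB1Protocol optional feature (client + server binaries).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = [bool]$serverSmb1
        Smb1FeatureState  = if ($feature) { [string]$feature.State } else { 'Unknown' }
    }
}

function Test-Ms17010Hotfix {
    # Compare installed hotfix IDs with the MS17-010 list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Ms17010KbFound = ($found.Count -gt 0)
        MatchingKbs    = ($found -join ', ')
    }
}

$smb  = Get-Smb1State
$kb   = Test-Ms17010Hotfix

Write-Host "SMB1 server protocol enabled : $($smb.ServerSmb1Enabled)"
Write-Host "SMB1Protocol feature state   : $($smb.Smb1FeatureState)"
Write-Host "MS17-010 KB present          : $($kb.Ms17010KbFound) $($kb.MatchingKbs)"

if ($smb.ServerSmb1Enabled -and -not $kb.Ms17010KbFound) {
    Write-Warning "Host accepts SMB v1 and shows no MS17-010 KB: patch and disable SMB v1."
}

if ($DisableSmb1) {
    # Turn SMB v1 off on the server service and remove the optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Host "SMB v1 disabled; a reboot is required to complete feature removal."
}
```

Run it as `.\Audit-Smb1.ps1` to report only, or `.\Audit-Smb1.ps1 -DisableSmb1` to also turn SMB v1 off. Whether TCP 445 is reachable from the Internet cannot be judged from the host itself; check that at the perimeter firewall and in external scan results.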
Netskope detects all known variants of this ransomware worm as Trojan.Ransom.GoldenEye.
Unlike many ransomware families, this version of Petya encrypts not only individual files but also NTFS structures. Some of the known targeted file extensions include:
Indicators of Compromise
Some indicators of compromise (IOCs) that we have seen so far include the following:
Ransom Payment Information
Netskope recommends the following best practices for enterprises to protect against ransomware threats: