Petya: What you need to know

27 Jun 2017

Context has become aware of a new self-propagating variant of the “Petya” ransomware which spreads using the EternalBlue SMB exploit made famous by WannaCry.

Like WannaCry, this malware variant contains an embedded payload which is automatically extracted by Context’s malware configuration and payload extraction system, CAPE.

We have added a signature to CAPE to allow detection of the extracted payload, which can be seen in the following CAPE analysis: https://cape.contextis.com/analysis/1548

Our advice with this malware variant is the same as that for the earlier WannaCry outbreak. Read our blog post here: WannaCry: What you need to know

In addition to its ability to spread as a network worm, we believe the initial infection vector to be via email, so the usual advice about exercising caution when opening email attachments or links applies here. Please also upload any attachments you are suspicious of to our public CAPE instance: https://cape.contextis.com/submit, and keep an eye on further submissions for any other variants that we come across.

If you are interested in having your own instance of CAPE to help in the fight against malware, you may find it on Context’s GitHub at https://github.com/ctxis/CAPE

Keep an eye on our blog as we'll update it with more information in coming days.
