Context has become aware of a new self-propagating variant of the “Petya” ransomware which spreads using the EternalBlue SMB exploit made famous by WannaCry.
Like WannaCry, this malware variant contains an embedded payload which is automatically extracted by Context’s malware configuration and payload extraction system, CAPE.
We have added a signature to CAPE to allow detection of the extracted payload, which can be seen in the following CAPE analysis: https://cape.contextis.com/analysis/1548
Our advice with this malware variant is the same as that for the earlier WannaCry outbreak. Read our blog post here: WannaCry: What you need to know
In addition to its ability to spread as a network worm, we believe the initial infection vector to be via email. So the usual advice with regard to caution opening email attachments or links applies here. In addition, please upload attachments you may be suspicious of to our public CAPE instance: https://cape.contextis.com/submit, and keep an eye on further submissions for any other variants that we come across.
If you are interested in having your own instance of CAPE to help in the fight against malware, you may find it on Context’s github at https://github.com/ctxis/CAPE
Keep an eye on our blog as we'll update it with more information in coming days.