Sophos is aware of a new ransomware variant being seen in multiple countries today. Our investigation shows that this attack both encrypts files and the Master Boot Record (MBR) and can spread rapidly using several techniques, including the "EternalBlue" exploit of a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin. It can also spread by using a variant of the Microsoft PsExec tool in combination with admin credentials from the target computer.
Customers using Sophos Endpoint Protection are protected against all known variants of this ransomware. We first issued protection on June 27th at 13:50 UTC and have provided several updates since then to provide further protection against possible future variants.
In addition customers using Sophos Intercept X were proactively protected with no data encrypted, from the moment this new ransomware variant appeared. However customers may need to take further steps to reboot an infected computer.
What to do
Please ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 - Critical.
To further reduce the risk of the infection spread, Sophos Endpoint customers can ensure that Adware/Potentially Unwanted Applications (PUA) detection is enabled and that the"PsExec" tool is not authorized or excluded.
Sophos customers using Intercept X should ensure they have CryptoGuard and master boot record protection enabled as below.
Sophos Endpoint protection customers should ensure their computers are up to date and following best practices.
Sophos has issued protection against this threat:
| Threat Name | Sophos IDE | Protection Availability | |
| Publication Started | Publication Finished | ||
| Mal/Generic-S | LiveProtection | 2017-06-27 13:50 UTC | 2017-06-27 13:50 UTC |
| Troj/Ransom-EOB | rans-eob.ide | 2017-06-27 14:10:00 UTC | 2017-06-27 14:12:58 UTC |
| Troj/Petya-BF | petya-bh.ide | 2017-06-27 15:43 UTC | 2017-06-27 15:46 UTC |
| Troj/Petya-BH | petya-bh.ide | 2017-06-27 15:43 UTC | 2017-06-27 15:46 UTC |
| Troj/Petya-AP | petya-bh.ide | 2017-06-27 15:43 UTC | 2017-06-27 15:46 UTC |
| Troj/Petya-BG | petya-bh.ide | 2017-06-27 15:43 UTC | 2017-06-27 15:46 UTC |
| Troj/Petya-BI | petya-bi.ide | 2017-06-27 18:03 UTC | 2017-06-27 20:08 UTC |
| Troj/Petya-BK | petya-bk.ide | 2017-06-28 22:25 UTC | 2017-06-28 00:28 UTC |
| Troj/Ransom-EOC | miner-cp.ide | 2017-06-28 02:34 UTC | 2017-06-28 04:37 UTC |
| Mal/PetyaWr-A | recam-l.ide | 2017-06-28 08:00 UTC | 2017-06-28 10:03 UTC |
| Troj/Ransom-EOL | recam-l.ide | 2017-06-28 08:00 UTC | 2017-06-28 10:03 UTC |
| Troj/Petya-BL | petya-bl.ide | 2017-06-28 11:59 UTC | 2017-06-28 15:02 UTC |
Related information
Deconstructing Petya: how it spreads and how to fight back
Petya variants behind the global ransomware outbreak: here’s what we know so far
