Sophos is aware of a new ransomware variant being seen in multiple countries today. Our investigation shows that this attack encrypts both files and the Master Boot Record (MBR), and can spread rapidly using several techniques. These include the "EternalBlue" exploit of a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin. The ransomware can also spread by using a variant of the Microsoft PsExec tool in combination with admin credentials from the target computer.
Customers using Sophos Endpoint Protection and Server Protection are protected against all known variants of this ransomware. We first issued protection on June 27th at 13:50 UTC and have provided several updates since then to provide further protection against possible future variants. In addition, customers using Sophos Intercept X were proactively protected, with no data encrypted, from the moment this new ransomware variant appeared. However, customers may need to take further steps to reboot an infected computer.
Please ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 - Critical.
To further reduce the risk of the infection spreading, Sophos Endpoint customers can ensure that Adware/Potentially Unwanted Applications (PUA) detection is enabled and that the "PsExec" tool is not authorized or excluded.
Sophos customers using Intercept X should ensure they have CryptoGuard and master boot record protection enabled as below.
Sophos Endpoint/Server protection customers should ensure their computers are up to date and following best practices.
Sophos has issued protection against this threat:
Deconstructing Petya: how it spreads and how to fight back
Petya variants behind the global ransomware outbreak: here’s what we know so far