The grugq: PetyaWrap causing lots of havoc, making little profit
Dan Goodin at Ars Technica has the definitive report on the latest ransomware outbreak:
A new ransomware attack similar to last month’s self-replicating WCry outbreak is sweeping the world with at least 80 large companies infected, including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 12,000 computers, according to one security company.
If you haven’t seen the grugq’s technical analysis, it’s well worth a gander.
Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline.
Of course, you have nothing to worry about because you installed MS17-010 last month, right?
Vess Bontchev nudged me about the spreading mechanisms. At this point, we don’t really know how PetyaWrap spread, but once it infects one machine on a network, the MS17-010 patch doesn’t block it from moving from machine to machine within that same network. I have no idea how it spread so rapidly.
Microsoft has a security blog on the topic. It lists one of the spreading mechanisms and says that one is blocked by MS17-010 — but there are two other identified mechanisms.
We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
- Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as recommended previously
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
If you want to double down on your protection, you can also block PetyaWrap by creating a read-only file called c:\Windows\perfc. Full instructions on Bleeping Computer.
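As an added example (not code from this post, Microsoft's blog, or Bleeping Computer), here is a PowerShell audit script that checks the mitigations above on a single Windows host and, with `-Remediate`, applies them. The KB numbers, the firewall rule name, and the assumption that the host does not need to serve file shares are mine, not the page's.

```powershell
# Added example: audit (and optionally apply) the PetyaWrap mitigations on one host.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated prompt.
# MS17-010 KB numbers differ per OS release; the two below are the Windows 7 SP1 /
# Server 2008 R2 ones and are an assumption - verify them against the bulletin for
# your own build.
param([switch]$Remediate)

$Ms17010Kbs = @('KB4012212', 'KB4012215')   # assumption: adjust to your OS
$Vaccine    = Join-Path $env:SystemRoot 'perfc'

# 1. Is the MS17-010 fix present?
$hotfix = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue
if ($hotfix) { "MS17-010: installed ($($hotfix.HotFixID -join ', '))" }
else         { "MS17-010: none of $($Ms17010Kbs -join ', ') found - patch this host" }

# 2. Is SMBv1 still enabled on the server side?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    "SMBv1: enabled"
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        "SMBv1: disabled on the server side (a reboot may be needed)"
    }
} else { "SMBv1: disabled" }

# 3. Is inbound TCP/445 blocked by the host firewall?
$rule = Get-NetFirewallRule -DisplayName 'Block inbound SMB 445' -ErrorAction SilentlyContinue
if ($rule) { "Firewall: inbound block rule for TCP/445 present" }
elseif ($Remediate) {
    # Only appropriate on hosts that do not serve file shares themselves.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    "Firewall: created inbound block rule for TCP/445"
} else { "Firewall: no inbound block rule for TCP/445" }

# 4. The read-only C:\Windows\perfc "vaccine" described by Bleeping Computer.
if (Test-Path $Vaccine) {
    $ro = (Get-Item $Vaccine).IsReadOnly
    "perfc: present, read-only = $ro"
    if ($Remediate -and -not $ro) { (Get-Item $Vaccine).IsReadOnly = $true; "perfc: set read-only" }
} elseif ($Remediate) {
    New-Item -Path $Vaccine -ItemType File -Force | Out-Null
    (Get-Item $Vaccine).IsReadOnly = $true
    "perfc: created and set read-only"
} else { "perfc: not present" }
```

Run it without the switch first to see the current state; the perfc file is a stopgap for this one sample and is no substitute for the patch.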