A massive attack erupted today (June 27) worldwide, with a high concentration of hits in Ukraine – including the Ukrainian central bank, government offices and private companies.
While the malware used is yet undetermined, some researchers speculate that it is a variant of Petya, a ransomware that encrypts the entire hard drive rather than each file individually. Check Point analysis also shows involvement of Loki Bot for credential theft. Our analysis shows that the ransomware spreads laterally, exploiting SMB vulnerabilities.
Check Point is closely following the attack and we will keep this thread updated with any new facts as well as the following blog post: Global Ransomware Attack is Spreading Fast | Check Point Blog
Feel free to share any facts/observations in the discussion below.
Check Point customers using the following are protected:
- Check Point SandBlast, SandBlast Agent and Anti-Bot protect against Petya ransomware and Loki Bot
- Check Point IPS protects against the relevant SMB vulnerabilities
From the research lab:
- Infection chain for the Loki-Bot malware is: an RTF file downloads a corrupted XLS file that contains a malicious JS script, which in turn pulls an executable from another drop zone. The executable is Loki Bot.
- The Petya ransomware exploits an SMB vulnerability for lateral movement, which is a bit different from the exploit used in WannaCry. We will update with the specifics.
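Since the lateral movement described above shows up on the network as one host opening SMB sessions to many peers in a short time, a simple fan-out detector over connection logs is one way to spot an infected machine early. The code below is an added example for this thread, not Check Point's own tooling; the log format, the constructed sample lines and the thresholds (10 distinct peers on TCP/445 within 60 seconds) are assumptions.

```python
"""Flag hosts that fan out over SMB (TCP/445) to many distinct peers within a
short window, the network signature of worm-like lateral movement.
Log format, thresholds and sample data are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log (timestamp src dst dst_port), not real traffic:
    one host sweeping 12 peers on 445 within 12 seconds, one benign host with
    two SMB sessions minutes apart, and one unrelated HTTP connection."""
    lines = [f"2017-06-27T10:00:{i:02d} 10.0.1.15 10.0.1.{100 + i} 445"
             for i in range(12)]
    lines += ["2017-06-27T10:05:00 10.0.1.30 10.0.1.10 445",
              "2017-06-27T10:09:00 10.0.1.30 10.0.1.11 445",
              "2017-06-27T10:05:30 10.0.1.40 10.0.1.10 80"]
    return "\n".join(lines)


def parse_line(line):
    """Parse 'ISO-timestamp src dst port' into (datetime, src, dst, int port)."""
    ts, src, dst, port = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(port)


def smb_fanout_alerts(log_text, window=timedelta(seconds=60), min_peers=10):
    """Return {src: max_distinct_peers} for every source that contacted at
    least min_peers distinct hosts on port 445 inside any sliding window."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 445:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs chronological order
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) >= min_peers:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    print(smb_fanout_alerts(build_sample_log()))  # {'10.0.1.15': 12}
```

Tune `min_peers` and `window` to your environment, since file servers and vulnerability scanners legitimately open many SMB sessions and should be allow-listed rather than alerted on.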