We’re seeing relevant activity on our platform related to the new ransomware attack spreading across Europe and the US. In the past 24 hours, companies from multiple sectors have reported #NotPetya IoCs in the TruSTAR Community. If you’re interested in enrichment data, look no further.

[Figure: Timelapse of NotPetya IoCs reported on TruSTAR from March 2016 – Present]

Here’s what we know:

  • Security researchers believe this is a variant of Petya ransomware, but there still isn’t consensus in the research community. What has been confirmed is that this ransomware, just like WannaCry, uses the ETERNALBLUE tool, which exploits CVE-2017-0144 and was originally revealed in the ShadowBrokers April Wikileaks release.
  • This ransomware has affected a number of large enterprise and government operations across Europe (hospitals, supermarkets, banks), and there are reports of US companies also being impacted.

Here’s what we’re seeing on TruSTAR:

  • Petya is not new – the group behind it has essentially repurposed it, most likely based on the success of WannaCry. We have reports with Petya infrastructure IoCs dating back to late 2016.
  • The group behind Petya has taken a page out of the WannaCry playbook, and the TTPs are strikingly similar.

What you can do:

  • Immediately apply security patch MS17-010 and block or monitor incoming traffic on TCP port 445.
  • Log in to TruSTAR and search for Petya or NotPetya in the search bar. You can download IoCs from reports of the latest outbreak, as well as the ones we have been tracking since 2016.
  • We’re collecting more IoCs and relevant context by the minute. Submit reports and update them regularly to enhance contextual data.
  • Use our anonymous chat to collaborate with others investigating the attack.
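
For the first recommendation above (monitor incoming traffic on TCP port 445), here is an added example, not TruSTAR code: a Python review of iptables-style firewall log lines that lists sources outside the internal ranges opening connections to port 445, and sources that reach several distinct hosts on that port. The log lines are constructed, and the internal ranges and the threshold of 3 are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: RFC 1918 space is the internal address plan; adjust for your site.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FANOUT_THRESHOLD = 3  # assumption: distinct port-445 targets before a source is flagged
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines in iptables LOG style (not real traffic).
SAMPLE_LOG = """\
Jan 01 10:00:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=50211 DPT=445 SYN
Jan 01 10:00:02 gw kernel: IN=eth1 SRC=10.0.0.23 DST=10.0.0.5 PROTO=TCP SPT=49152 DPT=445 SYN
Jan 01 10:00:02 gw kernel: IN=eth1 SRC=10.0.0.23 DST=10.0.0.6 PROTO=TCP SPT=49153 DPT=445 SYN
Jan 01 10:00:03 gw kernel: IN=eth1 SRC=10.0.0.23 DST=10.0.0.7 PROTO=TCP SPT=49154 DPT=445 SYN
Jan 01 10:00:04 gw kernel: IN=eth1 SRC=10.0.0.40 DST=10.0.0.5 PROTO=TCP SPT=49200 DPT=445 SYN
Jan 01 10:00:05 gw kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=50212 DPT=443 SYN
Jan 01 10:00:06 gw kernel: IN=eth1 SRC=10.0.0.5 DST=10.0.0.40 PROTO=TCP SPT=445 DPT=49200 ACK SYN
Jan 01 10:00:07 gw kernel: IN=eth0 SRC=not-an-ip DST=10.0.0.5 PROTO=TCP SPT=1 DPT=445 SYN
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)

def review_smb(log_text, threshold=FANOUT_THRESHOLD):
    """Return (external_sources, fanout) for new TCP connections to port 445."""
    external, targets = set(), defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        flags = line.split()
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "445":
            continue
        if "SYN" not in flags or "ACK" in flags:
            continue  # count only connection attempts, not replies
        try:
            internal = is_internal(fields["SRC"])
            ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # skip malformed lines instead of aborting the review
        if not internal:
            external.add(fields["SRC"])
        targets[fields["SRC"]].add(fields["DST"])
    fanout = {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}
    return sorted(external), fanout

if __name__ == "__main__":
    ext, fan = review_smb(SAMPLE_LOG)
    print("External sources reaching TCP 445:", ext)
    print("Sources contacting many hosts on TCP 445:", fan)
```

External sources in the first list are candidates for a block rule; internal sources in the second list are hosts to check for the MS17-010 patch first.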

Don’t hesitate to reach out with questions or concerns to the TS Responder team. Log into TruSTAR now.
