29 June 2017

G DATA publishes the latest results of the Petna ransomware infection wave

An encryption Trojan is specifically targeting businesses and once again using an exploit developed by the US intelligence agency NSA.

The massive infection wave unleashed by the Petna ransomware, some of whose basic functions are very similar to those of the Petya ransomware, has claimed victims worldwide, and some large companies are among those affected. The G DATA analysts suspect a targeted attack on companies. The ransomware was initially spread through the update servers of an accounting software package that is widely used in Eastern Europe. Once it has entered a company environment, Petna spreads across the network using an exploit called Eternalblue, which was developed by the NSA and was already used by WannaCry. Administrator credentials are stolen and used to spread the malware further. The ransomware encrypts the entire file system and compromises the master boot record (MBR) of the system hard drive. Unlike WannaCry, the current version does not have a kill switch. G DATA security solutions protect against the current variant of the ransomware.

"The current wave of infection is very likely targeted at companies," explains Tim Berghoff, G DATA Security Evangelist. "According to what we know right now, a compromised update for an accounting software which is widely used in Eastern Europe is responsible for spreading the Petna ransomware. This means that it has hit a number of major companies that either operate in or have business relations with the region."

Criminals once again using NSA tools

WannaCry had already confirmed fears that criminals would use tools from the arsenal of a secret service for criminal purposes. The "Eternalblue" exploit is part of a collection of tools developed by the NSA and was leaked to the public in April by the hacking group "Shadow Brokers". "Eternalblue" exploits vulnerabilities in the Server Message Block (SMB) protocol of Windows operating systems, which Microsoft had already closed in March 2017.


The analysis by the G DATA security experts is ongoing, and the latest results are posted continuously on the G DATA Security Blog.