In the past few hours, multiple reports were published about a mass-scale cyber-attack taking place in Ukraine. The attack hit multiple government resources, as well as corporate, financial and critical infrastructure systems (Kyiv subway and airport, electricity and oil companies, etc.).
Attacks on European targets were reported as well, including in Spain and France.
The majority of the initial reports pointed to a variant of the already known (since 2016) Petya ransomware (detected as Petya.A).
It was recommended to close the following TCP ports: 1024-1035, 135 and 445 (according to a Russian security company).
The distribution method is still unknown; however, reports from Payload Security claim that the SMB EternalBlue exploit is involved.
There were also reports regarding spreading via social engineering (malicious email messages).
Other distribution methods are possible as well.
The affected file types appear in the figure below:
Update June 27, 2017 – 20:10 CET
Update June 27, 2017 – 20:17 CET
Recommendations based on the details of the attack known so far:
· DO NOT PAY THE RANSOM. The files will not be decrypted, because the attackers' email account no longer exists.
· DO NOT RESTART INFECTED MACHINES, since the Petya malware damages the MBR used in the boot process. Instead, disconnect them from the network and use the hibernate option.
· Disable SMBv1
· Update anti-virus signatures with the hashes from the attached IOCs file:
o myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
o BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
· Block source E-mail address: wowsmith123456@posteo[.]net
· Block IPs:
· Block domains:
More indicators can be found in this ongoing GitHub thread.
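As an added example (not part of the SenseCy post or its attached IOCs file), the following PowerShell script applies the recommendations above from the defender's side: it sweeps given paths for files whose SHA-256 matches the two hashes listed, disables the SMBv1 server protocol and optional feature, and adds inbound firewall rules for the TCP ports named earlier (1024-1035, 135, 445). It assumes Windows 8.1 / Server 2012 R2 or later (SmbShare and NetSecurity modules present), an elevated session, and that the scan paths you pass are the ones worth sweeping; the function names are my own.

```powershell
# Added example (not the SenseCy post's own code). Assumes an elevated PowerShell
# session on Windows 8.1 / Server 2012 R2 or later with the SmbShare and
# NetSecurity modules available.

# SHA-256 IoCs quoted from the post (myguy.xls, BCA9D6.exe).
$IocHashes = @{
    'EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6' = 'myguy.xls'
    '17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD' = 'BCA9D6.exe'
}

# TCP ports the post recommends closing.
$BlockPorts = @('1024-1035', '135', '445')

function Find-IocFiles {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [hashtable] $Hashes = $IocHashes
    )
    # Hash every file under the given roots and emit those matching a known IoC.
    # Hashtable keys are case-insensitive, so Get-FileHash's upper-case output matches.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $Hashes.ContainsKey($h)) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Sha256  = $h
                    IocName = $Hashes[$h]
                }
            }
        }
}

function Get-Smb1Status {
    # $true means the SMBv1 server protocol is still enabled on this host.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    param([switch] $DryRun)
    if ($DryRun) { Write-Host 'Would disable the SMBv1 server protocol and feature'; return }
    # Server side: stop accepting SMBv1 sessions immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional component as well. -NoRestart matters here: the post says
    # not to reboot a machine that may already be infected (hibernate instead).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-PetyaPorts {
    param([switch] $DryRun)
    foreach ($p in $BlockPorts) {
        $name = "Block inbound TCP $p (Petya response)"
        # Idempotent: skip rules that already exist.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        if ($DryRun) { Write-Host "Would create firewall rule: $name"; continue }
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $p -Action Block -Profile Any | Out-Null
    }
}

# Usage (scan paths are an assumption; adjust to your environment):
#   Find-IocFiles -Path 'C:\Users', 'C:\Windows\Temp' | Format-Table
#   Get-Smb1Status
#   Disable-Smb1 -DryRun; Block-PetyaPorts -DryRun    # preview only
#   Disable-Smb1; Block-PetyaPorts                    # apply
```

Run the two hardening functions with -DryRun first to see what would change; the firewall rules block inbound traffic only, so outbound SMB from the host is unaffected. A hash sweep like Find-IocFiles only catches the exact samples listed, so treat a clean result as "these two files are absent", not as proof the host is uninfected.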
Update June 28, 2017 – 7:24 CET:
According to WolfStreet, these are among the companies that reported having been hit:
Russian steelmaker Evraz
The International Airport in Kiev, Ukraine
Ukraine’s state power producer, a media company, and other firms
Deutsche Post’s Ukrainian operations of Express
Metro’s wholesale stores in Ukraine
TNT Express, the Netherlands-based shipping company (a division of FedEx)
UK-based WPP, the world’s largest advertising agency
Heritage Valley Health System, USA
Merck & Co, US pharmaceutical company
French construction materials company Saint Gobain
Royal Canin pet food division of US-based Mars Inc.
US snack company Mondelez International
India-based operations of German personal-care company Beiersdorf
India-based operations of UK consumer goods company Reckitt Benckiser
An unnamed international company in Norway
SenseCy expert analysts are in close contact with our customers globally and will continue to monitor developments on this issue. At this stage, many details are still unclear. We strive to bring concrete intelligence to our customers in near-real-time, but at the same time we are still very carefully analyzing massive amounts of information on this issue to filter out a large amount of disinformation.
Updates will follow here on the SenseCy Blog as well.