AnsweredAssumed Answered

WannaCry and Petya Variants

Question asked by Zeek Muratovic on Jul 3, 2017

There have been a few emails sent to me from clients asking how to approach detection and remediation for WannaCry and Petya. Since both of these are essentially both act ransomware a little differently there is a common fix for both.

 

I hope the difference described between these two here will save some time in remediation efforts and tracking.

Since SMB is the common Vulnerability between both, patching efforts and priorities should be focused on that. 

 

Operating System: 

Windows OS

 

Vulnerability & Exploit:

Vulnerability in Server Message Block (SMB) and EternalBlue as exploit. 

 

Malware Execution:

WannaCry has to connect live to a c&c where Petya executes offline. '

 

Lateral Movement:

Wannacry - via SMB Wormholes

Petya - via SMB Wormholes via credential theft via psexec & wmic services. 

 

Intent:

Assymetric RSA-2048 encryption of data.

 

Impact:

WannaCry: Data is held for ransom

Petya: Portrayed as ransomware but the data is being destroyed.

 

 

Outcomes