A new ransomware outbreak, initially called “Petya” and spreading in a worm-like fashion similar to WannaCry, was observed on June 27, 2017. The malware spread quickly and affected organizations in Europe and the US. It was first thought to be a variant of the Petya family, but researchers determined that it differs substantially from the earlier Petya samples, and it has since been renamed “NotPetya”.
NotPetya does not depend on the EternalBlue SMB vulnerability to spread across a network. Although it can use that exploit, a single infected host is enough for it to reach other connected systems: it harvests credentials from the compromised machine and uses them to execute itself remotely over SMB with PsExec-style and WMI commands, so any system on which those credentials are valid can be infected. Unlike with WannaCry, therefore, patching SMB (MS17-010) and disabling SMBv1 will not by itself prevent the spread; limiting the reach of administrative credentials and lateral-movement paths matters just as much.
Detection of compromise
A LogPoint administrator can search the collected logs for the following indicators of compromise.
1. Check file integrity. The file hashes listed below are possible indicators of compromise:
2. If command-line logging is available (for example, process creation auditing with the command line included, or Sysmon process-creation events), search for the commands listed below.
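As an added example, not part of the original LogPoint page, the following Python script applies the two checks above to constructed log data: it matches command lines against the propagation and anti-forensics behaviour that public NotPetya analyses documented (rundll32 loading C:\Windows\perfc.dat by ordinal #1, remote execution through wmic and a renamed PsExec, a scheduled forced reboot, and wevtutil/fsutil log wiping), and compares file hashes against a set the administrator supplies. The pipe-delimited event format, the host names, IP addresses, the regexes and the dummy payload hash are assumptions made for the example; real hashes should come from the page's list or a threat-intelligence feed.

```python
"""Detect NotPetya-style activity in process-creation logs (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Command-line patterns for behaviour documented in public NotPetya analyses.
# The regexes are this example's own and should be tuned to your log
# normalisation; they are deliberately loose about paths and quoting.
CMDLINE_RULES = [
    ("rundll32 loading perfc.dat by ordinal #1",
     re.compile(r"rundll32(\.exe)?\b.*\bperfc(\.dat)?\b.*#1", re.I)),
    ("remote process creation via wmic with rundll32 payload",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create.*rundll32", re.I)),
    ("PsExec-style remote execution of rundll32 (PsExec dropped as dllhost.dat)",
     re.compile(r"\b(psexec|dllhost\.dat)\b.*-accepteula.*rundll32", re.I)),
    ("scheduled forced reboot via schtasks",
     re.compile(r"\bschtasks\b.*/create.*shutdown(\.exe)?\s+/r", re.I)),
    ("event log clearing with wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(setup|system|security|application)", re.I)),
    ("USN journal deletion with fsutil",
     re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal", re.I)),
]

# Constructed process-creation records (assumed export format: ts|host|user|cmdline).
# Hosts, users and addresses are made up; the command lines mirror published ones.
SAMPLE_EVENTS = [
    r'2017-06-27T10:15:03Z|WS01|NT AUTHORITY\SYSTEM|C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60',
    r'2017-06-27T10:15:07Z|WS01|CORP\admin|wmic /node:"10.0.0.23" /user:"CORP\admin" /password:"Hunter2!" process call create "C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60"',
    r'2017-06-27T10:15:09Z|WS01|NT AUTHORITY\SYSTEM|C:\Windows\dllhost.dat \\10.0.0.24 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60',
    r'2017-06-27T10:15:12Z|WS01|NT AUTHORITY\SYSTEM|schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:15',
    r'2017-06-27T10:15:14Z|WS01|NT AUTHORITY\SYSTEM|wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:',
    # benign activity that must not fire
    r'2017-06-27T10:16:00Z|WS02|CORP\jdoe|C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'2017-06-27T10:16:05Z|WS02|CORP\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n',
]


@dataclass
class ProcEvent:
    ts: str
    host: str
    user: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Split one record; the command line is the last field and may contain '|'."""
    ts, host, user, cmdline = line.split("|", 3)
    return ProcEvent(ts, host, user, cmdline)


def match_cmdline(cmdline: str) -> List[str]:
    """Return the names of every rule the command line triggers, in rule order."""
    return [name for name, rx in CMDLINE_RULES if rx.search(cmdline)]


def scan_events(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, host, triggered rules) for each suspicious event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        names = match_cmdline(ev.cmdline)
        if names:
            hits.append((ev.ts, ev.host, names))
    return hits


def check_hashes(files: Dict[str, bytes], known_bad_sha256: Set[str]) -> List[str]:
    """Return the names of files whose SHA-256 appears in the IOC set."""
    return [name for name, data in files.items()
            if hashlib.sha256(data).hexdigest() in known_bad_sha256]


# Constructed stand-in for the page's hash list: the digest of a dummy blob,
# computed here rather than copied from anywhere. Load real IOC hashes instead.
DEMO_PAYLOAD = b"constructed dummy payload, not malware"
DEMO_IOC_SHA256 = {hashlib.sha256(DEMO_PAYLOAD).hexdigest()}


if __name__ == "__main__":
    for ts, host, names in scan_events(SAMPLE_EVENTS):
        print(f"{ts} {host}: {', '.join(names)}")
    print("hash hits:", check_hashes({"perfc.dat": DEMO_PAYLOAD}, DEMO_IOC_SHA256))
```

The schtasks and wevtutil rules also fire on legitimate administration, so treat them as weak signals and look for the cluster: in the sample data all five hits land on WS01 within eleven seconds, which is the pattern worth alerting on. Command lines are only available if process-creation auditing is configured to record them (or Sysmon is deployed); note also that the wmic event carries a plaintext password, so the resulting log data itself needs protecting.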