According to thehackernews.com, Petya (similar to WannaCry) is a ransomware that infected 300,000 systems and servers in 72 hours using a Windows SMBv1 vulnerability. Across Europe and Asia, Petya is demanding $300 worth of bitcoins as ransom per victim.
“SecurView is treating this outbreak as a major security concern and recommends taking proactive steps to fight against this outbreak,” says SecurView’s Support Team.
SecurView’s Support Team also says, “We are monitoring all logs that have been connecting with known malicious IPs, related behavior, and known ransomware hashes which are available via global intel.”

The Method of the Malware:

Petya reboots the infected victim’s computer and then encrypts the master file table (MFT) (thehackernews.com). Full access is restricted for the victim while the Master Boot Record (MBR) is inoperable. Petya then displays a ransom note on screen, preventing normal boot-up.

Risk Assessment:

Petya can infiltrate systems through the same backdoor methods as WannaCry: the ransomware uses the SMBv1 EternalBlue exploit on Windows systems that have not been patched (thehackernews.com).
According to malwarebytes.com, the 32-bit PE file ransomware typically hides in .ZIP files served from a Dropbox link, often found in scam e-mails disguised as job applications.
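Because the infiltration vector above is unpatched SMBv1, the proactive step a defender would take first is to audit each Windows host for that protocol. The following PowerShell script is an added example (not SecurView’s or The Hacker News’ code); it assumes Windows 8.1/Server 2012 R2 or later with the SmbShare module, an elevated session, and that the MS17-010 KB number for the host’s OS build is filled in where the placeholder sits.

```powershell
# Added example: audit (and, only on request, disable) the SMBv1 server protocol
# that the EternalBlue exploit relies on. Assumes an elevated PowerShell session
# on Windows 8.1 / Server 2012 R2 or later; the feature name and KB id are assumptions.
param([switch]$Remediate)

# 1. Is the SMBv1 server protocol currently enabled on this host?
$smb = Get-SmbServerConfiguration
Write-Host ("SMBv1 server protocol enabled: {0}" -f $smb.EnableSMB1Protocol)

# 2. Is the SMB1 optional feature still installed? (SMB1Protocol is the client
#    feature name; Server editions expose it through Get-WindowsFeature instead.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host ("SMB1Protocol feature state: {0}" -f $feature.State) }

# 3. Confirm the MS17-010 update is installed. KB numbers differ per OS build,
#    so the id below is a placeholder to be replaced from the vendor bulletin.
$kb = 'KB_PLACEHOLDER_FOR_MS17-010'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Host "$kb present"
} else {
    Write-Warning "$kb not found; verify MS17-010 status for this build"
}

# 4. Remediate only when explicitly asked: disabling SMBv1 breaks legacy clients,
#    so the change is opt-in rather than automatic.
if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol disabled."
}
```

Run without `-Remediate` to report only; rerun with the switch once legacy SMBv1 dependencies have been ruled out.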

According to thehackernews.com, this particular version of Petya is designed to intentionally damage systems rather than actually collect money from its ransomware victims. For this new version, victims who obtain decryption keys after paying a ransom still will not be able to boot their computers, which makes this attack even more dangerous.

A list of compromised or at-risk indicators (C&C domains, IPs, and e-mail addresses):

C&C Centers


Known CnC IPs:


Known E-mail addresses:


For more information, please contact sales@securview.com.