SANS ISC: SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Sent from a reader earlier today:

• Hearing some rumors that the company Merck is having a major virus outbreak with something new and their Europe networks are affected more than their US offices.  Have you heard anything on this?

A quick check reveals that, apparently, another global ransomware attack is making the rounds today.

• Forbes: Another Massive Ransomware Outbreak Is Going Global Fast (2017-06-27 14:44 UTC)
• International Business Times: It's happening again: Huge ransomware attack on computer systems 'spreading worldwide' (updated 2017-06-27 14:23 UTC)
• The Verge: A new ransomware attack is devastating airlines, banks, and utilities across Europe (2017-06-27 14:01 UTC)

Initial reports indicate this is much like last month's WannaCry attack.  According to the Verge article, today's ransomware appears to be a new Petya variant called Petyawrap.  At this point, we see plenty of speculation on how the ransomware is spreading (everything from email to an EternalBlue-style SMB exploit), but nothing has been confirmed yet for the initial infection vector.

Alleged samples of this ransomware include the following SHA256 hashes:

• 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
• 8143d7d370015ccebcdaafce3f399156ffdf045ac8bedcc67bdffb1507be0b58

AlienVault Open Threat Exchange (OTX) is currently tracking this threat at:

• https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/

We'll provide more information as it becomes available.