This second large-scale corporate ransomware outbreak is not as widespread as the WannaCry attack in May, since many firms have since patched. The ransomware itself, however, is considerably more sophisticated, and researchers are still evaluating the attacks across Europe.

http://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD

https://isc.sans.edu/diary/Checking+out+the+new+Petya+variant/22562

https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/

This is a follow-up to our previous diary about today’s ransomware attacks using the new Petya variant:

* Several hundred more tweets about today’s attack can be found on Twitter under #petya.
* The new Petya variant appears to use the EternalBlue exploit for MS17-010 to propagate over SMB.
* Others claim the new variant also uses WMIC to propagate.
* There is still no official word on the initial infection vector in today’s attacks.
* Many observers note that today’s activity resembles last month’s WannaCry ransomware outbreak.

The main culprit behind this attack is a new version of Petya, a ransomware that encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that displays a ransom note and prevents the machine from booting. This makes Petya more disruptive than ordinary file-encrypting strains: it forces a reboot and leaves the system unusable altogether.
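As an added example (not code from the original page or from the articles it links), here is a small Python check a responder can run against the first sector of a disk image to see whether the boot code has been replaced, which is what a bootlocker like the one described above does. It parses the classic MBR layout, verifies the 0x55AA boot signature, hashes the 440-byte boot-code region and compares it, together with the partition table and disk signature, to a baseline copy of the MBR captured earlier from the same host while it was known to be clean. The baseline, the sample sectors and the placeholder boot-code bytes below are constructed for demonstration and are not Petya data; the function and variable names are my own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # classic MBR: boot code occupies bytes 0..439
DISK_SIG_OFF = 440       # 4-byte Windows disk signature (bytes 444..445 usually zero)
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 0x55 0xAA close the sector
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, LBA length


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the fields the check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        status, ptype, lba_start, lba_len = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype,
                      "lba_start": lba_start, "lba_len": lba_len})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_sig": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        # little-endian read of bytes 55 AA yields 0xAA55
        "boot_sig": struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0],
    }


def check_mbr(current: bytes, baseline: bytes) -> list:
    """Compare the current first sector against a known-good baseline.

    Returns a list of findings; an empty list means the sector matches.
    """
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_sig"] != 0xAA55:
        findings.append("0x55AA boot signature missing: sector is not a valid MBR")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline: bootloader has been replaced")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    if cur["disk_sig"] != base["disk_sig"]:
        findings.append("disk signature differs from baseline: is this the same disk?")
    return findings


def read_first_sector(path: str) -> bytes:
    """Read the MBR from a raw device or image, e.g. r"\\\\.\\PhysicalDrive0" on
    Windows (run as administrator) or /dev/sda on Linux, or a .dd image file."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code, one active NTFS partition,
    a fixed disk signature and the 0x55AA closing bytes. Demonstration data only."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long for a classic MBR")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    # entry 0: bootable (0x80), type 0x07 (NTFS), starts at LBA 2048, 1,000,000 sectors
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Placeholder boot-code bytes, constructed here; not real bootloader or Petya code.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
OVERWRITTEN_BOOT_CODE = b"\xfa\x31\xc0\x8e\xd8" + b"\xcc" * 40

BASELINE_MBR = build_sample_mbr(CLEAN_BOOT_CODE)   # "captured while the host was clean"
SUSPECT_MBR = build_sample_mbr(OVERWRITTEN_BOOT_CODE)  # "imaged after the outbreak"

if __name__ == "__main__":
    for label, sector in (("baseline", BASELINE_MBR), ("suspect", SUSPECT_MBR)):
        findings = check_mbr(sector, BASELINE_MBR)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

In practice the baseline is the part that matters: capture the first sector of each fleet image while it is known good and store the boot-code hash centrally, since without it a changed bootloader is indistinguishable from a legitimate one. A positive finding says only that the boot code was replaced; it says nothing about whether the MFT has already been encrypted, so image the disk before attempting any repair rather than rebooting the machine.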

Petya appears to be spread via spam email carrying booby-trapped Office documents. These documents exploit CVE-2017-0199, an Office RTF vulnerability, to download and run the Petya installer, which then launches the SMB worm component and spreads to other computers on the same network. A second, also unconfirmed, theory is that Petya is spreading via a malicious update to the MEDOC accounting software, which is very popular in Ukraine.