McAfee Labs provided a good update late yesterday on the nature of the Petya ransomware and how it is “spreading like wildfire” around the globe.
The update includes a breakdown of the clients with the greatest number of detections and a diagram of the event flow after infection.
McAfee further notes that Petya is “more precise” than WannaCry (which tries to infect every IP on the network): it first checks whether the infected system is a workstation or a domain controller.
The attack also generates less network traffic than its ransomware predecessors. If it finds a domain controller, the malware queries its DHCP service for the list of IP addresses it serves, then attacks those systems with the EternalBlue exploit to spread to other machines.
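The propagation pattern above has a network-side signature defenders can look for: one host reaching many distinct peers on TCP/445 in a short window. The following detector, written for this post and not part of the McAfee update, runs that check over constructed flow records; the threshold and window are assumptions, kept low because Petya's targeted spread is narrower than a WannaCry-style subnet sweep.

```python
"""Added example: flag a host that opens TCP/445 connections to many distinct
peers in a short window, the network signature of the EternalBlue spread
described above. Threshold and window are assumptions, not McAfee's figures."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp src dst dport". 10.0.0.5 fans out
# to five peers on 445 within seconds; 10.0.0.9 makes ordinary connections.
SAMPLE_FLOWS = """\
2017-06-27T10:00:01 10.0.0.5 10.0.0.21 445
2017-06-27T10:00:02 10.0.0.5 10.0.0.22 445
2017-06-27T10:00:02 10.0.0.9 10.0.0.2 53
2017-06-27T10:00:04 10.0.0.5 10.0.0.23 445
2017-06-27T10:00:05 10.0.0.5 10.0.0.24 445
2017-06-27T10:00:07 10.0.0.5 10.0.0.25 445
2017-06-27T10:00:30 10.0.0.9 10.0.0.7 445
2017-06-27T10:09:00 10.0.0.9 10.0.0.8 445
"""

def parse_flows(text):
    """Yield (time, src, dst, dport) from the whitespace-separated format above."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def smb_fanout_sources(flows, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: set of dsts} for every source that reaches at least
    min_targets distinct hosts on TCP/445 within one sliding window.
    Petya's spread is narrower than a WannaCry-style subnet sweep, so the
    threshold is kept low; tune it against your own baseline."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = targets
                break
    return hits
```

Feed it real connection logs (firewall, NetFlow, Zeek conn.log) converted to the same four fields and alert on any source it returns.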
Another reminder to patch your Windows PCs if you haven’t already, including MS17-010 from Microsoft’s March security update, which addresses the SMBv1 vulnerability.