Summary: On June 27, 2017 reports of a ransomware infection began spreading across Europe. The first infections were seen in Ukraine, where more than 12,500 machines encountered the threat. Observations lateron indicated infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.
The new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on industry investigations, this new ransomware shares similar codes and is a new variant of Ransom:Win32/Petya. This new strain of ransomware, however, is more sophisticated.
Impact and Products Affected: It is very important to note that Barracuda NextGen Firewalls successfully block this attack:
- IPS: Detection of the used exploit (IPS signature ID 1133713 ) is included since May 18, 2017 with IPS signature database version 6.630 or later.
- Anti-Virus: The Barracuda Malware Protection covers the Petya ransomware variants with signature version 184.108.40.206 (released on June 27, 2017).
- Advanced Threat Protection: The Barracuda Advanced Threat Protection with Sandboxing returns a 100% “maliciousness” score.
We strongly advise all customers to take the following steps:
- Make sure your systems are patched. Microsoft issued Security Bulletin MS17-010 – Critical Security Update for Microsoft Windows SMB Server (4013389) patch on March 14. Any unpatched systems are at risk. Microsoft issued an emergency patch on May 12 (KB4012598) for additional versions of Windows, including XP and Windows 2003.
- Make sure that the Barracuda NextGen Firewall Anti-Virus and IPS inspection engines are enabled in order to prevent the ransomware from being downloaded.