PetyaWrap Vulnerability – June 27th, 2017 – 12:40 PT

PetyaWrap, a variant of Petya, is the latest worldwide ransomware outbreak. It has affected Europe significantly, including large corporations such as Merck and Maersk. The ransomware can spread using the same Windows SMBv1 vulnerability as the recent WannaCry attack. There are no additional patches beyond those that were already released for WannaCry.

The ransomware reboots the computer, encrypts the MFT (Master File Table), overwrites the MBR (Master Boot Record), and then displays a ransom note and prevents the computer from booting.

Severity

  • Critical

CVE

  • MS17-010
  • CVE-2017-0143
  • CVE-2017-0144
  • CVE-2017-0145
  • CVE-2017-0146
  • CVE-2017-0147
  • CVE-2017-0148

Impacted Operating Systems

  • Windows Vista Service Pack 2 (4012598)
  • Windows Vista x64 Edition Service Pack 2 (4012598)
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (4012598)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (4012598)
  • Windows Server 2008 for Itanium-based Systems Service Pack 2 (4012598)
  • Windows 7 for 32-bit Systems Service Pack 1 (4012212) Security Only[1]
  • Windows 7 for 32-bit Systems Service Pack 1 (4012215) Monthly Rollup[1]
  • Windows 7 for x64-based Systems Service Pack 1 (4012212) Security Only[1]
  • Windows 7 for x64-based Systems Service Pack 1 (4012215) Monthly Rollup[1]
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (4012212) Security Only[1]
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (4012212) Security Only[1]
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (4012212) Security Only[1]
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (4012215) Monthly Rollup[1]
  • Windows 8.1 for 32-bit Systems (4012213) Security Only[1]
  • Windows 8.1 for 32-bit Systems (4012216) Monthly Rollup[1]
  • Windows 8.1 for x64-based Systems (4012216) Monthly Rollup[1]
  • Windows Server 2012 (4012214) Security Only[1]
  • Windows Server 2012 (4012217) Monthly Rollup[1]
  • Windows Server 2012 R2 (4012213) Security Only[1]
  • Windows Server 2012 R2 (4012216) Monthly Rollup[1]
  • Windows RT 8.1[2] (4012216) Monthly Rollup
  • Windows 10 for 32-bit Systems [3] (4012606)
  • Windows 10 for x64-based Systems [3] (4012606)
  • Windows 10 Version 1511 for 32-bit Systems [3] (4013198)
  • Windows 10 Version 1511 for x64-based Systems [3] (4013198)
  • Windows 10 Version 1607 for 32-bit Systems [3] (4013429)
  • Windows 10 Version 1607 for x64-based Systems [3] (4013429)
  • Windows Server 2016 for x64-based Systems [3] (4013429)
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (4012598)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (4012598)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (4012212) Security Only[1]
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (4012215) Monthly Rollup[1]
  • Windows Server 2012 (Server Core installation) (4012214) Security Only[1]
  • Windows Server 2012 (Server Core installation) (4012217) Monthly Rollup[1]
  • Windows Server 2012 R2 (Server Core installation) (4012213) Security Only[1]
  • Windows Server 2012 R2 (Server Core installation) (4012216) Monthly Rollup[1]
  • Windows Server 2016 for x64-based Systems [3] (Server Core installation) (4013429)

Recommended Actions

  • Please apply the latest security updates and patches for MS17-010 immediately.
  • Sophos can detect the version of the ransomware that has been analyzed; however, a number of other variants may exist.
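
One way to check hosts against the update list above, as an added example that is not part of the original advisory. It uses the KB numbers from the Impacted Operating Systems list; the function name Test-Ms17010Patch is hypothetical, and it assumes Windows PowerShell 3.0 or later and that later cumulative updates may supersede these KBs, so a miss means "verify manually" rather than "vulnerable".

```powershell
# Added example: report whether any MS17-010 update listed in this advisory
# is installed. KB numbers are copied from the Impacted Operating Systems list.
# Assumption: later rollups and cumulative updates can supersede these KBs,
# so "not found" is a prompt to verify the patch level, not proof of exposure.
$Ms17010Kbs = @(
    'KB4012598',               # Vista SP2, Server 2008 SP2
    'KB4012212', 'KB4012215',  # Windows 7 SP1, Server 2008 R2 SP1
    'KB4012213', 'KB4012216',  # Windows 8.1, Server 2012 R2, RT 8.1
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606',               # Windows 10 (initial release)
    'KB4013198',               # Windows 10 Version 1511
    'KB4013429'                # Windows 10 Version 1607, Server 2016
)

function Test-Ms17010Patch {   # hypothetical helper name
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        try {
            # Enumerate every installed update, then intersect with the list.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID)
            $found = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
            $status = if ($found.Count -gt 0) { 'Listed KB found' }
                      else { 'Listed KB not found - verify manually' }
            [pscustomobject]@{
                ComputerName = $computer
                Status       = $status
                MatchingKBs  = $found -join ', '
            }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not skipped.
            [pscustomobject]@{
                ComputerName = $computer
                Status       = "Query failed: $($_.Exception.Message)"
                MatchingKBs  = ''
            }
        }
    }
}

# Check the local machine; pass -ComputerName to check remote hosts.
Test-Ms17010Patch | Format-Table -AutoSize
```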

More Information

https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx