Following closely on the heels of WannaCry, a new ransomware variant known as Petya began sweeping across the globe, impacting a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems. FortiGuard Labs sees this as much more than a new version of ransomware. Rather, it is representative of a new wave of multi-vector ransomware attacks that Fortinet is calling “ransomworm”, which takes advantage of multiple, timely exploits. In doing so, a ransomworm is designed to move swiftly across multiple systems on its own, rather than staying in one place or requiring end-user action.
And rather than focusing on a single organization, this type of attack uses a broad-brush approach that targets any device it can find with one or more of the target vulnerabilities to exploit. In this case, it appears that the attack can start with the distribution of an Excel document that exploits a known Microsoft Office vulnerability. However, because additional attack vectors were used (such as delivery via the Windows Management Instrumentation command-line tool, WMIC), patching alone is inadequate to completely stop this ransomworm, which means that patching needs to be combined with good security tools and practices.
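The WMIC propagation path mentioned above is visible in ordinary process-creation telemetry on both ends: on the source host as wmic.exe invoked with a remote /node: and "process call create", and on the target host as a new process whose parent is the WMI provider host, WmiPrvSE.exe. The following is an added detection example, not Fortinet's code or anything from the original article; the Sysmon-style event records, host names and command lines are constructed for illustration and generalize the single WMIC case the text names to both sides of the exchange.

```python
import re

# Constructed Sysmon-style process-creation records; hosts, users and
# command lines are invented for this example, not from any real incident.
SAMPLE_EVENTS = [
    # Source side: WMIC told to start a process on another machine.
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic /node:"10.0.0.23" /user:"CORP\\svc_acct" process call create "cmd.exe /c example"'},
    # Target side: the process that the WMI provider host spawned.
    {"host": "WS23", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "cmd.exe /c example"},
    # Benign: local inventory query, no /node: at all.
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic os get caption,version"},
    # Benign: remote query that only reads data, no process creation.
    {"host": "ADMIN01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic /node:"WS07" os get lastbootuptime'},
]

REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)
PROC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)


def classify(event):
    """Return a detection tag for one process-creation event, or None."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    # Source host: wmic.exe asked to create a process on a remote node.
    if image.endswith("wmic.exe") and REMOTE_NODE.search(cmd) and PROC_CREATE.search(cmd):
        return "wmic-remote-process-create"
    # Target host: a child of WmiPrvSE.exe (legitimate remote admin also
    # produces these, so allowlist known management tooling in production).
    if parent.endswith("wmiprvse.exe") and not image.endswith("wmiprvse.exe"):
        return "wmi-spawned-process"
    return None


def scan(events):
    """Return (host, tag, cmdline) for every event that matches a rule."""
    return [(ev["host"], tag, ev["cmdline"])
            for ev in events if (tag := classify(ev))]


if __name__ == "__main__":
    for host, tag, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}: {tag}: {cmd}")
```

Correlating the two tags across hosts within a short window (source wmic.exe on WS01, WmiPrvSE.exe child on the named node) is what turns these single-event signals into evidence of worm-like lateral movement rather than routine administration.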