ESET Customer Advisory 2017-0012
June 27, 2017
This advisory is to warn users of the new threat Diskcoder.C. This ransomware appears to be a version of Petya. If it successfully infects the main boot record (MBR) of a computer, it will encrypt the entire drive on which that MBR is located. When the infection does not affect an MBR, it will still encrypt all files similar to the Mischa malware.
This infection spreads using a combination of the SMB exploit (EternalBlue) used by WannaCryptor to gain network access, it then spreads across the network using PsExec. ESET products with network detection block EternalBlue, and ESET provides free instructions to check your system for the EternalBlue and update Windows to mitigate this this exploit.
This dangerous combination is one possible reason this outbreak has spread globally so rapidly, even after the previous outbreaks have generated media headlines and encouraged users to patch their systems. An infection like this can compromise an entire network if a single machine is left unpatched by gaining administrative rights that allow it to spread to other machines.
ESET researchers have located the origin of this global epidemic. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions.
A trojanized update of M.E.Doc allowed attackers to launch the massive ransomware campaign that spread across Ukraine and then to targets in other nations.