Akamai is aware of and is tracking the malware threat known as "Petya". Petya is ransomware spread using several methods, including PSexec, Windows Management Instrumentation Command-line (WMIC), and the EternalBlue exploit used by the WannaCry family of ransomware. The malware spreads via port 139 and 445; it probes IP addresses on the local subnet for vulnerable systems.
When Petya infects a machine, it encrypts the Master File Table (MFT), rendering the Master Boot Record (MBR) unreadable, and displays a ransom message asking for 300 USD in bitcoins to release the decryption key. This malware currently attacks all Windows systems. It is important to note the contact email address the malware provides has been blocked by the provider. There is no way to communicate with the owners of the malware, so victims should not pay the ransom.
Akamai's platform security department is aware of this threat and is closely monitoring all Akamai assets. Due to the nature of the Akamai platform, the infection vectors used by Petya will not be transmitted through our web acceleration or web security networks to customer networks. The ports used by the malware are dropped at the ingress points. Within customer networks, current Akamai products will not have visibility into the lateral spread or infection methods used by Petya.
Our recommendation is for customers to:
- Verify that systems are fully patched (MS17-010 and CVE 2017-0199 apply to this threat)
- Backup all critical systems
- Disable SMBv1 on all machines. This is the primary methods of infection used by the Petya malware.
- Continue to work with security vendors, local ISACs and other security partners to gather as much information as possible.