Petya-like Ransomware Explained & Recommended Actions

A ransomware attack that appears to use a strain from the Petya family surfaced in Eastern Europe and quickly went global. Incident detection and response teams around the world promptly linked this Petya-like ransomware to the same EternalBlue exploit that the WannaCry ransomware used.

[BLOG] The attack is evolving quickly. For everything we know so far, check out our blog post, "Petya-like Ransomware Explained."

This page will be updated as we learn more about the ransomware, as well as what Rapid7 customers can do to prevent, detect, and respond to it. In the meantime, organizations are strongly advised to take the following actions:

  • Ensure that all Windows systems have been patched against MS17-010 vulnerabilities (learn more in this blog post).
  • Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems. If possible, block 445 inbound to all internet-facing Windows systems.
  • Ensure critical systems and files have up-to-date backups. Backups are the only full mitigation against data loss due to ransomware. 
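The three actions above, as an added PowerShell example that is not Rapid7's code or part of the original page: it audits one Windows host for the MS17-010 hotfixes, SMBv1 state, the inbound TCP/445 block and a recent backup, and applies the hardening only with -Apply. The KB list, the rule name and the assumption that the host runs Windows 8 / Server 2012 or later (required for the Smb* and NetFirewall cmdlets) are mine.

```powershell
# Added example (not from the page). Run in an elevated PowerShell session.
param(
    [switch]$Apply,   # without -Apply the script only reports, changing nothing
    # Hotfix IDs from the MS17-010 bulletin for common OS builds (assumed list;
    # confirm against the bulletin for each OS you operate).
    [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                              'KB4012214','KB4012217','KB4012598','KB4012606',
                              'KB4013198','KB4013429'),
    [string]$RuleName = 'Block inbound SMB (TCP 445) on public networks'  # assumed
)

# 1. MS17-010 patch state. Caveat: later cumulative updates supersede these KBs
#    without carrying their IDs, so "not found" is a triage signal, not proof of
#    exposure; confirm with an authenticated vulnerability scan.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    "No MS17-010 hotfix ID found; verify a superseding cumulative update is installed."
}

# SMBv1 is the protocol EternalBlue targets; disabling it removes the exposed
# surface even where the patch state is uncertain. SMB2/3 clients are unaffected.
$smb = Get-SmbServerConfiguration
"SMB1 enabled: $($smb.EnableSMB1Protocol)"
if ($Apply -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMB1 disabled."
}

# 2. Host firewall: block inbound TCP/445 on the Public profile, which covers
#    internet-facing interfaces while leaving domain/private file sharing intact.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
"Inbound 445 block rule present: $([bool]$rule)"
if ($Apply -and -not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public | Out-Null
    "Created firewall rule '$RuleName'."
}

# 3. Backups: report the last successful Windows Server Backup run where that
#    feature is installed; other backup products need their own check.
if (Get-Command Get-WBSummary -ErrorAction SilentlyContinue) {
    "Last successful backup: $((Get-WBSummary).LastSuccessfulBackupTime)"
} else {
    "Windows Server Backup cmdlets not present; check your backup product's catalog."
}
```

Run without -Apply first to see the report; rerun with -Apply only on hosts where blocking public-profile SMB and disabling SMBv1 has been confirmed safe for the workload.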

For those already hit by this ransomware, our best guidance right now is to work with law enforcement and incident response experts. Our own incident responders are available 24/7 on the hotline: +1-844-RAPID-IR.


Ransomware Resources

[BLOG] Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010
Follow these steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing MS17-010 vulnerabilities.

Preventing and Detecting Ransomware Attacks 
Ransomware is malicious software that covertly encrypts your files, preventing you from accessing them, and then demands payment for their safe recovery. As with many cyberattacks, a ransomware infection commonly begins when a user clicks a phishing link or visits a compromised website.

Whiteboard Wednesday: Server Ransomware
Watch this week’s Whiteboard Wednesday to learn more about how attackers are using open MongoDB, CouchDB, and Elasticsearch servers, and then check out Bob’s blog post for more on “The Ransomware Chronicles: A DevOps Survival Guide.”
