Petya-like Ransomware Explained & Recommended Actions

A ransomware attack that appears to be using a strain from the Petya family surfaced in Eastern Europe and has quickly gone global. Incident detection and response professionals around the world immediately started connecting this Petya-like ransomware with the same EternalBlue exploits used by the WannaCry ransomware. 

[BLOG] The attack is evolving quickly. For everything we know so far, check out our blog post, "Petya-like Ransomware Explained."

This page will be updated as we learn more about the ransomware, as well as what Rapid7 customers can do to prevent, detect, and respond to it. In the meantime, organizations are strongly advised to take the following actions:

  • Ensure that all Windows systems have been patched against MS17-010 vulnerabilities (learn more in this blog post).
  • Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems. If possible, block 445 inbound to all internet-facing Windows systems.
  • Ensure critical systems and files have up-to-date backups. Backups are the only full mitigation against data loss due to ransomware. 
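The host-based firewall step above can be audited on a single Windows system with the built-in NetSecurity and NetTCPIP cmdlets. This is an added example, not Rapid7 code; the `$TrustedSubnets` default is a constructed sample value and the `-Apply` switch is a name chosen for this sketch.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session.
param(
    [string[]]$TrustedSubnets = @('10.0.0.0/8'),  # constructed sample; use your own ranges
    [switch]$Apply                                 # without -Apply the script only reports
)

# 1. Is this host listening on TCP/445 at all?
$listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
Write-Output "Listening on TCP/445: $listening"

# 2. A disabled profile or a default-allow inbound policy makes rule scoping moot.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow') {
        Write-Warning "Profile $($_.Name): firewall off or default inbound action is Allow"
    }
}

# 3. Enabled inbound allow rules that name port 445 explicitly.
#    Rules written as port ranges or "Any" are not matched here and need a manual look.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

# 4. Report rules reachable from any source; with -Apply, scope them to trusted subnets.
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Output "Open to any source: $($rule.DisplayName)"
        if ($Apply) {
            # Rules delivered by Group Policy cannot be changed locally; fix those in the GPO.
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TrustedSubnets
        }
    }
}
```

Run it once without `-Apply` to review which rules would change, and confirm from an untrusted network segment afterwards that TCP/445 is no longer reachable.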

For those already hit by this ransomware, our best guidance right now is to work with law enforcement and incident response experts. Our own incident responders are available 24/7 on the hotline: +1-844-RAPID-IR.


Ransomware Resources

[BLOG] Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010
Follow these steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing MS17-010 vulnerabilities.

Preventing and Detecting Ransomware Attacks 
Ransomware is malicious software which covertly encrypts your files – preventing you from accessing them – then demands payment for their safe recovery. Like most tactics employed in cyberattacks, ransomware attacks can occur after clicking on a phishing link or visiting a compromised website.

[PODCAST] Understanding Ransomware
The swift rise of ransomware has led many companies to evaluate the risk it presents to their business. In this episode, host Kyle Flaherty explores some of the more common concerns around this attack vector and discusses them with Tod Beardsley, Rapid7 security research manager, and returning guest Wade Woolwine.

[VIDEO] Whiteboard Wednesday: Server Ransomware
Watch this week’s Whiteboard Wednesday to learn more about how attackers are using open MongoDB, CouchDB, and Elasticsearch servers, and then check out Bob’s blog post for more on “The Ransomware Chronicles: A DevOps Survival Guide.”

[ON-DEMAND WEBCAST] Ransomware: Don't Believe the Hype of Vendors
In this webcast, learn about snake oil sales techniques around ransomware, the best ways to protect your organization from this threat, disaster recovery processes to have in place, and more.

[BLOG] Ransomware FAQ: Avoiding the latest trend in malware

[BLOG] Prepare Yourself for Ransomware – No More Snake Oil, Please

[BLOG] I have ransomware and I didn’t back up! What do I do now??
