My team has seen no evidence that Petya/NotPetya/Nyetya has an email vector. Everything we've found on this front has been a different attack. The true source of this attack is currently believed to be from fraudulent and unsigned tax software updates:
From http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

> The identification of the initial vector has proven more challenging.
> Early reports of an email vector can not be confirmed. Based on
> observed in-the-wild behaviors, the lack of a known, viable external
> spreading mechanism and other research we believe it is possible that
> some infections may be associated with software update systems for a
> Ukrainian tax accounting package called MeDoc. Talos continues to
> research the initial vector of this malware.

This happened with WannaCry too. The emails we saw reported as WannaCry ended up being Jaff <http://blog.talosintelligence.com/2017/05/wannacry.html?showComment=1494683710652#c7954588230675341778>.

If you have email samples suggesting otherwise, I'd very much like to see them.

Adam Katz
@adamhotep <https://twitter.com/adamhotep>

On 06/27/2017 11:09 AM, Alex wrote:
> Hi,
>
> On Tue, Jun 27, 2017 at 1:51 PM, Pedro David Marco
> <[email protected]> wrote:
>> Hi everybody...
>> just bothering you to share this:
>> We are detecting Petya2 inside attached PDFs... (not detected by many AV)
>> has anyone seen it into any MS OFFICE attachment? or maybe any .js dropper?
>
> How are you detecting them? Tips for blocking, if the AVs aren't
> catching them yet? Have you submitted to sanesecurity?
