Update: This post was updated on June 28, 2017. A follow-up blog post, “A ‘Wiper’ in Ransomware Clothing: Global Attacks Intended for Destruction Versus Financial Gain,” was published on June 29.



The malware, being referred to as a Petya variant, has impacted systems in 65 countries. One initial infection vector has been traced by Microsoft to the MEDoc updater process, and there are reports that the malware's creators intended to destroy data rather than merely hold it for ransom.

Today, IBM X-Force analysts determined that the credentials used with PsExec and WMIC for lateral movement were harvested with Mimikatz. To help stop this lateral movement, a new recommendation has been added to the list at the end of this post.
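The lateral-movement chain described above (Mimikatz reading credentials out of LSASS, then PsExec and WMIC reusing them against other hosts) leaves three distinct footprints in Windows logs: a Sysmon Event ID 10 process access to lsass.exe, a System Event ID 7045 service install for PSEXESVC on the target, and a Security Event ID 4688 process creation for wmic.exe with `/node:` and `process call create`. The detector below, an added example that is not code from the original post or from IBM X-Force, runs simple rules over those three event types. The JSON-lines events, the host and user names, the payload path and the allow-list of images that legitimately open LSASS are all constructed for illustration.

```python
import json
import ntpath
import re
from typing import Dict, Iterable, List, Optional

Finding = Dict[str, str]

# Hypothetical allow-list of images that legitimately read lsass.exe; tune to the estate.
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read credential material from LSASS

REMOTE_WMIC = re.compile(r"/node:", re.IGNORECASE)           # WMIC targeting another host
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
WMIC_CREDS = re.compile(r"/user:\S+", re.IGNORECASE)         # explicit (stolen) credentials on the command line

# Constructed sample events (not from the original post), as JSON lines in the shape a
# log shipper would emit for Security 4688, System 7045 and Sysmon 10 events.
SAMPLE_EVENTS = [
    r'{"event_id": 4688, "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "command_line": "wmic.exe /node:10.0.0.7 /user:CORP\\svc_admin /password:Hunter2 process call create \"rundll32.exe C:\\Windows\\Temp\\x.dll,#1\""}',
    r'{"event_id": 4688, "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "command_line": "wmic.exe os get caption"}',
    r'{"event_id": 7045, "host": "SRV02", "user": "CORP\\svc_admin", "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}',
    r'{"event_id": 7045, "host": "SRV02", "user": "SYSTEM", "service_name": "Spooler", "image_path": "%SystemRoot%\\System32\\spoolsv.exe"}',
    r'{"event_id": 10, "host": "WS01", "source_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"}',
    r'{"event_id": 10, "host": "WS01", "source_image": "C:\\Windows\\System32\\csrss.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1410"}',
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles %SystemRoot% prefixes too)."""
    return ntpath.basename(path).lower()


def check_remote_wmic(ev: dict) -> Optional[Finding]:
    """4688: wmic.exe launching a process on a remote node, optionally with explicit credentials."""
    if ev.get("event_id") != 4688 or basename(ev.get("image", "")) != "wmic.exe":
        return None
    cmd = ev.get("command_line", "")
    if not (REMOTE_WMIC.search(cmd) and WMIC_CREATE.search(cmd)):
        return None
    creds = WMIC_CREDS.search(cmd)
    return {
        "rule": "remote_wmic_process_create",
        "host": ev["host"],
        "user": ev.get("user", ""),
        "detail": f"explicit creds {creds.group(0)}: {cmd}" if creds else cmd,
    }


def check_psexec_service(ev: dict) -> Optional[Finding]:
    """7045: the PSEXESVC service that PsExec installs on the target host."""
    if ev.get("event_id") != 7045:
        return None
    name = ev.get("service_name", "").upper()
    if name == "PSEXESVC" or basename(ev.get("image_path", "")) == "psexesvc.exe":
        return {"rule": "psexec_service_install", "host": ev["host"],
                "user": ev.get("user", ""), "detail": ev.get("image_path", "")}
    return None


def check_lsass_access(ev: dict) -> Optional[Finding]:
    """Sysmon 10: an unexpected image opening lsass.exe with read access (Mimikatz-style)."""
    if ev.get("event_id") != 10 or basename(ev.get("target_image", "")) != "lsass.exe":
        return None
    source = ev.get("source_image", "")
    if basename(source) in LSASS_READERS_ALLOWED:
        return None
    access = int(ev.get("granted_access", "0x0"), 16)
    if access & PROCESS_VM_READ:
        return {"rule": "lsass_credential_access", "host": ev["host"],
                "user": ev.get("user", ""), "detail": f"{source} access={hex(access)}"}
    return None


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over each JSON-line event and collect the findings in event order."""
    findings: List[Finding] = []
    for line in lines:
        ev = json.loads(line)
        for rule in (check_remote_wmic, check_psexec_service, check_lsass_access):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['detail']}")
```

Two caveats worth keeping in mind when adapting this. PsExec's `-r` switch renames the service, so matching on the PSEXESVC name alone misses renamed copies; matching on the service binary landing directly under %SystemRoot% is a stronger, if noisier, signal. And because the WMIC `/password:` value is captured in the 4688 command line, the same log that reveals the lateral movement also records the stolen credential, which is one more reason to rotate it during response.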