Petya Ransomware Caught By SparkCognition’s DeepArmor


By Marla Rosner and Mark Montgomery

The dangerous new ransomware outbreak

Not even two months after the outbreak of the devastating WannaCry malware, a new cyber attack has begun spreading throughout Europe and the US. This attack, a new strain of the ransomware known as Petya or Petrwrap, has hit thousands of computers so far in more than a dozen countries. It was first reported in Ukraine, where it has already crippled vast portions of the country’s infrastructure, including government, banks, utilities, transportation, and even the radiation monitoring system at Chernobyl.

On the same day that this attack hit, however, SparkCognition’s DeepArmor® caught the malware without ever having trained on it.

How Petya infiltrated systems across Europe

The Petya ransomware initially appears on computers masquerading as a standard CHKDSK process.

Once the program is run, however, it instead encrypts the computer’s hard drive, demanding a ransom of $300 in Bitcoin to decrypt files. Furthermore, Petya is making use of the exact same EternalBlue exploit that WannaCry used in May. This indicates that despite the disastrous effects of WannaCry, many individuals and organizations have still not patched their systems against this vulnerability. This is where an AI approach to cybersecurity shows one of its strengths: a cognitive security solution such as DeepArmor can adapt to this sort of continual evolution of malware with its own self-learning capabilities.


Unfortunately, where the WannaCry virus included several key errors, including a “kill switch” that security researchers were able to use to shut down the virus and keep it from spreading, Petya does not seem to have any weaknesses. At present, there is no known way to stop its spread.

A cognitive approach to endpoint security

All of this being the case, how did DeepArmor succeed at catching Petya where so many have failed?

DeepArmor Enterprise for Windows includes both process execution control and real-time file monitoring, which were able to prevent Petya from infecting a user’s system. DeepArmor uses the power of machine learning and artificial intelligence to identify zero-day and polymorphic threats like Petya.


Coming soon

The most recent version of Petya comes packaged as a malicious Dynamic Link Library (DLL), which is loaded into memory through the EternalBlue SMB exploit. The newest DeepArmor feature adds detection of malicious DLLs to our arsenal, allowing it to catch this new variant with a confidence of over 93%, despite never having seen it before.

Lessons learned

This is far from the first such success DeepArmor has had. Previously, it was able to catch not only WannaCry, but also Adylkuzz, Double Agent, and Popcorn Time.

There are at least two clear lessons to be taken from this news: 1) the onslaught of new and progressively more vicious malware is not halting any time soon; and 2) artificial intelligence solutions are the most capable tools to protect against future cyber threats.

Real-world validation

Finally, we wanted to give a shout-out to our partner Markus Speckmeier at MSITC, who put together a great video on DeepArmor detecting and blocking Petya. Markus and his team are always on top of the latest threats, so please check out his video and blog if you get a chance.
