A new strain of ransomware dubbed “Petya” is worming its way
around the world with alarming speed. The malware is spreading using a
vulnerability in Microsoft Windows that the software giant patched in March
2017 — the same bug that was exploited by the recent and prolific WannaCry
ransomware strain.
According to ISACA, a nonprofit that advocates for
professionals involved in information security, assurance, risk management and
governance, 62 percent of organizations surveyed recently reported experiencing
ransomware in 2016, but only 53 percent said they had a formal process in place
to address it.
A major ransomware attack has brought businesses to a halt
throughout Europe, in an infection reminiscent of last month’s WannaCry attack.
The most severe damage is being reported by Ukrainian businesses, with systems
compromised at Ukraine’s central bank, state telecom, municipal metro, and
Kiev’s Boryspil Airport. Systems were also compromised at Ukraine’s Ukrenergo electricity
supplier, although a spokesperson said the power supply was unaffected by the
attack.
The attack has even affected operations at the Chernobyl
nuclear power plant, which has switched to manual radiation monitoring as a
result of the attack. Infections have also been reported in more isolated
devices like point-of-sale terminals and ATMs.
The virus has also spread internationally. The Danish
shipping company Maersk has also reported systems down across multiple sites,
including the company’s Russian logistics arm Damco. The virus also reached
servers for the Russian oil company Rosneft, although it’s unclear how much
damage was incurred. There have also been several recorded cases in the United
States, including the pharmaceutical company Merck, a Pittsburgh-area hospital,
and the US offices of law firm DLA Piper.
Early reports from a Kaspersky researcher identified the
virus as a variant of the Petya ransomware, although the company later
clarified that the virus is an entirely new strain of ransomware, which it
dubbed “NotPetya.” Kaspersky telemetry indicated that at least 2,000 users had
been attacked by the virus as of this afternoon.
Two separate firms have reported the new ransomware employs
the same EternalBlue exploit used by WannaCry, allowing it to spread quickly
between infected systems. Published by the Shadow Brokers in April, EternalBlue
targets Windows’ SMB file-sharing system and is believed to have been developed
by the NSA. Microsoft has since patched the underlying vulnerability for all
versions of Windows, but many users remain vulnerable, and a string of malware
variants have employed the exploit to deliver ransomware or mine
cryptocurrency.
Microsoft said it was continuing to
investigate the attack. “Our initial analysis found that the ransomware uses
multiple techniques to spread, including one which was addressed by a security
update previously provided for all platforms from Windows XP to Windows 10
(MS17-010),” a spokesperson said in a statement. “As ransomware also typically
spreads via email, customers should exercise caution when opening unknown
files. We are continuing to investigate and will take appropriate action to
protect customers.”
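The two things the statement above points at are whether a host still exposes SMBv1 and whether the MS17-010 update is present. The following read-only check is an added example, not code from the article or from any of the cited sources; the per-OS KB package numbers are Microsoft's published MS17-010 identifiers and are not listed in the article.

```powershell
# Added example: audit a Windows host for the SMBv1 exposure EternalBlue targets
# and for the presence of an MS17-010 package. Run in an elevated session.

$ms17010Kbs = @(
    'KB4012598',                            # Windows XP / Vista / Server 2003 / Server 2008
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

# 1. SMBv1 server state. Disabling SMBv1 removes the attack surface even on a
#    host that has not yet taken the patch.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / 2008 R2 have no SMB cmdlets; the LanmanServer 'SMB1' value
    # controls it, and an absent value means SMBv1 is enabled.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
              -ErrorAction SilentlyContinue
    $smb1Enabled = if ($null -eq $params.SMB1) { $true } else { [bool]$params.SMB1 }
}

# 2. MS17-010 package present? Caveat: later cumulative updates supersede these
#    KBs, so a fully patched host may show none of them. Treat a miss as
#    "verify against current rollups", not as proof the host is vulnerable.
$found = Get-HotFix |
         Where-Object { $ms17010Kbs -contains $_.HotFixID } |
         Select-Object -ExpandProperty HotFixID

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    SMB1Enabled     = $smb1Enabled
    MS17010KbsFound = if ($found) { $found -join ',' } else { 'none (check superseding rollups)' }
    Action          = if ($smb1Enabled) { 'Disable SMBv1; confirm MS17-010 coverage' }
                      else              { 'Confirm MS17-010 coverage' }
}
```

Run it through `Invoke-Command` against a list of hosts to get one row per machine for fleet-wide triage.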
Petrwrap itself appears to be a straightforward ransomware
program. Once a machine is infected, the virus encrypts its contents under a key held by the attackers,
rendering it unusable until the system is decrypted. The program then instructs
the user to pay $300 to a static Bitcoin address, then email the Bitcoin wallet
and installation key to a Posteo email address. As of press time, blockchain
records showed 20 transactions to the target wallet, totaling roughly $4,900.
It’s unclear whether any systems have been successfully decrypted after
payment.
The origins of the attack are still unclear, but the
involvement of Ukraine’s electric utilities is likely to cast suspicion on
Russia. Ukraine’s power grid was hit by a persistent and sophisticated attack
in December 2015, which many attributed to Russia. The attack ultimately left
230,000 residents without power for as long as six hours.
Ukraine itself seems to be responding to the attack with
good humor. Shortly after news of the attack broke, the country’s official
Twitter account responded by urging citizens not to panic, while invoking a
popular comic meme.
Source: krebsonsecurity, helpnetsecurity, threatpost, theverge, reuters