Last update: 6/28/2017 at 11:49am — This is a developing story and we will update it as we learn of new details.
Another Global Ransomware Outbreak Is Occurring Right Now. Here’s What We Know So Far.
According to Motherboard and various international publications, another wave of ransomware is reportedly infecting computers in Spain, France, Ukraine, Russia, Britain, Denmark and several other countries. It is currently unknown who the attackers are and whether the attack is related to the recent WannaCry outbreak.
Russia, Ukraine, Spain, France – confirmed reports about #Petya ransomware outbreak. Good morning, America.
— codelancer (@codelancer) June 27, 2017
What is Petya/NotPetya/SortaPetya ransomware?
According to a report from Symantec, Petya is a ransomware strain that was discovered last year. Symantec initially believed that a new strain of Petya, called Petrwrap, was the ransomware that began propagating on Tuesday.
According to Costin Raiu of Kaspersky Lab and the anti-virus company Avira, this variation of the Petya ransomware uses the EternalBlue exploit, which was developed by the US National Security Agency (NSA), stolen from it, and leaked by the group called The Shadow Brokers in April. This exploit, which was also used by WannaCry, takes advantage of the MS17-010 vulnerability found mainly in unpatched Windows 7, Windows Server 2008, or earlier versions of the Windows operating system.
The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp. pic.twitter.com/CHUYvsiQ08
— Costin Raiu (@craiu) June 27, 2017
Is this the same as the WannaCry ransomware attack?
Andrew Avanessian, vice president of the security firm Avecto, tells Spiceworks in an interview that “WannaCry was a quite sloppy attack in many respects. It had a kill switch built in that talked to a command center — we think it was detecting whether WannaCry was working on a virtual machine or not.”
“Petrwrap is more sophisticated: Once it’s on a PC, it overrides the master boot record on the hard disk thereby corrupting the operating system. When you reboot that machine, it boots up into a mini-version of an operating system installed by Petrwrap. That operating system takes hold of the PC and puts it in the firm control of the cybercriminals,” Avanessian says.
[UPDATE] We should also note that, as Serper discovered, the Petya/NotPetya ransomware strain has no kill switch domain of the kind that stopped WannaCry from spreading. Moreover, ZDNet notes that this new Petya/NotPetya strain has more functionality, “including the encryption of full hard drives and the ability to use PSExec on a system it has administrative credentials on, allowing it to duplicate the ransomware on any system on a network.”
Moreover, initial photos of an infected computer screen posted on Twitter seem to differ from the WannaCry ransomware display. The photo shows red text which claims, “If you see this text, then your files are no longer accessible because they are encrypted,” followed by instructions to send $300 worth of bitcoins.
Who has been affected?
There have been reports on Twitter of several hospitals, airlines, utility services, and private companies, including WPP, Rosneft, DLA Piper, Mondelez, and Maersk, being hit by the attack. The Verge is also reporting that Ukrainian businesses are the hardest hit, “with systems compromised at Ukraine’s central bank, state telecom, municipal metro, and Kiev’s Boryspil Airport.”
In addition, security researchers and firms also confirmed the attack to Motherboard, including Raiu who noticed “thousands of infection attempts at the moment, comparable in size to Wannacry’s first hours.”
Is there a way to stop Petya/NotPetya from spreading?
Ransomware attack reportedly used against TRK Luks (majority held by Lviv mayor Sadoviy), includes 24 Kanal too. https://t.co/K8ESouloCK pic.twitter.com/SK7Y62yBsz
— Devin Ackles (@DevinAckles) June 27, 2017
[UPDATE] To date, the unknown attackers have managed to rack up 3.99 bitcoin, or $10,038.80, according to Motherboard.
[UPDATE] Cybereason security researcher Amit Serper says he has found a vaccine (not a cure) for the Petya/NotPetya ransomware worm.
I found a way to stop the malware. All we need to know is the original name of the file – Come on people! https://t.co/4e17ST5xHL
— Amit Serper (@0xAmit) June 27, 2017
#Petya #Ransomware KILLSWITCH: Malware checks for the name of the dll inside c:\windows. If it exists it won’t run. What’s the original dll name? pic.twitter.com/WUXC3Itdyi
— Amit Serper (@0xAmit) June 27, 2017
98% sure that the name is perfc.dll. Create a file in c:\windows called perfc with no extension and #petya #Nopetya won’t run! SHARE!! https://t.co/0l14uwb0p9
— Amit Serper (@0xAmit) June 27, 2017
Let’s not be aggressive. This is not a generic Killswitch like @MalwareTechBlog found, it’s a temporary workaround
— Amit Serper (@0xAmit) June 27, 2017
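The workaround Serper describes above, written up as an added PowerShell example (not code from the article, Cybereason or Serper): it places empty, read-only placeholder files in C:\Windows under the two names the article reports, “perfc” and “perfc.dll”, and reports their state. The read-only attribute is an added precaution, and the script assumes an elevated prompt because it writes into the Windows directory.

```powershell
# Added example, not part of the original article.
# The sample reportedly looks for a file named after its own DLL in C:\Windows
# and exits if it already exists. Creating that file ahead of time is the
# "vaccine"; it blocks only samples that perform this exact check.
# Assumptions: names "perfc" (as tweeted) and "perfc.dll" (the reported DLL name);
# marking the files read-only is an added precaution. Run from an elevated prompt.
$names  = @('perfc', 'perfc.dll')
$windir = $env:SystemRoot   # normally C:\Windows

$results = foreach ($name in $names) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough: only the file name is checked, not its content.
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    # Read-only stops an accidental overwrite or deletion of the placeholder.
    (Get-Item -LiteralPath $path).IsReadOnly = $true

    [pscustomobject]@{
        Path     = $path
        Exists   = Test-Path -LiteralPath $path
        ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
    }
}

# Both rows should show Exists = True and ReadOnly = True once the vaccine is applied.
$results | Format-Table -AutoSize
```

As Serper's last tweet stresses, this is a temporary workaround for samples that check this particular name, not a general kill switch, and it does not replace installing the MS17-010 update the article recommends.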
Do we know who is behind the attack?
We currently do not know who is behind the attack, but Infosecurity Magazine is citing an analysis by CyberArk Labs, which notes that the Petya/NotPetya variants “appear not to affect Windows endpoints that are configured to use a US English-only keyboard,” which leads researchers to believe this could be a state-sponsored attack.
How can I protect myself from ransomware?
For individual consumers, here’s how to protect yourself:
- Update your software immediately – Microsoft released a software update to patch this vulnerability in March, so make sure you install the latest software update as soon as possible. Also, always keep your device up-to-date by enabling automatic updates or creating a reminder to check for updates at least once a month.
- Back up your devices – Back up your files and data to a portable hard drive or to the cloud.
- Install a robust antivirus and anti-malware program and make sure to use firewalls. If you have the resources, consider installing anti-spam and anti-phishing software as well.
- Learn how to identify malicious emails – If you receive an email from a person or company you don’t know, avoid clicking any links or opening any attachments.
- Enable a pop-up blocker – To avoid drive-by downloads, add and enable a pop-up blocker on your web browsers.
In addition to the tips above, KnowBe4 offers tips on how business owners and other organizations can take extra precautions to protect their company’s data from ransomware:
- Consider endpoint protection products, like real-time executable blocking or whitelisting.
- Invest in cybersecurity awareness training – Attackers rely heavily on employees falling for phishing and social engineering scams via email. Teach your staff members how to identify potentially malicious emails, websites, ads, and file extensions.
- Implement software restriction policies to areas of your network.