A major global cyberattack involving Petya ransomware is currently underway, with firms across Russia, Ukraine and Europe affected. The attack is understood to involve a variant of Petya ransomware which has spread using similar methods to those used in the WannaCry ransomware attacks last month.
Companies confirmed as being infected with the ransomware include the Russian oil firm Rosneft, the Russian metal maker Evraz, French construction materials firm Saint Gobain, many Russian banks, the international Boryspil airport in Ukraine, the Ukraine government, two Ukrainian postal services, the Ukrainian aviation firm Antonov, shipping firm A.P. Moller-Maersk, legal firm DLA Piper, food manufacturer Mondelez, the advertising group WPP and pharmaceutical giant Merck. Many more companies are believed to have been attacked, and the list of victims is certain to grow. Attacks are now occurring in the UK and India and may spread further afield. Ukraine’s Prime Minister Volodymyr Groysman has said the ransomware attack is unprecedented.
The attacks appear to have started Tuesday, with Russian cybersecurity firm Group-IB suggesting ransomware was installed using some of the NSA exploits published by Shadow Brokers – two of those exploits were also used to install WannaCry ransomware on organizations around the globe last month.
In contrast to WannaCry, Petya ransomware is not understood to have a kill switch. Recovery from the attack will only be possible if data backups exist and have not been encrypted in the attack or if the ransom is paid. The ransom demand is understood to be $300 per infected device.
While the attacks have been concentrated in Russia and Europe, it is probable that they will spread to the United States.
Petya ransomware is different to many other ransomware variants as it does not encrypt files. Instead, the ransomware attacks and replaces the Master File Table (MFT). The MFT is needed by computers to determine the location of files stored on the hard drive. Without access to the MFT, files cannot be located. Files are not encrypted, but since they cannot be located the end result is the same: files cannot be opened.
At this stage, the infection process is not fully understood, with some news outlets claiming the attacks are occurring via malicious email attachments, while others report they involve exploits for unaddressed vulnerabilities.
Security researchers have been working hard to try to identify the method used by the attackers to install the ransomware, with Kaspersky Lab suggesting multiple attack vectors are involved. The SMBv1 vulnerability that was exploited in the WannaCry ransomware attacks appears to have been used again, albeit with a modified EternalBlue exploit. Applying the MS17-010 patch will protect organizations from the EternalBlue exploit, although the latest ransomware attack is far more sophisticated than WannaCry. Attacks are possible even if the MS17-010 patch has been applied as long as there is at least one server or device on the network that has not had the patch installed.
Email attacks appear to have been used, with spreadsheets sent via spam email including an exploit of the CVE-2017-0199 vulnerability. Kaspersky Lab identified another attack vector – a Ukrainian tax accounting package called MeDoc. The attackers appear to have compromised a software update and used it to install the ransomware.
While it was initially thought the ransomware involved was Petya, it is now believed this is a Petya-like ransomware variant. It has attracted a number of different names already including NotPetya. The ransomware appears to be a clone of GoldenEye which is from the same family as Petya.
Kaspersky Lab reports that there have been at least 2,000 devices infected during this ransomware campaign with the attackers having pocketed at least $7,000 in ransom payments so far.