There’s a New Massive Ransomware Attack Spreading

Image via Trendlabs

Ukraine’s government, National Bank and largest power companies have all been hit with a ransomware attack. Airports and other transportation services also reported being hit, though it appears they are a part of another massive ransomware outbreak that is spreading fast across the world.

Petya, a new ransomware similar to WannaCry, is to blame. "[We're seeing] several thousands of infection attempts at the moment, comparable in size to WannaCry's first hours," said Kaspersky Lab's Costin Raiu. "We are seeing infections from many different countries."

This morning Danish company Maersk reported a cyber attack, as did Russian oil company Rosneft. It is unclear exactly what the attack is, but it could be Petya.

The first known U.S. target is pharmaceutical company Merck. The problem has extended to global offices, including in Ireland. Merck Sharp & Dohme (MSD), the UK subsidiary of Merck, confirmed its network was compromised.

The impact initially seemed to only be affecting Ukraine. The organization managing the Chernobyl site said it had to switch radiation monitoring to manual until they confirmed that all their computers were safe. The main Chernobyl plant has also been closed.

Other victims included major energy companies such as the state-owned Ukrenergo and Kiev's main supplier Kyivenergo. Government officials have reportedly sent images of their infected computers, including this from deputy Prime Minister Pavlo Rozenko, who later said the whole government network was down:

From the looks of images being posted across social media, the ransomware note is in English and demanding $300 in Bitcoin, similar to the WannaCry ransom.

Global Impact

The National Bank blamed an "unknown virus" as the culprit, hitting several Ukrainian banks and some commercial enterprises. "As a result of cyber attacks, these banks have difficulties with customer service and banking operations," a statement on the organization's website read.

The deputy general director of Kiev's Borispol Airport, Eugene Dykhne, said in a Facebook post: "Our IT services are working together to resolve the situation. There may be delays in flights due to the situation... The official Site of the airport and the flight schedules are not working."

It’s currently unclear if the attack is just ransomware or if it is something larger. Unfortunately, we may just have to wait and see.

Though ransomware is typically used by cybercriminals, with WannaCry it was alleged that a nation state, North Korea, was likely responsible for spreading the malware. Cyber intelligence companies and the NSA believe with medium confidence that the nation used leaked NSA cyber weapons to carry out the attacks that took out hospitals in the U.K. and infected hundreds of thousands of others.

How the Ransomware Spreads

Security researchers fear the latest outbreak is using the same leaked NSA vulnerabilities as WannaCry. Petya samples confirmed the EternalBlue exploit was present, which targets a now-patched vulnerability in Microsoft Windows.

CERT.be, the federal cyber emergency team for Belgium, pointed to a different flaw in Windows. As noted by security firm FireEye in April, attacks exploiting the bug allow a hacker to run commands on a user's PC when they open a malicious document. FireEye saw Office documents that contained the hack and downloaded popular malware types onto target computers.

Petya is spreading so quickly because of the EternalBlue exploit, but it seems like there may be more. While we don’t know everything yet, one thing is for sure: stay safe and keep your computer secure.

(Story via Forbes)