The Petya ransomware. Courtesy of Wired.co.uk
(Follow this page as we will keep it updated as we know more)
Just one month after the WannaCry attack in May, the world is now experiencing another worldwide ransomware attack. The WannaCry attack spread quickly across the world as hackers infected hundreds of thousands of computers and demanded a ransom from those infected. This new ransomware attack is expected to have similar, or even greater, damage.
What is Petya ransomware?
Upon infection of the Petya ransomware, the computer that is being used shuts off and restarts. Instead of directing your computer to Windows, as it normally would, it instead directs your computer to a custom screen (see picture above) that demands the user pay a $300 ransom in order to access Windows again. At this point users must decide whether or not to pay the $300 ransom via bitcoin, or lose access to their precious files on their computer. Unlike previous attacks such as WannaCry, this ransomware appears to be infecting the MFT (Master File Table) meaning the Windows Operating System will not be able to locate files and also looks like it's infecting the Master Boot Record, causing issues with the computer booting up properly until the ransom is paid.
Are you safe from the attack?
Pine Cove Consulting’s Chief Information Officer, Dan Russell, warns that the new attack is a threat to all individuals and businesses. “Regarding the latest Ransomware attack, it started over in Europe, but there have already been cases reported here in the U.S. At the end of the day, everyone has a computer with an IP address, meaning everyone is a target, “said Russell.
The New York Times has reported that there have been confirmed attacks from the Petya ransomware here in the U.S.
However, users that are equipped with Sophos Next-Generation endpoint protection from Sophos have not experienced anything other than a popup at the bottom of the screen saying that an exploit was prevented.
How are they accessing my computer?
The ransomware appears to be a form of Petya family which was a prevalent strain of ransomware months back. It appears to be using the Eternal Blue vulnerability (And a few other techniques) which we saw a month or so ago with WannaCry.
Various media reports suggest the attacker took inspiration from last month’s WannaCry outbreak, which infected hundreds of thousands of computers across the globe by exploiting NSA code leaked by Shadow Brokers. Specifically, it used a variant of the Shadow Brokers’ APT EternalBlue Exploit (CC-1353), which targeted a flaw in the Windows Server Message Block (SMB) service. View Sophos' Naked Security for more information.
What can I do to prevent myself from infection?
“Ransomware and exploits are nothing new, they have been around for many years. However, as cyber-crime has become more and more monetized, we are starting to see an uptick in cases around the globe and will continue to see these attacks become more prevalent. Some things you can do to stay protected are, patch your systems as often as possible, backup your files regularly and keep a copy offsite, avoid opening attachments in emails from recipients you don’t know, invest in a Next-Generation endpoint protection, “said Russell.
Follow Pine Cove Consulting on Twitter for more updates:@PINECC
To view Pine Cove Consulting's press release regarding Petya Ransomware click here: Pine Cove Consulting's Press Release
Update (6/27/2017 3:18pm)
Update (6/27/2017 3:32pm)
Sophos is aware of the Petya ransomware (also known as Petrwrap/Petyawrap) attacks today. "Sophos Intercept X users were proactively protected with no data encrypted, from the moment this new ransomware variant appeared. Petya ransomware (also known as Petrwrap/Petyawrap)
Update (6/28/2017 8:15am)
Here is a current list of confirmed industries and specific businesses affected by the Petya attack:
- Cadbury Chocolate in Australia
- Chernobyl radiation detection system
- Kiev metro
- Ukraine nationwide power company
- DLA Piper major legal firm
- Maersk – Danish shipping company, has caused shipping ports worldwide to shut down
- Russian oil giant Rosneft
- Most every state agency in Ukraine (government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network have all been paralyzed by the hack)
- Banks – International and regional
- One U.S. hospital, thus far
- Pharmaceutical companies
- Reports world-wide (Ukraine, France, Spain, Australia, and U.S. to name a few, and list is growing)
Update (6/28/2017 8:30am)
• May have started via corrupted updates on a piece of accountancy software in Ukraine
• Mainly affected unpatched Windows 7 machines, but once in your network, can attack all computers of all Operating Systems, patched or not
• Ukraine hardest hit will 80% of all attacks and Italy second with 10% is possible good news for the U.S. However, the U.S. had several attacks and this is still spreading
See BBC for more information on this update: http://www.bbc.com/news/technology-40428967
• Wanna Cry had a kill switch that was discovered and helped stop the attack pretty quickly. Petya has no such kill switch, thus the length of this attack has no finite cap at this time.
• Petya inflicts more damage on machines than WannaCry as it targets the hard drive rather than individual files. "This attack doesn't just encrypt data for a ransom - but instead hijacks computers and prevents them from working altogether," said Ken Spinner, vice president of Varonis. "The implications of this type of cyberattack spread far and wide: and can affect everything from government to banks to transportation."