Threat Management, Malware, Ransomware

Global Petya ransomware attack: Update 2


Petya ransomware continues to spread rapidly across the globe impacting multiple corporations and utilities and it has just been revealed that the attacker's email address needed to pay the ransom has been shut down eliminating that possibility for any victim.

The attack looks as if it may have started in Ukraine, where banks, energy companies, an airport and its metro network were affected, according to a Forbes report and additional sources. Outside the Ukraine, infections have also apparently hit Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosnoft, the report continues.

"We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack," reads a notification on Maersk's home page. "We continue to assess the situation. The safety of our employees, our operations and customer's business is our top priority. We will update when we have more information."

According to Bloomberg Technology, WPP has told its staffers to turn off their computers as a preventative measure. SC Media's sister brand PR Week has additional details on WPP.

The Chernobyl nuclear power plant in the Ukraine was also hit, according to the Mirror. The plant was destroyed in a meltdown in 1986, but is still being decommissioned.

The German email provider Posteo reported it has shut down the email address that the Petya attackers set up to receive ransom payments. 

"This email address [[email protected]] is displayed in Petya's ransom note as the only way to contact the Petya author. Victims have to pay the ransom and send an email with their Bitcoin wallet ID and infection key to the author," Bleeping Computer reported, which means there is no longer any method in place for those with locked files to have them decrypted.

Nick Bilogorskiy, Cyphort's senior director of threat operations, has issued an early breakdown of how the ransomware is operating and how it differs from WannaCry.

"This is what Petya is, an older ransomware family that has been given a new life by embedding a way to self-replicate over SMB using Eternal Blue exploit," he said, adding so far nine people have forked over the $300 ransom.

Here is what Cyphort has discovered:

There are a few differences from WannaCry, namely:

  • Petya initial distribution method is over email, in a malicious link sent from an unknown address.

  • Once executed, Petya does not try to encrypt individual files, but encrypts the master file table.

  • It has a fake Microsoft digital signature appended, copied from Sysinternals.

  • It looks like this new variant can also spread laterally using WMI.

  • Some payloads include a variant of Loki Bot in addition to the ransomware which is a banking Trojan that extracts usernames and passwords from compromised computers.

The following information comes courtesy of the UK SC Media staff.

Reports from a number of security companies  allege that the ransomware is locking up systems globally, including pieces of critical infrastructure and government bodies in Ukraine. The Kiev Metro system, “several chains” of Ukrainian petrol stations and the country's deputy prime minister all appear to have been hit. Kiev's Boryspil airline says that could cause flights to be delayed, the BBC reports

Other companies include Russian oil company Rosneft and shipping operator Maersk, which confirmed on Twitter that its IT systems were down across “multiple sites” thanks to a cyber-attack. Cyber-security firm, Recorded Future claims that it is now starting to see US victims too.  The world's largest advertising firm, WPP, has also confirmed it has fallen victim to the attack and employees have been instructed to unplug their computers. Business Insider has reported that news of the attack has even harmed the company's share price.

David Montenegro, an IT researcher also known as @cyberinsane posted a picture of a locked computer on Twitter.

Here we go again!!! | Ransomware Attack .. ??

— David Montenegro (@CryptoInsane) June 27, 2017

A spokesperson for the National Cyber Security Centre issued a statement saying, simply, “We are aware of a global ransomware incident and are monitoring the situation closely.”

NHS Digital said on Twitter than “There are no known significant cyber security threats affecting health.” Last month the global WannaCry campaign took out 48 NHS trusts, leaving hospitals all over the UK paralyzed.

Much like WannaCry, GoldenEye appears to be quite cheap, charging a relatively meagre US$300 (£234) for decryption. The bitcoin wallet it is directing victims to has already received 13 transactions.

It is not yet known what the propagating component is, but it is suspected to be wormable. Javvad Malik, security advocate at AlienVault, told SC Media UK that it appears to be “spreading via EternalBlue, the NSA vulnerability that was leaked by Shadowbrokers and spreads via the SMB1 protocol." EternalBlue was the same exploit that allowed WannaCry to spread to hundreds of thousands of endpoints in over 150 countries in a matter of hours.

Though a fix for the vulnerability has been released several times, it appears that many have not yet applied it, as evidenced by WannaCry recurrences in Honda factories last week. .

F-Secure's CRO, Mikko Hypponen has taken to twitter to admonish those who have not yet patched and left themselves open to this kind of attack.

New Petya uses the NSA Eternalblue exploit. So Wannacry was not enough of a wake-up call. You would think everybody would be patched by now.

— Mikko Hypponen (@mikko) June 27, 2017

The GoldenEye variant of Petya emerged in December last year, after a period of dormancy. Its first recorded attacks were aimed at German-speakers with phishing emails loaded with malicious microsoft Office documents.

GoldenEye has two level of encryption. One encrypts files that are actually on the computer and the other goes after NTFS, which prevents the victim's computer from retrieving stored information. After the targeted machine has been encrypted, GoldenEye reboots it so it cannot be used until the ransom is paid. This particular variant apparently earned US$1 billion (£783 million) in 2016.

Please check back with SC Media as we continue to follow this story.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.