Recommendation and information on latest ransomware

Today, there are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. The ransom note gives wowsmith123456@posteo.net as the contact address and demands a payment of $300 in Bitcoin.

At the time of writing, the ransomware outbreak is smaller than WannaCry, but the volume is “considerable,” according to Costin Raiu, Kaspersky Labs researcher, and MalwareHunter, an independent security researcher.

The main culprit behind this attack is a new version of Petya, a ransomware that encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Because of this, Petya is more dangerous and intrusive than other strains: it reboots infected systems and prevents them from working altogether, rather than only encrypting user files.

Multiple incidents reported from across the globe:

Currently, there are multiple reports from several countries about the ransomware’s impact. The most affected country seems to be Ukraine, where government agencies have reported “cyber-attacks” caused by a mysterious virus that affected the country’s largest banks, airports, and utility providers. Rozenko Pavlo, one of Ukraine’s deputy prime ministers, posted a photo on Twitter of a government PC locked by this new Petya variant.

Ransomware incidents have also been reported in other countries, such as the Netherlands, where Danish container transportation giant Maersk was forced to shut down some operations in Rotterdam. Maersk later confirmed the attacks on its website.

Similarly, in Spain, local media are reporting ransomware attacks at a large number of companies, including food conglomerate Mondelez and law firm giant DLA Piper.

In the UK, marketing firm WPP was affected, along with many others. The US didn’t escape the Petya outbreak either: the first major victim to surface was pharma giant Merck, while in France, Saint-Gobain, a manufacturer of construction materials, was forced to shut down operations.

Russian oil giant Rosneft also admitted to cyber-incidents on Twitter but didn’t clarify further. Overall, according to Kaspersky, Ukraine and Russia seem to be the most affected.

Petya doesn’t have a killswitch

Reports are coming fast and furious from multiple sources now, all reporting Petya’s virulent nature, with some people reporting that the ransomware has locked down hundreds of computers on the same network in a matter of minutes.

So far, the Petya authors have already pocketed seven ransom payments totalling 0.87 Bitcoin, worth nearly $2,000. This is quite a considerable sum, knowing that WannaCry took almost a full day to earn that much.

A past version of the Petya ransomware was decryptable, but we cannot confirm or deny at this stage whether this version is also crackable. In the past, the author of the Petya ransomware, a crook going by the name Janus Secretary, has offered a combination of the Petya and Mischa ransomware variants via a Ransomware-as-a-Service (RaaS) portal.

While WannaCry was stopped by a “killswitch” mechanism, this Petya version doesn’t seem to be affected by such a weakness.

As an organization, I think it is of the utmost importance that current security policies are reviewed and checked against the latest worldwide developments in security threats, because “no continuity in the field of ICT means no continuity in your business”.

More info: management@jato.be
