Only a month after WannaCry, a new malware attack is spreading like wildfire across Europe, India, Russia and is definitely heading towards America.
A variant of the Petya/Petrwrap malware virus has already affected companies in Spain, France and the UK. Symantec has confirmed the ransomware is using EternalBlue, the same exploit as last month’s WannaCry attack. The exploit was leaked by the hacking group Shadow Brokers and is thought to have been developed by the US National Security Agency.
Ukraine has been decimated by the attack, with the government, banks, state power plants and Kiev’s airport and metro system particularly badly affected. Users on Twitter are reporting that the country has ground to a halt, with photos of supermarket tills, cash machines and traffic lights at a standstill.
Other companies in Europe are beginning to report Petya attacks. UK marketing giant WPP tweeted that they have been hit by a “suspected cyberattack”. French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft have also been disrupted. The world’s largest container shipping firm AP Moller-Maersk has also tweeted that “IT systems are down across multiple business units due to an attack”.
Once infected by the virus, a computer shows a black screen with the following red text, “If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service.”
This screenshot of the Petya ransomware message was posted by Ukraine's Channel 24
Petya’s actual Bitcoin ransom is equivalent to $300 – exactly the same as WannaCry. So far (as of 7pm on Tuesday 27th June) the amount paid in ransom is almost $6,000 and is steadily increasing. However, there are Twitter users suggesting that even if the ransom is paid, there is no hope of any files actually being decrypted, as the email client Posteo has killed the account used for ransom payments.
Wired magazine has reported that this new malware seems more sophisticated than the WannaCry exploit. Petya doesn’t seem to have any embedded “kill switch” function – meaning there's no way to stop it yet.
We’ve been unable to obtain a copy of the malware and analyse it, but it looks very similar to WannaCry in that it spreads over SMB and infects unpatched Windows systems. If you’ve applied patches due to last month’s WannaCry outbreak, then you shouldn’t experience any issues. However, there are still a significant number of unpatched Windows systems in general circulation. Not everyone heard about WannaCry and not everyone patched. Maybe they’ll learn this time.
It’s not limited to Eastern Europe, and will happily spread to any unpatched Windows machine. It might so happen that the UK is better at patching than the rest of the world and remains largely unaffected, but we’re not convinced.
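The practical defence the article points to is patching and closing off the SMB path the worm uses. The following PowerShell audit script is an added example, not code from the original article; it reports whether a Windows host still has the SMBv1 protocol enabled (the SMB version EternalBlue targets), whether inbound file-sharing firewall rules are open, and whether a given hotfix is installed, and can optionally disable SMBv1. It assumes Windows 8.1 / Server 2012 R2 or later (for the SmbShare, DISM and NetSecurity modules) and an elevated session; the KB number is a placeholder because the article does not name one.

```powershell
# Added example (not from the original article): audit a Windows host for the
# SMBv1 exposure that EternalBlue-based worms abuse, and optionally remediate.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, run from an elevated
# PowerShell session. Report-only unless -Remediate is given.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$findings = @()

# 1. Is the SMBv1 server protocol still switched on?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
}

# 2. Is the SMB1Protocol Windows feature installed at all?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
}

# 3. Are inbound File and Printer Sharing (SMB) firewall rules enabled?
#    A host that does not need to serve file shares should have these off.
$smbIn = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($smbIn) {
    $findings += "$(@($smbIn).Count) inbound File and Printer Sharing rule(s) enabled"
}

# 4. Patch check. KB-PLACEHOLDER is a placeholder: substitute the KB number of
#    the SMB security update for this OS build (the article names none).
$kb = 'KB-PLACEHOLDER'
if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
    $findings += "Hotfix $kb not installed"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 disabled, sharing rules closed, hotfix present'
}
else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Remediate) {
        # Turn the protocol off at the SMB server and remove the feature.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        Write-Output 'SMBv1 disabled; a reboot completes the feature removal'
    }
}
```

Run it without arguments across a fleet first to see how many hosts still expose SMBv1; only pass `-Remediate` once you have confirmed nothing on the network (old NAS boxes, printers, legacy scanners) still depends on SMBv1 to reach that host, because disabling it is a one-way change for those clients.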