Last month, CCN reported that a global ransomware campaign hit over 100 countries and netted attackers a few thousand dollars after infecting well over 100,000 computers. The attack, according to reports, was possible thanks to NSA hacking tools leaked by hacking group The Shadow Brokers.
In the attack, a ransomware strain known as WannaCry was used to infect computers and demand a bitcoin ransom. The attack was then accidentally halted by a security researcher who purchased a domain for $10.69 that turned out to be a kill switch.
Now, it appears a new global ransomware campaign is ongoing, as the list of affected countries already includes Ukraine, the U.K., India, Spain, Denmark, and the Netherlands. According to Bleeping Computer, the outbreak is currently smaller than WannaCry although it’s still a considerable attack.
The suspected culprit, at the time of press, is Petya ransomware, a strain that encrypts the Master File Table (MFT) and prevents victims from rebooting their computers. This makes it more dangerous and intrusive than other strains, as it stops the machines from working altogether and reboots them to do so. Petya has been seen in the past, but reports suggest this is a new, updated version inspired by WannaCry.
According to Symantec researchers, this version of Petya now takes advantage of the NSA’s EternalBlue exploits, which target vulnerabilities Microsoft has already patched.
Unlike WannaCry, however, Petya can spread via email through booby-trapped Office documents. Once opened, these documents download and run the ransomware installer, which then executes a worm that spreads to new computers. According to Forbes, Hacker House CEO Matthew Hickey says this attack is being delivered via emails containing Excel files. He stated:
“This time it'll breach people who weren't impacted by WannaCry because it'll get to the internal networks via email.”
So far, reports suggest the extortionists behind Petya have managed to pocket seven payments worth 0.87 bitcoin, about $2,000. It took them several hours to earn the amount, while WannaCry extortionists needed about a day. Petya demands $300 in bitcoin to give users a chance to decrypt their computers.
At press time, the attack has only been going on for a couple of hours, but has already caused significant damage. The most affected country seems to be Ukraine as the attack has nearly taken the country offline. Journalist Christian Borys stated on Twitter that banks, postal services, and airports, among others, were hit.
Even government computers have been compromised. One of the country’s deputy prime ministers, Rozenko Pavlo, shared a photo of one of these computers on Twitter.
The country’s central bank has already informed users that Ukrainian commercial banks have been hit by an “unknown virus” and, as such, they are having difficulties carrying out banking operations.
Ukrenergo, the country’s state power distributor, also says its IT system was hit, but told Reuters that no power supplies were affected. Kiev’s metro system and the international Boryspil airport have already stopped accepting card payments because of the attack. State-run aircraft maker Antonov told Reuters it’s also been hit, although it didn’t clarify how bad the situation was.
In Ukraine’s neighboring country Russia, Rosneft, an oil company mainly owned by the Russian government, has also confirmed it’s been affected by the attack. Via Twitter, the company has informed users it “switched to a reserve control system”, presumably stopping its services from being affected. It also announced authorities have already been contacted.
In Denmark, shipping firm Maersk has also stated its systems have been taken down. The attack even forced the company to shut down some operations in Rotterdam. In Spain, local media reports the attack hit food conglomerate Mondelez and law firm DLA Piper.
In the U.K., British advertising agency WPP has had its systems disrupted, while French construction materials company St Gobain also reported being attacked. In the U.S., pharmaceutical company Merck announced via Twitter that its computer network was compromised.