
Petya Ransomware: What You Need to Know

Petya has affected more than 12,500 machines in Ukraine alone, and spread to another 64 countries, including Belgium, Brazil, Germany, Russia, and the US.

By Angela Moscaritolo
Updated June 28, 2017

A global ransomware outbreak known as Petya has government agencies and private businesses around the globe scrambling to get their systems back online and recover their data.

The ransomware spread like wildfire on Tuesday, hitting organizations across Europe and the US. According to Microsoft, Petya has affected more than 12,500 machines in Ukraine alone, where the first infections were identified. Since then, it has spread to another 64 countries, including Belgium, Brazil, Germany, Russia, and the US.

The Petya outbreak comes after hundreds of thousands of PCs were attacked last month by ransomware known as WannaCry, which threw government agencies and private businesses around the globe into disarray. WannaCry resurfaced just last week, infecting the network at a Honda factory in Japan and traffic cameras in Australia.

Who Has Been Affected?

The Petya ransomware has already taken offline several critical infrastructure institutions in Ukraine, according to Bogdan Botezatu, senior e-threat analyst at cybersecurity firm Bitdefender. Ukraine's state power distributor Ukrenergo was hit, along with several of the country's banks, and the Kiev Metro.

Beyond Ukraine, Petya has claimed a number of other high-profile victims, including: Chernobyl's radiation-monitoring system, law firm DLA Piper, pharmaceutical company Merck, Danish shipping and energy company Maersk, UK-based advertising and public relations firm WPP, and Russian oil company Rosneft.

[Image: McAfee Petya map]

McAfee released a map (which you can see above) showing the distribution of its clients that have detected the current known samples of Petya, with darker colors representing a greater number of infections. The map appears to suggest that the US has been harder hit than Ukraine, though Chief Research Officer at security firm F-Secure Mikko Hypponen said that might not technically be the case, since McAfee has "much better visibility" in the US than Ukraine.

What Does it Do?

The malware, which has similarities to WannaCry, encrypts the files on a user's system, then demands victims pay $300 worth of bitcoin to recover access to their files.

"If you see this text, then your files are no longer accessible, because they have been encrypted," the message reads. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption device."

The message goes on to "guarantee" victims will "safely and easily" recover all their files by submitting the payment. Petya operators have already received around 40 payments totaling $9,000, according to Bitdefender's Botezatu.

"If you're planning to pay the ransom, stop now," he warned. "You'll lose your data anyway, but you'll contribute in funding the development of new malware."

Plus, according to F-Secure's Hypponen, the email address used by the attackers has been deactivated.

Matt Suiche, founder of Comae Technologies, also suggested in a Medium post that Petya is wiper malware disguised as ransomware. "The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money," he writes. Ransomware keeps the ability to restore locked PCs; a wiper simply destroys everything, meaning that even if you pay, you're out of luck.

How it Spreads

According to Microsoft, Petya "has worm capabilities, which allows it to move laterally across infected networks." This means it takes just one infected machine to affect an entire network, the company said.

This feature makes Petya more nefarious than other ransomware attacks, according to Rick Howard, Chief Security Officer at Palo Alto Networks.

"Ransomware attacks are very common, but they are rarely coupled with an exploit that allows the malware to spread as a network worm," he wrote in a blog post.

This version of Petya spreads via Windows Server Message Block (SMB) using a tool known as EternalBlue, which exploits the vulnerability CVE-2017-0144 that was patched in security update MS17-010. WannaCry exploited the same vulnerability to spread to out-of-date machines. Petya also uses a second exploit, for the vulnerability CVE-2017-0145 (also known as EternalRomance), which was fixed by the same security update, Microsoft said.

How to Protect Yourself

Microsoft said those who have not yet installed security update MS17-010 should do so as soon as possible.

"The WannaCry attacks in May 2017 demonstrated that many Windows systems had not been patched for this vulnerability," Palo Alto Networks's Howard wrote. "The spread of Petya using this vulnerability indicates that many organizations may still be vulnerable, despite the attention WannaCry received."

If you can't apply the patch right away, Microsoft recommends two workarounds to reduce your risk: disable SMBv1, and consider adding a rule on your router or firewall to block incoming SMB traffic on TCP port 445. Note that these measures close the exploit path described above; they do not by themselves stop a worm that has already obtained valid administrator credentials on the network, so the patch and the workarounds should be treated as complementary rather than as alternatives.

Organizations should also be sure to "create and maintain good back-ups so that if an infection occurs, you can restore your data," Howard wrote.
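The steps above (confirm the MS17-010 package is installed, disable SMBv1, and block inbound TCP 445) are usually carried out by hand on each host. As an added example that is not from the article, from Microsoft, or from any of the vendors quoted, the PowerShell below audits and applies them on one Windows machine. Assumptions, labelled in the code: the KB list is a partial, illustrative subset of the MS17-010 packages (the exact KB differs by OS build, and later cumulative updates supersede them, so "not found" is not proof of exposure); the function names and the firewall rule name are invented for this example; the Smb*/Net* cmdlets exist on Windows 8 / Server 2012 and later, so on Windows 7 only the registry and hotfix checks apply. Backups, the last item in the article's advice, are outside what a single host script can verify.

```powershell
# Added example (not the article's or Microsoft's code). Run from an elevated PowerShell.
# Assumption: partial, illustrative list of MS17-010 package IDs; consult the bulletin for
# your build. A missing entry does not prove the host is vulnerable, because later
# cumulative updates replace these packages.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')

function Test-Ms17010Hotfix {
    # Returns the KB IDs from the list that Get-HotFix reports as installed (may be empty).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $Ms17010Kbs | Where-Object { $installed -contains $_ }
}

function Get-Smb1State {
    # $true when the SMB1 server protocol is enabled (Windows 8 / Server 2012 and later).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: fall back to the LanmanServer registry value (absent means enabled).
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)
}

function Disable-Smb1 {
    # Workaround 1: turn SMBv1 off on the server side.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Registry equivalent for older builds (takes effect after a reboot).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-ItemProperty -Path $params -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    # On Windows 8.1/10 also remove the optional feature so the SMB1 driver is not loaded.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmb {
    param([string[]]$Profiles = @('Public', 'Private'))
    # Workaround 2, host-based: block inbound TCP 445. Scoped to non-domain profiles because
    # blocking 445 on the Domain profile breaks file shares and some domain traffic; the
    # article's advice is to block it at the perimeter router or firewall as well.
    $name = 'Block inbound SMB 445 (Petya workaround)'   # rule name is an assumption
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile $Profiles | Out-Null
    }
}

# Audit first, then apply the workarounds.
$found = Test-Ms17010Hotfix
if ($found) { "MS17-010 package present: $($found -join ', ')" }
else        { "No listed MS17-010 KB found; check Windows Update history before assuming exposure." }

"SMBv1 server enabled: $(Get-Smb1State)"
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
"TCP 445 listening: $([bool]$listening)"

Disable-Smb1
Block-InboundSmb
"SMBv1 server enabled after change: $(Get-Smb1State)"
```

Run the audit section alone on a sample of hosts before rolling out the changes: an environment that still depends on SMBv1 (old printers, NAS appliances, legacy scanners) will lose those connections the moment the protocol is disabled, which is the reason Microsoft presents it as a workaround to apply when patching cannot happen immediately rather than as a substitute for MS17-010.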



About Angela Moscaritolo

Managing Editor, Consumer Electronics

I'm PCMag's managing editor for consumer electronics, overseeing an experienced team of analysts covering smart home, home entertainment, wearables, fitness and health tech, and various other product categories. I have been with PCMag for more than 10 years, and in that time have written more than 6,000 articles and reviews for the site. I previously served as an analyst focused on smart home and wearable devices, and before that I was a reporter covering consumer tech news. I'm also a yoga instructor, and have been actively teaching group and private classes for nearly a decade. 

Prior to joining PCMag, I was a reporter for SC Magazine, focusing on hackers and computer security. I earned a BS in journalism from West Virginia University, and started my career writing for newspapers in New Jersey, Pennsylvania, and West Virginia.
