UPDATE: This article was published in the first moments of the Petya/NotPetya ransomware outbreak. The article has been heavily redacted to correct initial data. Furthermore, Bleeping Computer has published separate articles regarding Petya/NotPetya's origin, the discovery of a vaccine that prevents the ransomware from taking root, and an email provider's decision to block the email address used by the crooks, and indirectly preventing victims from ever recovering their files. Updated article below.
There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. This ransom uses the contact details of firstname.lastname@example.org and asks for a payment of $300 in Bitcoin.
At the time of writing, the ransomware outbreak is smaller than WannaCry, but the volume is "considerable," according to Costin Raiu, Kaspersky Labs researcher, and MalwareHunter, an independent security researcher.
The main culprit behind this attack is a new ransomware that researchers intially called Petya, because it resembled an oldr ransomware strain that encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer. Later, it was discovered this is a new strain altogether, which researchers have started referring to as NotPetya or Petna. Because our initial article's title, we'll be using the name Petya through this article, but be aware this is a new ransomware strain that has some similarities with the original Petya, but is new in its own right.
According to several sources, the author of the new ransomware stain appears to have been inspired by last month's WannaCry outbreak, and added a similar SMB work based on the NSA's ETERNALBLUE exploit. This has been confirmed by Payload Security, Avira, Emsisoft, Bitdefender, Symantec, and other security researchers. Later during the day, it was also discovered that Petya also used another NSA exploit called ETERNALROMANCE. More on this infection routine in a Kaspersky article here.
Petya's initial distribution vector was a tainted update for an accounting software package popular in the Ukraine. Bleeping Computer has published more info on the events that sparked the Petya outbreak in a separate article here.
Currently, there are multiple reports from several countries about the ransomware's impact. The most affected country seems to be the Ukraine, where government agencies have reported "cyber-attacks" caused by a mysterious virus that affected the country's largest banks, airports, and utility providers. Rozenko Pavlo, one of Ukraine's deputy prime ministers posted a photo on Twitter of a government PC locked by this ransomware strain.
Ransomware incidents have also been reported in other countries, such as the Netherlands, where Danish-based container transportation giant Maersk was forced to shut down some operations in Rotterdam. Maersk later confirmed the attacks on its website.
Similarly, in Spain, local media is reporting ransomware attacks at a large number of companies that include food conglomerate Mondelez and law firm giant DLA Piper.
In the UK, marketing firm WPP was affected, along with many others. The US didn't escape the Petya outbreak, and the first major victim to surface was pharma giant Merck, while in France, Saint-Gobain a manufacturer of construction materials was forced to shut down operations.
Reports are coming fast and furious from multiple sources now, all reporting Petya's virulent nature, with some people reporting that the ransomware has locked down hundreds of computers on the same network in a matter of minutes.
So far,the Petya authors have already pocketed seven ransom payments of 0.87 Bitcoin, worth nearly $2,000. This is quite a considerable sum, knowing that WannaCry took almost a full day to earn that much.
A past version of the Petya ransomware was decryptable, but we cannot confirm or deny at this stage that this version is also crackable. In the past, the author of the Petya ransomware, a crook named Janus Secretary, has offered a combo of the Petya and Mischa ransomware variants via a Ransomware-as-a-Service (RaaS) portal.
While WannaCry was stopped by a "killswitch" mechanism, this Petya version doesn't seem to be affected by such a weakness.
BTW, we can't stop this, there is no kill switch. :(— 2sec4u NOT CISSP (@2sec4u) June 27, 2017
Below is a collection of tweets showing Petya's ever-expanding damage:
Супермаркет в Харькове pic.twitter.com/H80FFbzSOj— Mikhail Golub (@golub) June 27, 2017
Друзі! Оплата банківськими картками наразі неможлива.— Kyiv Metro Alerts (@kyivmetroalerts) June 27, 2017
Хакерська атака. https://t.co/P6WoWORHlA
Merck Pharma under global cyberattack - demanding bitcoin payments pic.twitter.com/GAjYkFXH80— Jack Posobiec (@JackPosobiec) June 27, 2017
Saint-gobain uk pic.twitter.com/PtHD031ccY— The Animal (@AnimalDubz) June 27, 2017
Email address associated with infections:
Targeted file extensions:
Ransom note name:
Ransom note text:
Send your Bitcoin wallet ID and personal installation key to e-mail 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX Ooops, your important files are encrypted. If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don\'t waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key. Please follow the instructions: Send $300 worth of Bitcoin to following address:
Does not encrypt files in this folder:
Image credits: David Montenegro