UPDATED 14:27 EDT / JUNE 27 2017

INFRA

New ransomware attack quickly spreads to 65 countries

Updated Wednesday

Numerous businesses and government organizations across Europe and elsewhere have been hit by another major ransomware attack, which locks down vital files unless the victim pays the attackers money to release them.

Microsoft Corp.'s assessment put the number of countries to which the malware had spread at 65. There was also little sign that the damage is slowing down: unlike the WannaCry ransomware that swept across the globe just weeks ago, this one has no "kill switch" that can stop it in one fell swoop, according to British security researcher MalwareTech.

Early reports said the ransomware relied on the same exploit as the infamous WannaCry ransomware that swept across the globe just weeks ago, though as the day wore on, speculation widened on the precise nature of the ransomware.

“If you see this text, then your files are no longer accessible, because they have been encrypted,” the ransomware message (below) says on infected computers, according to screenshots shared by some of the affected companies. “Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

The ransomware tells victims that they must pay the equivalent of $300 in Bitcoin in order to receive the decryption key to unlock their files. Several companies have already opted to pay for the decryption key to unlock their files, and more are sure to follow. However, a report in Motherboard said that may be difficult now. Posteo, the email provider used by the hacker, said it has decided to block the attacker’s account, which leaves victims with no apparent way to unlock their files.

The new ransomware attack seemingly began in Eastern Europe, with Ukraine being hit particularly hard. Several major Ukrainian organizations, including banks, government ministries and utilities, have been affected by the attack, and the malware even temporarily took down radiation monitoring software at Chernobyl.

An infected computer (Image: Palo Alto Networks)


Other businesses affected by the attack include Danish conglomerate A.P. Moller–Maersk Group, Russian oil company Rosneft, Dutch shipping company APM Terminals, British advertising agency WPP plc and others. There are also reports that some businesses in the U.S. have also been hit by the attack, such as the American offices of law firm DLA Piper.

“This outbreak does not appear to be as great as WannaCry, but the number of impacted organizations is significant,” Raj Samani, head of strategic intelligence at McAfee Inc., Intel Corp.'s security firm, said in an email.

Several security experts have speculated that the ransomware could be a variation of a malware called Petya, but cybersecurity firm Kaspersky Lab said that the attack could also be an entirely new program based on Petya or something similar. Kaspersky said that the new ransomware spreads by taking advantage of the same EternalBlue exploit that had been used by WannaCry in May.

By mid-afternoon PDT, Cisco Systems Inc.'s Talos threat intelligence organization had singled out what it said was a new variant: “A new malware variant has surfaced that is distinct enough from Petya that people have referred to it by various names such as Petrwrap and GoldenEye. Talos is identifying this new malware variant as Nyetya.”

Talos said its research indicated the exploit used EternalBlue and Windows Management Instrumentation to spread in infected networks, but added, “This behavior is unlike WannaCry, as there does not appear to be an external scanning component.”

As for how many users were affected, Kaspersky said earlier Tuesday that its threat tracking tools had already detected more than 2,000 users hit by the ransomware. Meanwhile, antivirus provider Avast said that it had detected more than 12,000 instances of the ransomware around the world.

Security platform company Palo Alto Networks Inc. said that although such ransomware attacks are quite common, it's rare for them to be coupled with an exploit that allows the malware to spread as a network worm. “The WannaCry attacks in May, 2017 demonstrated that many Windows systems had not been patched for this vulnerability,” Rick Howard, the company's chief security officer, said in a threat brief today. “The spread of Petya using this vulnerability indicates that many organizations may still be vulnerable, despite the attention WannaCry received.”

Photo: Visual Content Data Security via photopin (license)
