New ransomware attack is going global
27 June 2017 | 0
There is a new ransomware attack sweeping across Europe that is threatening to go global.
Identified by Symantec as a variant of the Petya Ransomware family, it appears to use the EternalBlue exploit to spread, as did the recent WannaCry outbreak. This exploit targets a vulnerability in the Microsoft implementation of Server Message Block Version1 in networking.
— Security Response (@threatintel) June 27, 2017
Images have been appearing on social media sites, such as Twitter, showing supermarket tills and other screens with an encryption notification and ransom demand.
Thomas Fox-Brewster of Forbes has reported that pharmaceuticals giant Merck was experiencing problems, including at its Irish site.
Reports are that Ukraine, Russia, and Spain have been hit, with utilities, logistics and retail falling prey.
Ukraine has been particularly badly hit, with its Prime Minister Volodymyr Groysman describing the attack as “unprecedented”.
Kaspersky has reported that Ukraine, Russia and Poland have the highest reported incidents.
— Thomas Mutschler (@ThomasMutschler) June 27, 2017
The shipping company Maersk has issued a statement saying it has been hit across “multiple locations” and is assessing the situation.
UPDATE 15:00 CEST pic.twitter.com/L5pBYvNQd3
— Maersk (@Maersk) June 27, 2017
Experts are advising anyone still using the SMBv1 protocol to immediately move to later versions. A Microsoft bulletin here gives details.
“Today, early afternoon (CEST), ESET researchers have begun investigating another massive global ransomware epidemic following the WannaCry and XData/AES-NI outbreaks,” said ESET researcher Robert Lipovsky. “The ransomware appears to be a version of Petya. If it successfully infects the MBR, it will encrypt the whole drive itself. Otherwise, it encrypts all files, like Mischa.
“For spreading, it appears to be using a combination of the SMB exploit (EternalBlue) used by WannaCry for getting inside the network and then spreading through PsExec for spreading within the network. This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched. It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.”
“The outbreak appears to have started in Ukraine, where reports indicate that the financial sector, energy sector and numerous other industries have been hit. The scope of the damage caused to the energy sector is not yet confirmed, and there has been no reports of a power outage – as was the case previously with the infamous Industroyer malware,” said Lipovsky.