A new ransomware exploit dubbed “Petya” struck major companies and infrastructure sites this week, following last month’s WannaCry ransomware attack, which wreaked havoc on more than 300,000 computers across the globe. Petya is believed to be linked to the same set of hacking tools as WannaCry.
Petya already has taken thousands of computers hostage, impacting companies and installations ranging from Ukraine to the U.S. to India. It has impacted a Ukrainian international airport, and multinational shipping, legal and advertising firms. It has led to the shutdown of radiation monitoring systems at the Chernobyl nuclear facility.
Europol, the international law enforcement agency, could not provide operational details on the attack, spokesperson Tine Hollevoet told the E-Commerce Times, but it was trying to “get a full picture of the attack” from its industry and law enforcement partners.
Petya “is a demonstration of how cybercrime evolves at scale and, once again, a reminder to business of the importance of taking responsible cybersecurity measures,” Europol Executive Director Rob Wainwright said in a Wednesday update.
Unlike Wannacry, the Petya attack does not include any type of ‘kill switch,’ according to Europol.
The U.S. Computer Emergency Readiness Team on Tuesday began fielding numerous reports about the Petya ransomware infecting computers around the world, and noted that this particular variant encrypts the master boot records of Windows computers and exploits vulnerabilities in the Server Message Block.
The RANSOM_PETYA.SMA variant uses as infection vectors both the EternalBlue exploit, which was used in the WannaCry attack, and the PsExec tool, which is a Microsoft utility used to run processes using remote access, according to Trend Micro.
Users should apply the MS17-010 security patch, disable TCP port 445, and restrict accounts with administrator group access, the firm recommended.
The Petya variant uses the rundll32.exe process to run itself, and encryption is carried out using perfc.dat, a file located in the Windows folder, Trend Micro said. The ransomware adds a scheduled task and reboots the computer system after one hour. The Master Boot record is modified, allowing encryption to take place, and a ransom note is displayed with a fake CHKDSK notice.
The Petya exploit uses a hardcoded bitcoin address, making decryption more labor-intensive than it was during the WannaCry attack. However, users similarly are asked to pay US$300 to release the data. An estimated $7,500 had been paid as of Tuesday, Trend Micro estimated. However, that number could change as the attacks spread.
Many companies failed to upgrade their computer systems properly following the WannaCry attack, said Gaurav Kumar, CTO at RedLock.
WannaCry exploited legacy Windows systems that had not been patched, even though Microsoft issued an update in March, he told the E-Commerce Times.
Governments should mount coordinated efforts to fight cyberattacks, according to Access Now, an advocate for digital rights and privacy.
The Petya attack’s use of the EternalBlue exploit shows that government agencies should not be stockpiling vulnerabilities, the group argued, as the exploit has been linked to the Shadow Brokers’ leak of an exploit created by the National Security Agency.
“Governments should promote patching by developing and codifying vulnerabilities equities processes and through support of coordinated disclosure programs,” said Drew Mitnick, policy counsel at Access Now.
Pharmaceutical giant Merck & Co. on Tuesday confirmed that its computer network was compromised by the attack, and said it was investigating the matter.
International law firm DLA Piper confirmed that its advanced warning systems detected suspicious activity that apparently was linked to a new variant of the Petya malware. The firm said it had taken down its systems to prevent the spread, and that it had enlisted forensic experts and was cooperating with FBI and UK National Crime Agency investigators.
Advertising and public relations firm WPP said it was working with its IT partners and law enforcement agencies to take precautionary measures, restore services where they have been disrupted, and keep the impact on clients, partners and people to a minimum. The company has taken steps to contain the attack and is working to return to normal operations as soon as possible, while protecting its systems.