Petya infection

UPDATE: This article was published in the first moments of the Petya/NotPetya ransomware outbreak. The article has been heavily redacted to correct initial data. Furthermore, Bleeping Computer has published separate articles regarding Petya/NotPetya's origin, the discovery of a vaccine that prevents the ransomware from taking root, and an email provider's decision to block the email address used by the crooks, and indirectly preventing victims from ever recovering their files. Updated article below.

There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. This ransom uses the contact details of wowsmith123456@posteo.net and asks for a payment of $300 in Bitcoin.

At the time of writing, the ransomware outbreak is smaller than WannaCry, but the volume is "considerable," according to Costin Raiu, Kaspersky Labs researcher, and MalwareHunter, an independent security researcher.

The main culprit behind this attack is a new ransomware that researchers initially called Petya, because it resembled an older ransomware strain that encrypts MFT (Master File Table) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer. Later, it was discovered this is a new strain altogether, which researchers have started referring to as NotPetya or Petna. Because of our initial article's title, we'll be using the name Petya throughout this article, but be aware this is a new ransomware strain that has some similarities with the original Petya, but is new in its own right.

New ransomware strain inspired by WannaCry

According to several sources, the author of the new ransomware strain appears to have been inspired by last month's WannaCry outbreak, and added a similar SMB worm based on the NSA's ETERNALBLUE exploit. This has been confirmed by Payload Security, Avira, Emsisoft, Bitdefender, Symantec, and other security researchers. Later in the day, it was also discovered that Petya uses another NSA exploit called ETERNALROMANCE. More on this infection routine in a Kaspersky article here.

Petya's initial distribution vector was a tainted update for an accounting software package popular in the Ukraine. Bleeping Computer has published more info on the events that sparked the Petya outbreak in a separate article here.

Multiple incidents reported from across the globe

Currently, there are multiple reports from several countries about the ransomware's impact. The most affected country seems to be the Ukraine, where government agencies have reported "cyber-attacks" caused by a mysterious virus that affected the country's largest banks, airports, and utility providers. Rozenko Pavlo, one of Ukraine's deputy prime ministers, posted a photo on Twitter of a government PC locked by this ransomware strain.

Ransomware incidents have also been reported in other countries, such as the Netherlands, where Danish-based container transportation giant Maersk was forced to shut down some operations in Rotterdam. Maersk later confirmed the attacks on its website.

Similarly, in Spain, local media is reporting ransomware attacks at a large number of companies that include food conglomerate Mondelez and law firm giant DLA Piper.

In the UK, marketing firm WPP was affected, along with many others. The US didn't escape the Petya outbreak, and the first major victim to surface was pharma giant Merck, while in France, Saint-Gobain, a manufacturer of construction materials, was forced to shut down operations.

Russian oil giant Rosneft also admitted to cyber-incidents on Twitter but didn't clarify further. Overall, according to Kaspersky, Ukraine and Russia seem to be the most affected.

Petya doesn't have a killswitch

Reports are coming fast and furious from multiple sources now, all reporting Petya's virulent nature, with some people reporting that the ransomware has locked down hundreds of computers on the same network in a matter of minutes.

So far, the Petya authors have already pocketed seven ransom payments of 0.87 Bitcoin, worth nearly $2,000. This is quite a considerable sum, knowing that WannaCry took almost a full day to earn that much.

A past version of the Petya ransomware was decryptable, but we cannot confirm or deny at this stage that this version is also crackable. In the past, the author of the Petya ransomware, a crook named Janus Secretary, has offered a combo of the Petya and Mischa ransomware variants via a Ransomware-as-a-Service (RaaS) portal.

While WannaCry was stopped by a "killswitch" mechanism, this Petya version doesn't seem to be affected by such a weakness.

Below is a collection of tweets showing Petya's ever-expanding damage:

Supermarket in Kharkov, Ukraine:

ATM in Ukraine

Kiev, Ukraine metro system

Rotterdam port

Company in India

Merck pharma giant, US offices

Saint-Gobain, French manufacturer of construction materials

IOCs:

Email address associated with infections:

wowsmith123456@posteo.net

Bitcoin address:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Targeted file extensions:

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

Ransom note name:

README.TXT

Ransom note text:

Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because
they have been encrypted. Perhaps you are busy looking for a way to recover
your files, but don't waste your time. Nobody can recover your files without
our decryption service.
We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
Send $300 worth of Bitcoin to following address:
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Send your Bitcoin wallet ID and personal installation key to e-mail

Folder the ransomware does not encrypt files in:

C:\Windows;
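The targeted-extension list and the C:\Windows exclusion above are the two host-side facts a responder can act on immediately, for example to estimate which files on a share or backup set were at risk. The following triage helper is an added example and is not code from Bleeping Computer or from the ransomware; it parses the extension list exactly as reproduced in the IOC section (the extensions run together with no separators), applies the folder exclusion case-insensitively, and filters a file inventory. The inventory paths are constructed for the example.

```python
"""Triage helper: which files in a host inventory match the Petya/NotPetya
targeted-extension list and the C:\\Windows exclusion quoted above.
Added example for impact assessment; not the article's or the malware's code."""
from pathlib import PureWindowsPath

# The extension list exactly as reproduced in the IOC section, where the
# extensions are run together with no separators between them.
RAW_EXTENSIONS = (
    ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk"
    ".djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova"
    ".ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs"
    ".vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip."
)

# Folder the IOC section says is left alone.
EXCLUDED_DIRS = (PureWindowsPath(r"C:\Windows"),)


def parse_extension_list(raw: str) -> frozenset:
    """Split the run-together IOC string into a set of lowercase suffixes."""
    parts = [p.strip().lower() for p in raw.split(".")]
    return frozenset("." + p for p in parts if p)


TARGETED = parse_extension_list(RAW_EXTENSIONS)


def is_excluded(path: str) -> bool:
    """True if the path sits inside an excluded folder (case-insensitive,
    component-wise, so C:\\WindowsOld is not treated as C:\\Windows)."""
    p_parts = [s.lower() for s in PureWindowsPath(path).parts]
    for base in EXCLUDED_DIRS:
        b_parts = [s.lower() for s in base.parts]
        if p_parts[:len(b_parts)] == b_parts:
            return True
    return False


def in_scope(path: str) -> bool:
    """Would this file be a candidate for encryption according to the IOCs?"""
    if is_excluded(path):
        return False
    return PureWindowsPath(path).suffix.lower() in TARGETED


def triage(inventory):
    """Return the subset of an inventory that is in scope, preserving order."""
    return [p for p in inventory if in_scope(p)]


# Constructed sample inventory (not real hosts or files).
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\Q2-report.DOCX",  # targeted, case differs
    r"C:\Users\alice\Documents\notes.txt",       # .txt is not on the list
    r"C:\Windows\System32\drivers\etc\hosts",    # inside excluded folder
    r"c:\windows\Temp\payroll.xlsx",             # excluded, lowercase path
    r"D:\vms\fileserver.vmdk",                   # targeted
    r"D:\backups\archive.tar.gz",                # last suffix .gz is targeted
    r"D:\backups\README",                        # no extension at all
]

if __name__ == "__main__":
    print(f"{len(TARGETED)} targeted extensions parsed")
    for path in triage(SAMPLE_INVENTORY):
        print("AT RISK:", path)
```

Only the final suffix is compared, which is how the list should be read (archive.tar.gz matches via .gz), and the exclusion is matched on whole path components rather than a string prefix so that sibling folders such as C:\WindowsOld are still reported.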

Image credits: David Montenegro