UPDATE: This article was published in the first moments of the Petya/NotPetya ransomware outbreak. The article has been heavily redacted to correct initial data. Furthermore, Bleeping Computer has published separate articles regarding Petya/NotPetya's origin, the discovery of a vaccine that prevents the ransomware from taking root, and an email provider's decision to block the email address used by the crooks, which indirectly prevents victims from ever recovering their files. Updated article below.
There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. This ransomware uses the contact email address wowsmith123456@posteo.net and asks for a payment of $300 in Bitcoin.
At the time of writing, the ransomware outbreak is smaller than WannaCry, but the volume is "considerable," according to Costin Raiu, Kaspersky Labs researcher, and MalwareHunter, an independent security researcher.
The main culprit behind this attack is a new ransomware that researchers initially called Petya, because it resembled an older ransomware strain that encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer. Later, it was discovered this is a new strain altogether, which researchers have started referring to as NotPetya or Petna. Because of our initial article's title, we'll be using the name Petya throughout this article, but be aware this is a new ransomware strain that has some similarities with the original Petya, but is new in its own right.
New ransomware strain inspired by WannaCry
According to several sources, the author of the new ransomware strain appears to have been inspired by last month's WannaCry outbreak, and added a similar SMB worm based on the NSA's ETERNALBLUE exploit. This has been confirmed by Payload Security, Avira, Emsisoft, Bitdefender, Symantec, and other security researchers. Later during the day, it was also discovered that Petya also used another NSA exploit called ETERNALROMANCE. More on this infection routine in a Kaspersky article here.
Petya's initial distribution vector was a tainted update for an accounting software package popular in the Ukraine. Bleeping Computer has published more info on the events that sparked the Petya outbreak in a separate article here.
Multiple incidents reported from across the globe
Currently, there are multiple reports from several countries about the ransomware's impact. The most affected country seems to be the Ukraine, where government agencies have reported "cyber-attacks" caused by a mysterious virus that affected the country's largest banks, airports, and utility providers. Rozenko Pavlo, one of Ukraine's deputy prime ministers, posted a photo on Twitter of a government PC locked by this ransomware strain.
Ransomware incidents have also been reported in other countries, such as the Netherlands, where Danish-based container transportation giant Maersk was forced to shut down some operations in Rotterdam. Maersk later confirmed the attacks on its website.
Similarly, in Spain, local media is reporting ransomware attacks at a large number of companies that include food conglomerate Mondelez and law firm giant DLA Piper.
In the UK, marketing firm WPP was affected, along with many others. The US didn't escape the Petya outbreak, and the first major victim to surface was pharma giant Merck, while in France, Saint-Gobain, a manufacturer of construction materials, was forced to shut down operations.
Russian oil giant Rosneft also admitted to cyber-incidents on Twitter but didn't clarify further. Overall, according to Kaspersky, Ukraine and Russia seem to be the most affected.
Petya doesn't have a killswitch
Reports are coming fast and furious from multiple sources now, all reporting Petya's virulent nature, with some people reporting that the ransomware has locked down hundreds of computers on the same network in a matter of minutes.
So far, the Petya authors have already pocketed seven ransom payments of 0.87 Bitcoin, worth nearly $2,000. This is quite a considerable sum, knowing that WannaCry took almost a full day to earn that much.
A past version of the Petya ransomware was decryptable, but we cannot confirm or deny at this stage that this version is also crackable. In the past, the author of the Petya ransomware, a crook named Janus Secretary, has offered a combo of the Petya and Mischa ransomware variants via a Ransomware-as-a-Service (RaaS) portal.
While WannaCry was stopped by a "killswitch" mechanism, this Petya version doesn't seem to be affected by such a weakness.
BTW, we can't stop this, there is no kill switch. :(
— 2sec4u NOT CISSP (@2sec4u) June 27, 2017
Below is a collection of tweets showing Petya's ever-expanding damage:
Supermarket in Kharkov, Ukraine:
Supermarket in Kharkov pic.twitter.com/H80FFbzSOj
— Mikhail Golub (@golub) June 27, 2017
ATM in Ukraine
Petya on an ATM. Photo by REUTERS.https://t.co/fDQ0nGyQc6 pic.twitter.com/gT2xQP9wAo
— Mikko Hypponen (@mikko) June 27, 2017
Kiev, Ukraine metro system
Friends! Payment by bank card is currently not possible.
Hacker attack. https://t.co/P6WoWORHlA
— Kyiv Metro Alerts (@kyivmetroalerts) June 27, 2017
Rotterdam port
#Nieuws: Rotterdam container terminal is down due to a hack. Among others, the world's largest shipping company Maersk Line was hit by a major cyberattack. pic.twitter.com/liW1Tumrju
— Paul Henriquez (@OpiniePaultje) June 27, 2017
Company in India
All computers in our office are down. Global #Ransomware attack. I've heard few other companies affected too. Backup and stay safe, guys. pic.twitter.com/YNctmvdW2I
— Mihir (@mihirmodi) June 27, 2017
Merck pharma giant, US offices
Merck Pharma under global cyberattack - demanding bitcoin payments pic.twitter.com/GAjYkFXH80
— Jack Posobiec (@JackPosobiec) June 27, 2017
Saint-Gobain, French manufacturer of construction materials
Saint-gobain uk pic.twitter.com/PtHD031ccY
— The Animal (@AnimalDubz) June 27, 2017
IOCs:
Email address associated with infections:
wowsmith123456@posteo.net
Bitcoin address:
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Targeted file extensions:
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
Ransom note name:
README.TXT
Ransom note text:
Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because
they have been encrypted. Perhaps you are busy looking for a way to recover
your files, but don't waste your time. Nobody can recover your files without
our decryption service.
We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
Send $300 worth of Bitcoin to following address:
1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Send your Bitcoin wallet ID and personal installation key to e-mail
Does not encrypt files in this folder:
C:\Windows;
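The IOC list above can be turned directly into a triage script for defenders: given an inventory of file paths from a suspect host, it reports which files fall under the targeted extensions (honouring the C:\Windows exclusion), and given a recovered text file it reports whether the contact e-mail or Bitcoin address from the note appear. The following is an added example written for this article, not code from Bleeping Computer or from any researcher quoted here. The extension list, the excluded folder, the note name, the e-mail address and the Bitcoin address come from the IOC section; all file paths and the sample note text are constructed for illustration.

```python
"""Triage helper built from the Petya/NotPetya IOCs listed in the article.

Added example, not code from the article or from any quoted researcher.
IOC values are copied from the IOC section; the paths and note text
further down are constructed for illustration only.
"""
from pathlib import PureWindowsPath

# The article prints the extensions as one dot-joined run; keep that form
# and parse it, so the list can be pasted in verbatim.
RAW_EXTENSIONS = (
    ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk"
    ".djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova"
    ".ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs"
    ".vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip."
)


def parse_extension_list(raw: str) -> frozenset:
    """Turn '.a.b.c.' into {'.a', '.b', '.c'}; empty pieces are dropped."""
    return frozenset("." + piece.lower() for piece in raw.split(".") if piece)


TARGETED_EXTENSIONS = parse_extension_list(RAW_EXTENSIONS)
EXCLUDED_FOLDER = PureWindowsPath(r"C:\Windows")  # article: not encrypted
RANSOM_NOTE_NAME = "README.TXT"
IOC_STRINGS = {
    "email": "wowsmith123456@posteo.net",
    "bitcoin": "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX",
}


def is_excluded(path: str) -> bool:
    """True if path lies under the excluded folder (NTFS is case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    excl = [p.lower() for p in EXCLUDED_FOLDER.parts]
    return parts[: len(excl)] == excl


def is_targeted(path: str) -> bool:
    """True if the IOC list says this file would be encrypted."""
    suffix = PureWindowsPath(path).suffix.lower()
    return suffix in TARGETED_EXTENSIONS and not is_excluded(path)


def triage(paths):
    """Split a path inventory into (would_be_encrypted, not_targeted)."""
    hit = [p for p in paths if is_targeted(p)]
    miss = [p for p in paths if not is_targeted(p)]
    return hit, miss


def scan_text_for_iocs(text: str) -> set:
    """Labels of the IOC strings (e-mail, Bitcoin address) found in text."""
    return {label for label, value in IOC_STRINGS.items() if value in text}


def is_ransom_note(filename: str) -> bool:
    """True if the file name matches the ransom note name from the article."""
    return PureWindowsPath(filename).name.upper() == RANSOM_NOTE_NAME


# Constructed sample inventory; these are not paths from any real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Desktop\contract.pdf",
    r"C:\Users\bob\notes.txt",
    r"C:\Windows\Temp\report.docx",
    r"D:\vms\fileserver.vmdk",
    r"C:\Program Files\app\config.cfg",
]

# Constructed note text containing the two contact IOCs from the article.
SAMPLE_NOTE = (
    "Ooops, your important files are encrypted.\n"
    "Send $300 worth of Bitcoin to following address:\n"
    "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX\n"
    "Send your Bitcoin wallet ID and personal installation key to e-mail\n"
    "wowsmith123456@posteo.net\n"
)

if __name__ == "__main__":
    hit, miss = triage(SAMPLE_PATHS)
    print(f"{len(TARGETED_EXTENSIONS)} targeted extensions parsed")
    print("would be encrypted:", *hit, sep="\n  ")
    print("not targeted:", *miss, sep="\n  ")
    print("IOC strings in sample note:", sorted(scan_text_for_iocs(SAMPLE_NOTE)))
```

Feeding it a real inventory (for example the output of a file listing taken from a known-good backup catalogue) gives a quick estimate of what a host stands to lose before it is rebooted, which matters here because the MFT encryption reported in the article happens at reboot.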
Image credits: David Montenegro
Comments
MattFipp - 6 years ago
"Furthermore, unlike WannaCry, there also appears to be a" (6th paragraph)
Appears to be a what, is it an important distinction?
Pugglerock - 6 years ago
Just saw this on The Daily Mail website. They're saying it's Wannacry.
Good to know Petya has evolved in some way.
Nikhil_CV - 6 years ago
Just got this update couple of hours ago.
Again!! :(
JohnC_21 - 6 years ago
"The main culprit behind this attack is a new version of Petya, a ransomware that encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer."
So I assume a GPT disk would still boot but the files would be encrypted?
woody188 - 6 years ago
Maybe. If you shut down instead of reboot on the BSOD you might be able to pull the drive and access the data from another workstation. The MFT encryption typically doesn't happen until the reboot. Problem is most workstations are set to reboot automatically after a BSOD. You also might be able to carve the files yourself from a dump. Unclear if Mischa is active on this one.
asd - 6 years ago
There seems to be a Killswitch https://twitter.com/0xAmit
campuscodi - 6 years ago
We know. Story coming in a few minutes. Took a while to confirm with other researchers.