In what some believe will turn out to be an even larger attack than last month’s devastating WannaCry, a new ransomware called Petya is making the rounds in Europe and wreaking havoc with the digital systems of multiple organisations.
Heavily concentrated in Russia and Ukraine, Petya infections have also been seen across Europe at large, with reports coming in from Denmark and Spain – and even the US, which may indicate the potential for a greater spread across the world. Ukraine seems to be the worst hit, though: not only have businesses in the country seen their systems lock down, but so have important governmental organisations, like the Central Bank, state telecom, municipal metro and even the Boryspil Airport in Kiev.
Some of the larger organisations currently known to be affected are Danish shipping giant Maersk and Russia’s largest oil producer, Rosneft.
[HOT] New Petya (MBR #ransomware) “loaded” with #ETERNALBLUE SMBv1 worm functionality (see ARP scan indicator): https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 …
Researchers at Kaspersky Lab have indicated this strain of the ransomware is called Petrwrap, a modified version of Petya, malware they identified in March. While not a lot is known about the technical details of Petya, security firms Avira and Payload Security have claimed it uses the same EternalBlue exploit that was found in WannaCry, and for which Microsoft issued a fix months ago. Even the defunct Windows 8, XP and Server 2003 received emergency patches.
Early reports on Twitter indicate the hackers are demanding a sum of around $300 in Bitcoin for the decryption key. Currently, only eight payments have been made. If the pattern we observed with WannaCry holds true, the ransomware scheme, while widespread, may not yield much money for the attackers, as most users chose not to pay in that instance.