A new wave of apparent ransomware attacks is affecting businesses and IT departments across the globe, the latest in a string of infections this year.
Ukrainian firms were the first to report the malware, identified as Petya, on Tuesday, June 27, and it quickly spread throughout Europe and the United States.
We’re following the latest in the live blog at the end of this post.
Dozens of organizations have been impacted, including Ukraine’s state power firm, Russia’s oil company Rosneft, US pharmaceutical giant Merck, UK-based advertising agency WPP and others in Spain, France and elsewhere.
We confirm our company's computer network was compromised today as part of global hack. Other organizations have also been affected (1 of 2)
— Merck (@Merck) June 27, 2017
The Chernobyl nuclear plant in Ukraine reportedly switched to manual monitoring of radiation levels as a precaution.
The malware locks Windows users out of their systems and demands $300 in Bitcoin to decrypt the files, according to a screenshot Ukraine’s Channel 24 posted of a reportedly infected computer.
Kaspersky Lab said its preliminary findings suggest the malware is not Petya but a previously-unseen new variant.
— Kaspersky Lab (@kaspersky) June 27, 2017
Ransomware and obsolete systems
Petya was identified in March 2016 and updated earlier this year. BBC cited Andrei Barysevich, a spokesperson for the security firm Recorded Future, as saying the malware was for sale on multiple forums for as little as $22 over the last year.
Petya is based on the WannaCry and EternalBlue ransomware seen in 2016 and 2017. EternalBlue was derived from leaked NSA tools and developed to exploit a number of back doors into vulnerable, outdated systems. Cybersecurity experts explain that this is one of several reasons why maintaining good backups and frequently updating systems are critical.
WannaCry was first leaked by a group called Shadow Brokers. The group released a number of hacking tools purportedly stolen from the US National Security Agency.
In the WannaCry attack, unpatched vulnerabilities in Microsoft operating systems allowed the malware to spread to more than 75 countries in a matter of hours.
Windows XP support ended on April 8, 2014, but some governments and companies still rely on the stable operating system. In December, a Freedom of Information request revealed that 90 percent of UK National Health Service trusts still use Windows XP, which no longer receives security updates.
But the new malware appears to be able to spread through systems even after they’re patched. It may also be able to exploit vulnerabilities not seen in the Shadow Brokers release.
Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit.
— Mikko Hypponen (@mikko) June 27, 2017
Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB).
US Computer Emergency Readiness Team statement