Barely a month after the WannaCry ransomware attack crippled businesses across the globe, a new cyber attack hit companies in Europe, the Middle East and the US on Tuesday. Dubbed 'Petya,' the ransomware has caused serious disruption at large firms including the advertising giant WPP, French construction materials company Saint-Gobain, Russian steel and oil firms Evraz and Rosneft, US pharmaceutical company Merck, and multiple private and public institutions in Ukraine.
New #ransomware spreading through SMB... It's #rebooting OS and encrypting files. Any idea which one it is? pic.twitter.com/DaEyqIKBvH
— Ankit singh (@ankit5934) June 27, 2017
According to John Miller, Senior Manager of Analysis at FireEye, Petya does not encrypt individual files on victims' systems; instead it overwrites the master boot record (MBR) and encrypts the master file table (MFT), which renders the system inoperable until the ransom has been paid. The malware contains a dropper, a custom boot loader, and a small Windows kernel that executes additional encryption routines.
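The MBR overwrite described above is something a defender can baseline and watch for: the first 512-byte sector of a disk has a fixed layout (440 bytes of bootstrap code, a 4-byte disk signature, two reserved bytes, a 64-byte partition table and the 0x55AA boot signature), so a hash of the bootstrap area taken on a known-good system can be compared against later reads. The following Python script is an added example written for this article, not code from FireEye or any of the firms named; the sector it builds is constructed, and the `build_sample_mbr`, `parse_mbr`, `check_mbr_against_baseline` and `read_first_sector` names are the example's own.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# Partition entry layout: status, CHS start, type, CHS end, LBA start, sector count.
PARTITION_ENTRY = "<B3sB3sII"


def build_sample_mbr(bootstrap_fill: int) -> bytes:
    """Construct a synthetic MBR for the demonstration (not a real disk image).

    The 440-byte bootstrap area is filled with one repeated byte so that two
    different fills stand in for 'original loader' and 'replaced loader'.
    """
    bootstrap = bytes([bootstrap_fill]) * 440
    disk_signature = b"\x12\x34\x56\x78"            # constructed value
    reserved = b"\x00\x00"
    # One active NTFS partition (type 0x07) starting at LBA 2048, 1,000,000 sectors long.
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48                    # remaining three entries empty
    return bootstrap + disk_signature + reserved + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into the fields worth baselining."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        offset = 446 + i * 16
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY, sector[offset:offset + 16])
        if ptype != 0:                               # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
    }


def check_mbr_against_baseline(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector with a stored baseline; an empty list means no change."""
    try:
        current = parse_mbr(sector)
    except ValueError as exc:
        # A sector that no longer parses is itself a finding, not a crash.
        return [f"unparseable MBR: {exc}"]
    findings = []
    if current["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def read_first_sector(path: str) -> bytes:
    """Read the first 512 bytes of a raw device or disk image (a live disk needs admin rights)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    original = build_sample_mbr(0x90)            # stands in for the sector captured at baseline time
    baseline = parse_mbr(original)
    print("clean sector:", check_mbr_against_baseline(original, baseline))
    replaced = build_sample_mbr(0xCC)            # same partition table, different bootstrap code
    print("replaced loader:", check_mbr_against_baseline(replaced, baseline))
```

On a live system the sector would be read from the raw device (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux) and the baseline kept off-host; a changed bootstrap hash with an unchanged partition table is the pattern a boot loader replacement leaves, and it is visible from outside the affected system by reading the disk from recovery media.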
This is the second major global ransomware attack in the last two months. In early May, another global cyber attack, WannaCry, built on surveillance tools stolen from the US National Security Agency, engulfed over 150 countries and affected tens of thousands of machines worldwide, including Spanish telecommunications giant Telefónica, operations at the Russian Interior Ministry, and Britain’s National Health Service (NHS), where hospitals were disrupted and medical procedures stalled.
Petya or NotPetya
A variant of the Petya ransomware, which has been around for more than a year, is being blamed for Tuesday's global attack. Petya is a particularly vicious strain: it locks a computer's hard drive as well as the individual files stored on it. Information is harder to recover from computers hit by this ransomware, which can also be used to steal sensitive information.
“The latest ransomware attacks are demonstrating just how vulnerable critical infrastructure is by hitting railways, airports, hospitals and more. The lines between nation-state defense and commercial defense continue to blur. Forcepoint identified that the ransomware spread laterally within an organization via a vulnerability in the Microsoft SMBv1 protocol, very similar to what we saw with WannaCry. The Petya variant ultimately reboots the machine, presenting a faked ‘check disk’ screen, and showing the ransom message. The reboot and subsequent messages are typical of previously observed Petya behavior,” said Matt Moynahan, CEO of Forcepoint, in a statement.
Cyber security experts at Kaspersky Lab, however, released a conflicting report that said the ransomware was not related to Petya but was, in fact, a new program they called 'NotPetya.' According to them, the ransomware appears to carry a forged Microsoft digital signature and to exploit a Microsoft Office vulnerability that security firm FireEye discovered in April.
Kaspersky Lab analysts say new attacks are not a variant of #Petya ransomware as publicly reported, but a new ransomware they call NotPetya! pic.twitter.com/zLwKNOR2VL
— Anis (@0xUID) June 27, 2017
The attack was first reported in Ukraine, where the government, banks, the state power utility and Kiev’s airport and metro system were all affected. Computers running the most recent update of Microsoft's software should be safe from the attack. Users are advised to check that they have installed the latest Windows updates and to refrain from clicking on suspicious links.