
Another ransomware, Petya, is spreading like wildfire across the globe

CIOL Writers

Barely a month after the WannaCry ransomware attack crippled businesses across the globe, a new cyber attack hit companies in Europe, the Middle East and the US on Tuesday. Dubbed 'Petya,' the ransomware has caused serious disruption at large firms including the advertising giant WPP, French construction materials company Saint-Gobain, Russian steel and oil firms Evraz and Rosneft, US pharmaceutical company Merck, and multiple private and public institutions in Ukraine.


According to John Miller, Senior Manager, Analysis, FireEye, Petya does not encrypt individual files on victims' systems, but instead overwrites the master boot record (MBR) and encrypts the master file table (MFT), which renders the system inoperable until the ransom has been paid. The malware contains a dropper, custom boot loader, and a small Windows kernel that executes additional encryption routines.


This is the second major global ransomware attack in the last two months. In early May, another global cyber attack, WannaCry, built on stolen US National Security Agency surveillance tools, engulfed over 150 countries and affected tens of thousands of machines worldwide, including Spanish telecommunications giant Telefónica, the Russian Interior Ministry, and Britain's National Health Service (NHS), where hospitals were disrupted and medical procedures stalled.

Petya or NotPetya

A variant of the Petya ransomware, which has been around for more than a year, is being blamed for Tuesday's global attack. Petya is a vicious form of malware that locks a computer's hard drive as well as the individual files stored on it. Recovering information from computers hit by this ransomware is harder than with file-only encryptors, and the malware can also be used to steal sensitive information.


"The latest ransomware attacks are demonstrating just how vulnerable critical infrastructure is by hitting railways, airports, hospitals and more. The lines between nation-state defense and commercial defense continue to blur. Forcepoint identified that the ransomware spread laterally within an organization via a vulnerability in the Microsoft SMBv1 protocol, very similar to what we saw with WannaCry. The Petya variant ultimately reboots the machine, presenting a faked 'check disk' screen, and showing the ransom message. The reboot and subsequent messages are typical of previously observed Petya behavior," said Matt Moynahan, CEO of Forcepoint, in a statement.

Cyber security experts at Kaspersky Lab, however, released a conflicting report that said the ransomware was not related to Petya but was, in fact, a new program they called 'NotPetya.' According to them, the ransomware appears to employ a forged Microsoft digital signature that exploits a Microsoft Office vulnerability that security firm FireEye discovered in April.

The attack was first reported in Ukraine, where the government, banks, the state power utility and Kiev's airport and metro system were all affected. Computers running the most recent update of Microsoft's software should be safe from the attack. Users are advised to check that they have installed the latest Windows updates and to refrain from clicking on suspicious links.
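The lateral spread over SMBv1 described by Forcepoint above, and the advice to keep Windows updated, both point to one concrete check an administrator can run. The following PowerShell is an added example, not code from the article or from any of the vendors quoted; it assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare and DISM modules present, an elevated session, and function names that are my own.

```powershell
# Added example (not from the article): report whether a Windows host still
# exposes SMBv1, the protocol the ransomware reportedly used to move laterally,
# and optionally turn it off. Assumes an elevated PowerShell session.

function Test-Smb1Exposure {
    # SMB server setting: does this host still answer SMBv1 requests?
    $server = Get-SmbServerConfiguration
    # Optional-feature state (client and server components). On some server
    # SKUs the feature is managed elsewhere, so treat "not found" as NotPresent.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServerSmb1       = $server.EnableSMB1Protocol        # $true means exposed
        Smb1FeatureState = if ($feature) { $feature.State } else { 'NotPresent' }
        Exposed          = [bool]$server.EnableSMB1Protocol -or ($feature -and $feature.State -eq 'Enabled')
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $status = Test-Smb1Exposure
    if (-not $status.Exposed) { Write-Verbose 'SMBv1 already disabled'; return $status }

    if ($status.ServerSmb1 -and $PSCmdlet.ShouldProcess($status.ComputerName, 'Disable SMBv1 on the SMB server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($status.Smb1FeatureState -eq 'Enabled' -and $PSCmdlet.ShouldProcess($status.ComputerName, 'Remove the SMB1Protocol feature')) {
        # Removal completes after a reboot; -NoRestart avoids rebooting unattended
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Test-Smb1Exposure   # re-read state so the caller sees what actually changed
}

# Usage:
#   Test-Smb1Exposure        # report only
#   Disable-Smb1 -WhatIf     # preview the changes
#   Disable-Smb1             # apply them
```

Run `Test-Smb1Exposure` across a fleet (for example via `Invoke-Command`) to find hosts that still answer SMBv1 before deciding where `Disable-Smb1` is safe to apply; legacy devices that depend on SMBv1 will stop connecting once it is off.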
