A new ransomware attack similar to the WannaCry malware released last month was launched Tuesday. It first targeted governmental networks in Ukraine and Russia, then spread quickly to companies including Russian oil giant Rosneft and U.K. advertising firm WPP. Cybersecurity experts say the attack is a new form of the Petya ransomware that exploits a vulnerability in Microsoft Windows for which the company released a patch in March of this year.
The attack locks a computer’s hard drive and displays a message demanding payment of $300 in Bitcoin in order to obtain a key to unlock the drive.
Among the most affected companies is Danish shipping firm AP Moller-Maersk, the world’s largest container shipping company, which said customers are unable to use the firm’s online booking tools and that internal computing systems have closed down. Affected ports include the Port of New York and New Jersey, the largest port on the east coast, and Europe’s largest harbor at Rotterdam.
According to the cybersecurity website KrebsOnSecurity, Symantec has confirmed that the Petya malware uses an exploit called "EternalBlue" that is believed to have been developed by the U.S. National Security Agency and was leaked online in April by a hacker group that calls itself the Shadow Brokers.
Microsoft released a patch for the underlying vulnerability in March, but many companies have apparently failed to apply it; among those were the firms and individuals hit by the WannaCry malware attack in mid-May.
Nicholas Weaver, a security expert at the University of California, Berkeley, told KrebsOnSecurity that the Petya virus was "well-engineered to be destructive while masquerading as a ransomware strain." The ransom note uses the same Bitcoin address for all victims, unlike most ransomware attacks, which create a unique payment address for each victim. Petya also gives victims an email address with which to communicate with the attackers, again unlike other ransomware attacks, which instruct victims to use the Tor network, which anonymizes communications.
"I'm willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware," Weaver said. "The best way to put it is that Petya's payment infrastructure is a fecal theater."
Security firm Kaspersky Labs said its review showed that at least 2,000 organizations had been hit by the attack, but that the malware is "completely new and not seen previously," according to a report at DarkReading. Other researchers said the malware is a variant of Petya known as "Golden Eye."