A massive new ransomware attack similar to the devastating WannaCry virus is hitting corporate and government targets across Europe and Russia, from the A.P. Moller-Maersk shipping line to Russia’s Rosneft oil company.
Warnings of the new virus, named “Petya,” began spreading Monday night into Tuesday morning. Antivirus experts at Kaspersky Labs told Forbes they were monitoring thousands of infection attempts, “comparable in size to WannaCry’s first hours.”
According to Forbes, the infection was initially most severe in Ukraine, striking large energy companies, banks, transportation hubs, and government computer systems, including the postal system and the personal computer of Deputy Prime Minister Pavlo Rozenko.
Various Ukrainian authorities gave assurances their IT departments were working on the problem and warned of such inconveniences as delayed airline flights and the temporary inability to accept bank card payments.
Bloomberg Technology reported over 80 companies in Russia and Ukraine were affected by Petya as of Tuesday morning. Interior Minister Anton Gerashchenko called it the biggest cyber attack in Ukraine’s history and said its goal was “the destabilization of the economic situation and in the civic consciousness of Ukraine,” disguised as an extortion racket with a $300 ransom demanded for each infected machine.
Gerashchenko is not alone in voicing these suspicions, as Forbes also cites experts who believe the Petya outbreak might have begun as a targeted attack on Ukraine or might be a ransomware smokescreen for carefully planned cyber-espionage. The WannaCry virus, which was curiously lax about collecting the surprisingly small ransom for an unprecedented global attack, has been blamed on North Korean hackers. Ukraine has fingered Russia as the culprit for previous cyber attacks against it.
Petya spread to hit such targets as Russia’s Rosneft oil company and Maersk, which acknowledged on Tuesday morning that its computer systems were down across several business units:
We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.
— Maersk (@Maersk) June 27, 2017
According to Bloomberg Technology, Maersk units affected by the attack include “a major port operator and an oil and gas producer,” and customers are currently unable to use Maersk’s online booking tools. The UK Guardian adds that seventeen shipping container terminals used by a Maersk subsidiary, APM Terminals, have been affected.
Kaspersky Labs first discovered the Petya ransomware in May 2016, describing it as a “notable example of the Ransomware-as-a-Service model” because the creators of the virus sell it to other hackers and take a cut of their illicit profits. This iteration of the virus was designed in such a way that only authorized users were able to activate and deploy the malware code.
As of Kaspersky’s initial report, the infection process and ransomware screen greeting victims of the Petya virus looked like this:
This version of Petya was distributed primarily through spam emails with toxic Dropbox links, which Dropbox has since neutralized, according to Kaspersky analysts. The virus payload attacked the boot portion of the targeted hard drive so that Petya effectively replaces the computer’s operating system, masquerading as the Windows “checkdisk” program while it runs amok and takes the user’s data hostage. This seems consistent with the reports from Petya victims, such as the Ukrainian Deputy Prime Minister.
Unfortunately, the new version of Petya incorporates the ETERNALBLUE exploit, stolen from the National Security Agency by hackers, to propagate itself: the very same weaponized code that allowed WannaCry to spread so quickly. According to a report at Bleeping Computer, the new strain of Petya also spreads itself with booby-trapped Microsoft Office documents attached to spam email.
Dismayingly, but unsurprisingly, the hackers who unleashed Petya made sure it does not contain the sort of “kill switch” that allowed a quick-thinking security expert to blunt the spread of WannaCry soon after it was discovered. Bleeping Computer’s report states that Petya is accumulating ransom payments in Bitcoin much faster than WannaCry did.