A new strain of malware began infecting computer systems across the globe on Tuesday. Similar to the WannaCry ransomware that struck last month, the malware used in this week’s attack spreads quickly across multiple computers on a network, encrypting files and displaying a ransom note that requests $300 worth of bitcoin for a decryption key.
Reports of infection began in Ukraine, where computer systems belonging to government ministries, financial institutions, transportation systems, and major energy companies began malfunctioning. The attack was first believed to be caused by a variant of the “Petya” strain of ransomware; however, recent reports from security experts indicate that the malware used during this week’s attack was altered so that, even with a decryption key, encrypted files cannot be recovered. This fact has led several sources to dub the malware “ExPetr” and to speculate that the attacker’s motivations were destructive rather than financial.
In addition to targeting organizations through the use of phishing emails, the attacker also reportedly compromised an automatic software update provided by the Ukrainian tax preparation software M.E.Doc in order to deliver the malware.
Like WannaCry, Petya/ExPetr uses an exploit called “EternalBlue” that the NSA developed as a cyber-spying tool and which was posted publicly by Wikileaks earlier this year. EternalBlue takes advantage of a weakness in the Microsoft Windows operating system that allows the malware to spread quickly from computer to computer in a network, encrypting files along the way.
Microsoft issued a patch for the Windows vulnerability in March 2017. Then, following the WannaCry attack in May, Microsoft released additional security updates and encouraged all customers to update their systems.
Unlike WannaCry, however, Petya/ExPetr is also capable of extracting administrator credentials from a machine’s memory or local filesystem, which may then be used to move to other machines on the network and encrypt them as well. This can occur whether or not those other machines have been patched for the EternalBlue vulnerability. As a result, companies and organizations with even a single unpatched computer would be vulnerable to attack.
Also unlike WannaCry, no universal “kill switch” exists to stop the malware from spreading. In May, during the early hours of the WannaCry outbreak, a computer security researcher discovered that the WannaCry ransomware was communicating out to a nonexistent web URL just before spreading to a new machine on the network. Once the researcher registered the domain and the URL was live, the ransomware could successfully communicate with the web page and stopped spreading. Although subsequent strains were altered to remove this code, the initial discovery of the WannaCry kill switch slowed the spread of that attack. Thus far, no equivalent mechanism has been found in Petya/ExPetr.
Ransom Payments Ineffective
Once infected, computers display a ransom note demanding $300 in bitcoin and instructing users to contact an email address to obtain the decryption key. Shortly after the attack began on Tuesday, however, the German email provider for the account took the email address offline, eliminating the possibility of communication with the attacker.
Further, security researchers who analyzed the Petya/ExPetr malware found that even if companies were able to communicate with the hacker to obtain a decryption key, the files and systems encrypted during this week’s attack cannot be recovered. At the time of posting, only 3.99 bitcoins had been paid to the attacker’s bitcoin wallet, which totals approximately $10,300.
Known Affected Organizations
Kaspersky Lab reports that over 2,000 organizations were targeted in the global attack. Most of the affected organizations are in Ukraine and Russia, but the malware also spread to organizations in the UK, Germany, France, Italy, the US, Belarus, Israel and Poland. The National Cyber Security Centre in London issued a statement acknowledging the threat and instructing organizations to review guidance on responding to ransomware.
Ukraine appears to be the hardest hit, with many state-run organizations and government entities reporting system failures and other issues. Local ministry computers and ATMs for Oschadbank, Ukraine’s state-run bank, displayed the ransom note, while some transportation and metro systems experienced significant delays.
The attack also spread to many European and global companies, including international law firm DLA Piper, UK-based advertising firm WPP, and global pharmaceutical company Merck. The manufacturing industry suffered several infections, including at the Russian steel manufacturer Evraz and Ukrainian aircraft manufacturer Antonov.
In the energy sector, Russian oil giant Rosneft and its subsidiary Bashneft were affected, forcing the company to move to a reserve oil production system. Automatic monitoring systems at the Chernobyl nuclear power plant were also taken offline by the attack, requiring workers to manually monitor conditions at the plant.
Perhaps the most significant global effects of the attack were felt in the shipping industry. Computer systems at Danish shipping company A.P. Moller-Maersk were taken offline, affecting ports and sea shipments around the world. Port terminals run by various divisions of Maersk in the United States, India, Spain, and the Netherlands experienced massive disruptions to IT systems, delaying deliveries and upsetting supply chains for the entire week.
The Petya/ExPetr attack serves as a reminder that cyberattacks can affect more than just computer systems. In addition to developing robust cybersecurity policies and procedures, infrastructure, energy and manufacturing companies should also ensure that critical electronic processes and functions can be completed manually in the event of a large-scale cyber event or computer system malfunction. Also, review our general recommendations regarding legal issues and the response to mass cyber events like the Petya/ExPetr and WannaCry attacks.
Norton Rose Fulbright’s global data protection team is available to assist companies that believe they may be subject to a ransomware attack and to help companies prepare to guard against ransomware and malware attacks. For more information, please visit our website.
To subscribe to updates from our Data Protection Report blog, visit the email sign-up page.