Dozens of organizations have reported computer outages due to cyber attacks that appear to come from ransomware that uses the same Windows exploit as WannaCry.
Following initial reports of affected systems in Russia and the Ukraine on Tuesday, organizations from the UK, Denmark, Spain, France, and the US reported similar attacks on computer systems.
Affected computers display a message in telling the user their files have been encrypted and instructing them to pay around $300 in Bitcoin for a decryption key that, until recently, could have been delivered from an email account hosted on German privacy-focussed email provider Posteo. The firm decided to block the account, meaning victims can't regain access to files even if they do chose to pay.
The attack has hit several huge organizations. Danish shipping giant Maersk said on Twitter that IT systems at multiples sites around the world were under attack.
“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack,” it said.
Maersk’s port operator APM Terminals was also affected, resulting in the closure of 17 shipping container terminals, Reuters reported. Maersk is the world’s largest shipping company.
DLA Piper, one of the world's largest law firms, confirmed it was also affected. “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible."
Other firms affected include UK media agency, WPP, Russian oil firm Rosneft, and several government organizations in the Ukraine, including the agency responsible for monitoring the Chernobyl nuclear plant, which reverted to manually monitoring radiation due Windows system shutdowns.
Ukraine’s National Bank posted a warning to members of the nation’s financial sector over an “unknown virus” affecting several Ukrainian banks. It noted that the nation’s online payments system was however still operational.
According to Kaspersky Lab researcher Costin Raiu, computers in Ukraine are bearing the brunt of this outbreak, followed by Russia, Poland, Italy and Germany. Russian security firm Group-IB said 80 companies, mostly Ukrainian, are affected, including banks, state-owned enterprise, and telecoms operators.
Security researchers initially believed the ransomware behind the outbreak was Petya or a variant of it. Petya was notable for encrypting the whole entire hard disk or Master Boot Record rather than just the files on local drives.
However, Kaspersky Lab has said it’s a previously unseen strain of ransomware, which, due to the earlier analysis, is now being called "NotPetya". British security researcher Kevin Beaumont concurred with Kaspersky's finding, noting that it did share similarities with Petya but sufficiently different to label it as something else.
There’s no disagreement however that NotPetya is spreading with the same Windows exploit used to spread WannaCry ransomware in May. However this strain is more dangerous than WannaCry because, for example, there is no “killswitch”, which allowed a researcher to neuter the threat by registering a domain before it could infect more computers. WannaCry also lacked a way to track payments from different victims.
“WannaCry had all kinds of stupid bugs and issues (hi killswitch). This has no killswitch, and it looks like they had a development budget,” said Beaumont in a tweet.
The exploit itself, known as EternalBlue, was developed by the National Security Agency and leaked by hacking group TheShadowBrokers. The exploit targets the Windows implementation of the SMB file-sharing protocol. Microsoft released a patch for the bug in March, and following the WannaCry outbreak, provided a public patch for unsupported Windows XP.
It’s still unknown exactly how computers are being infected in the first instance, though some security firms claim the first contact is email. As noted by Dutch security firm Fox IT, one method WannaCry spread across networks was by scanning random IP address on the internet for vulnerable Windows systems whereas this ransomware only scans internal hosts.
The reason Ukraine systems have been hit hard could be due to a compromised update system of MeDoc, a Ukrainian account package, according to Cisco’s Talos security team.
MeDocs confirmed it had been hacked. In May it warned of a similar WannaCry-like attack on the companies via a corrupt version of its software, but claimed at the time that its software was vetted by antivirus companies.
Companies that have been infected should not attempt to pay the Bitcoin account displayed in the message. Besides the general advice not to pay ransomware attackers, the email account that victims are told to use to receive the decryption key has now been disabled.
As reported by Motherboard, German email provider Posteo has disabled the attacker's account. The message instructed victims who had paid to confirm their payment by emailing their bitcoin wallet ID to the attackers at the address "firstname.lastname@example.org". Now the account has been blocked, victims who are willing to pay cannot receive the decryption key from the attackers.