By Bob Sullivan
Fri | Jun 30, 2017 | 3:34 AM PDT

A new ransomware attack created computer chaos worldwide on Tuesday, infecting major banks, law firms, shipping companies, and even the Chernobyl nuclear facility.

The outbreak—dubbed both GoldenEye and Petya by researchers—is being compared to WannaCry. While antivirus firms and IT departments struggle to get the outbreak under control, there’s still some debate about how it works and how it spreads. But in some ways, the virus is even more powerful, and more nasty, than WannaCry.

The list of victims is impressive, and alarming. According to security firm Bitdefender, they include: “Chernobyl’s radiation monitoring system, DLA Piper law firm, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosneft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country’s banks.”

Petya is both more viral and more nasty because it doesn’t rely only on the so-called EternalBlue vulnerability to spread—that’s the flaw found by the NSA that was leaked and powered WannaCry. Once a machine on a network is infected, Petya can use a legitimate Windows utility to spread to other machines, even if they are patched against EternalBlue, according to security firm BeyondTrust. It also appears to arrive at many infected firms via phishing.

“Petya is different and could be much worse,” said Morey Haber, vice president of technology at BeyondTrust. “The main takeaway is that WannaCry only had one method to propagate. If a resource was patched, SMB was not exposed to the internet, or the user was running a modern OS (like) Windows 10, the ransomware threat was mitigated. Petya builds on top of this by initially deploying en masse via email and it only takes one system to begin the infection.”

Victims see a message warning that their files are inaccessible, and can only be restored by paying $300 in bitcoins.

“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service,” the virus message says.

Petya is also nasty because in addition to encrypting files, it also encrypts the infected computer’s master boot record, making recovery even more difficult.

The U.S. Department of Homeland Security said it is monitoring the situation. While there are reports of individual U.S. companies being hit, infections appear more prevalent in Europe.

“US-CERT has received multiple reports of Petya ransomware infections occurring in networks in many countries around the world,” said DHS in a statement. “Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.”

Petya was actually initially discovered in 2015; most analysts say it was updated after WannaCry’s success. Others are calling the attack an entirely new piece of malware.

The outbreak is yet another sign that U.S. security is unprepared for the kinds of cyber-attacks that are becoming more common.

“Organizations are still not patching in a timely manner across all assets (especially users), and end users still have administrative rights,” Haber said. “The combination is how Petya is becoming a devastating threat and making organizations realize the strategy of patching servers only is not acceptable.”

This article originally appeared on BobSullivan.net