Update: As researchers learn more about the malware that quickly spread around the world earlier this week, it has become clear the malware wasn’t what it first appeared to be. According to Forbes, multiple security researchers have uncovered flaws in the code that indicate the ransomare now known as NotPetya was designed to cause destruction, not make money. Infected computers become unrecoverable due to the faulty encrpytion, and BleepingComputer reports that victims have stopped paying the ransom. Because Ukraine was a primary target in the attack, a popular theory now suggests that the attack could have been politically motivated.
Have you and your customers started to rest easy now that it’s been a month since the WannaCry ransomware attack hit more than 100 countries around the globe? Well, a new strain of Petya ransomware wants to change that.
And, let’s hope you and your customers all learned your lesson and got around to patching the EternalBlue vulnerability because this new strain is picking up where WannaCry left off.
The new outbreak began spreading quickly on Tuesday, initially hitting European countries hardest. According to Wired, the ransomware has been reported in Ukraine, Russia, India, France, Spain, and the UK. Ukraine has been hit particularly hard with vicitims including a variety infrastructure organzations such as power companies, airports, public transit, and the central bank. Even Rozenko Pavlo, one of Ukraine’s deputy prime ministers, appears to have been hit by Petya, posting a photo on Twitter of a computer locked by the malware.
Та-дам! Секретаріат КМУ по ходу теж “обвалили”. Мережа лежить. pic.twitter.com/B74jMsT0qs
— Rozenko Pavlo (@RozenkoPavlo) June 27, 2017
The most noteable U.S.-based company to be hit so far is Merck. The pharmaceutical giant announced early Tuesday morning that its network had fallen victim to a global hack.
We confirm our company’s computer network was compromised today as part of global hack. Other organizations have also been affected (1 of 2)
— Merck (@Merck) June 27, 2017
Differences from WannaCry
There’s a reason this feels a bit like déjà vu. The new Petya variant appears to be taking advantage of the same EternalBlue exploit that WannaCry used to spread so quickly back in May. A vulnerability that Microsoft patched back in April.
Like WannaCry and other ransomware variants, Petya locks down infected machines and demands that the victims pay $300 in BitCoin in order to unlock the encrypted files.
Several important differences have been discovered with the new malware strain so far:
- Petya initially targets the Master File Table, which, if it’s successfully encrpyted, prevents a system from booting properly until the ransom is paid, which makes the malware more dangerous.
- Petya has no kill switch. WannaCry included a number of errors and even a “kill switch” that researchers were able to use to stop the malware from spreading further, but Wired reports that Petya does not appear to have the same weaknesses.
Smaller than WannaCry?
The full impact of the Petya outbreak has yet to be seen as the outbreak continues to spread. So far, it seems to be somewhat smaller than WannaCry, which we hope is a sign that companies took the hint and patched after WannaCry.
As the Petya ransomware outbreak continues to spread, though, it’s obvious that not everyone got those patches taken care of. For MSPs, this news serves as yet another reminder that it’s time to check in with your customers and make sure that all their security patches are up to date. And, of course, that they have recent backups.
Hey folks, just wanted to check on something…
You did do backups, right? pic.twitter.com/QeO3N7vtHN
— Graham Cluley (@gcluley) June 27, 2017