
NotPetya Ransomware Outbreak Hits Organizations Globally

Organizations worldwide are currently under a cyber-attack involving what was originally believed to be the year-old Petya ransomware, but is now being called “NotPetya” and appears to be a never-before-seen ransomware family.

The attack has already hit Ukraine's central bank and Russian oil giant Rosneft. Government computers, airports, and large communication companies in Ukraine appear to have been affected as well. US biopharmaceutical giant Merck also confirmed that its network has been compromised as part of the global attack.

“Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as originally reported, but a new ransomware that has not been seen before,” the company said in a research note Tuesday afternoon. “That’s why we have named it NotPetya.”

Allan Liska, Intelligence Architect at Recorded Future, told SecurityWeek in an emailed statement that Spain and France were also hit, and that the first victims in the United States have started to emerge. Other security researchers observed attacks in the UK and India, and expect the outbreak to spread to other countries too.

The massive spread comes only a month and a half after WannaCry affected hundreds of thousands of computers worldwide, spreading via an NSA-linked SMB exploit called EternalBlue. According to security company Avira, the currently unfolding attack is using the same exploit to spread like wildfire.

AlienVault also mentions the use of the EternalBlue exploit, which was confirmed by Kaspersky Lab. According to Kaspersky, the malware leverages a modified EternalBlue exploit for propagation, at least within corporate networks. The ransomware “leverages ARP scans and PsExec to spread. PsExec is dropped as dllhost.dat,” AlienVault says.

According to Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, a sample of the newly observed ransomware variant he stumbled upon appears to have been compiled a week ago.

The ransomware variant used in this attack demands a $300 ransom from its victims, and the first payments appear to have been made to the hardcoded Bitcoin wallet it uses.

According to Recorded Future’s Liska, other payloads might also be used in the attack: “There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking trojan; it steals usernames and passwords as well as other personal data from the victim machine and sends it to a command and control host. Which means this attack not only could make the victim’s machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion.”

Mitigation

Unlike WannaCry, the NotPetya ransomware does not appear to have a “kill switch” built in by its developers, but Cybereason Principal Security Researcher Amit Serper discovered a workaround that disables the malware. “To activate the vaccination mechanisms users must locate the C:\Windows folder and create a file named perfc, with no extension name. This should kill the application before it begins encrypting files,” Serper explained in a blog post.
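The vaccination step Serper describes, scripted for fleet-wide rollout as an added example (this is not code from the article or from Cybereason). It assumes it runs with administrative rights on the host being protected; the function name, the read-only attribute and the returned status object are choices made for this example, not part of the original finding.

```powershell
# Creates the extensionless "perfc" vaccine file in the Windows directory so that
# NotPetya exits before encrypting, as described in the Cybereason finding.
# Assumption: runs elevated, since writing to C:\Windows requires admin rights.
function Enable-NotPetyaVaccine {
    param(
        # Defaults to the real Windows directory of this host (normally C:\Windows)
        [string]$WindowsDir = $env:SystemRoot
    )

    # The filename must be exactly "perfc" with no extension
    $vaccine = Join-Path -Path $WindowsDir -ChildPath 'perfc'

    if (Test-Path -LiteralPath $vaccine) {
        Write-Output "Vaccine file already present: $vaccine"
    } else {
        # -Force allows creation inside the protected Windows directory
        New-Item -ItemType File -Path $vaccine -Force | Out-Null
        Write-Output "Created vaccine file: $vaccine"
    }

    # Mark the file read-only so routine cleanup does not silently remove it
    # (example's own hardening choice; not part of the original workaround)
    (Get-Item -LiteralPath $vaccine).IsReadOnly = $true

    # Return a status object so results can be collected centrally, e.g. per host
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $vaccine
        Exists       = Test-Path -LiteralPath $vaccine
        ReadOnly     = (Get-Item -LiteralPath $vaccine).IsReadOnly
    }
}

# Apply on the local host and show the verification result
Enable-NotPetyaVaccine | Format-List
```

The vaccine is a stopgap for this specific sample family only; patching the SMB flaw that EternalBlue exploits remains the durable fix.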

The most important thing companies can do to stay safe from NotPetya and similar threats is to patch their systems.

*Updated with additional details and with information that the malware is not the original Petya. Headline updated accordingly. Additional reporting by Mike Lennon.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
