
NotPetya Ransomware Outbreak Hits Organizations Globally

Organizations worldwide are currently under a cyber-attack involving what was originally believed to be the year-old Petya ransomware but is now being called “NotPetya” and appears to be a previously unseen ransomware family.

The attack has already hit Ukraine's central bank and Russian oil giant Rosneft. Government computers, airports and large telecommunications companies in Ukraine appear to have been affected as well. US biopharmaceutical giant Merck also confirmed that its network was compromised as part of the global attack.

“Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as originally reported, but a new ransomware that has not been seen before,” the company said in a research note Tuesday afternoon. “That’s why we have named it NotPetya.”

Allan Liska, Intelligence Architect at Recorded Future, told SecurityWeek in an emailed statement that Spain and France were also hit and that the first victims in the United States have started to emerge. Other security researchers observed attacks in the UK and India, and expect the outbreak to spread to other countries too.

The massive spread comes only a month and a half after WannaCry infected hundreds of thousands of computers worldwide by spreading through an NSA-linked SMB exploit called EternalBlue. According to security company Avira, the currently unfolding attack uses the same exploit to spread like wildfire.

AlienVault also mentions the use of the EternalBlue exploit, which Kaspersky Lab confirmed. According to Kaspersky, the malware leverages a modified EternalBlue exploit for propagation, at least within corporate networks. The ransomware “leverages ARP scans and PsExec to spread. PsExec is dropped as dllhost.dat,” AlienVault says. The second mechanism matters for defenders: PsExec is a legitimate Sysinternals administration tool that runs over ordinary authenticated SMB, so remote execution through it is not stopped by patching the vulnerability EternalBlue exploits.
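The following PowerShell is an added example, not code from the article or from AlienVault or Kaspersky. It hunts a single Windows host for the propagation artifact AlienVault describes, PsExec dropped as dllhost.dat, by checking for the file on disk and for process-creation audit events that reference it. The article gives the file name but not its location, so searching the Windows directory (`$env:SystemRoot`) is an assumption; the function and parameter names are mine.

```powershell
# Added example: hunt for the PsExec-as-dllhost.dat indicator described above.
# Assumption: the dropper lands in the Windows directory; adjust -SearchRoot if
# your own telemetry shows a different path.
function Find-PsExecDropper {
    [CmdletBinding()]
    param(
        [string]$SearchRoot  = $env:SystemRoot,   # assumption: C:\Windows
        [string]$DropperName = 'dllhost.dat'
    )

    $findings = @()

    # 1. The file itself. The legitimate COM surrogate is dllhost.exe under
    #    System32; a .dat with this name in the Windows root is not normal.
    #    Record the hash and the Authenticode signer so the finding can be
    #    compared with a known PsExec binary rather than judged by name alone.
    $path = Join-Path $SearchRoot $DropperName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'FileOnDisk'
            Where     = $path
            Detail    = "sha256=$hash signer='$($sig.SignerCertificate.Subject)' status=$($sig.Status)"
        }
    }

    # 2. Process-creation auditing. Security event 4688 records the image path
    #    of every new process, so a launch of dllhost.dat stays visible even
    #    after the dropper has been removed. This needs 'Audit Process Creation'
    #    enabled and an elevated shell; no events is therefore not a clean bill.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match [regex]::Escape($DropperName) }
    foreach ($e in $events) {
        $procLine = ($e.Message -split "`r?`n" | Where-Object { $_ -match 'Process Name' }) -join '; '
        $findings += [pscustomobject]@{
            Indicator = 'ProcessCreation'
            Where     = $e.TimeCreated
            Detail    = $procLine.Trim()
        }
    }

    return $findings
}

# Usage: run in an elevated shell on a suspect host. An empty table means
# neither indicator was found, not that the host is clean.
Find-PsExecDropper | Format-Table -AutoSize
```

Because PsExec is a signed administration tool, a valid Microsoft signature on the file does not make it benign; the anomaly is the name, the extension and the location, which is why the function reports the signer and hash rather than filtering on them.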

According to Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, a sample of the newly observed ransomware he came across appears to have been compiled a week ago.

The ransomware variant used in this attack demands a $300 ransom from its victims, and the first payments appear to have been made to the hardcoded Bitcoin wallet it uses.

According to Recorded Future’s Liska, other payloads might also be used in the attack: “There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking trojan; it steals usernames and passwords as well as other personal data from the victim machine and sends it to a command and control host. Which means this attack not only could make the victim’s machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion.”

Mitigation

Unlike WannaCry, NotPetya does not appear to have a “kill switch” built in by its developers, but Cybereason Principal Security Researcher Amit Serper discovered a workaround that disables the malware. “To activate the vaccination mechanisms users must locate the C:\Windows folder and create a file named perfc, with no extension name. This should kill the application before it begins encrypting files,” Serper explained in a blog post. Note that this is a per-host marker: it only protects the machine it is created on and does nothing to stop the exploit from being attempted against that machine over the network, so it is a stopgap rather than a substitute for patching.

The most important thing companies can do to stay safe from NotPetya and similar threats is to patch their systems, in particular against the SMBv1 vulnerability that EternalBlue exploits, which Microsoft fixed in security bulletin MS17-010, and to disable SMBv1 where it is not needed.
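The following PowerShell is an added example, not code from the article or from Cybereason. It applies the perfc marker Serper describes and then reports the host's remaining exposure to EternalBlue: whether SMBv1 is still enabled and whether a given MS17-010 update is installed. Assumptions, all mine: the Windows directory is `$env:SystemRoot`; making the marker read-only is an addition to the quoted instructions, intended to keep the file from being overwritten; the MS17-010 KB number differs per Windows version, so the admin supplies it from the Microsoft bulletin via `-KbId`; the function names are hypothetical.

```powershell
# Added example: apply the perfc vaccine and check EternalBlue exposure.
function Invoke-PerfcVaccine {
    param([string]$WindowsDir = $env:SystemRoot)   # assumption: C:\Windows
    $marker = Join-Path $WindowsDir 'perfc'        # no extension, as specified
    if (-not (Test-Path -LiteralPath $marker)) {
        New-Item -ItemType File -Path $marker | Out-Null
    }
    # Read-only is my addition, not part of the quoted instructions.
    Set-ItemProperty -LiteralPath $marker -Name IsReadOnly -Value $true
    return Get-Item -LiteralPath $marker
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the SMB server settings directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: SMB1 is on unless the LanmanServer 'SMB1' value is set to 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Test-Ms17010Installed {
    # -KbId is the MS17-010 update for this OS build, taken from the bulletin;
    # it is deliberately not hardcoded here because it varies per version.
    param([Parameter(Mandatory)][string]$KbId)
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

# Usage (elevated shell):
$marker = Invoke-PerfcVaccine
"Vaccine marker: $($marker.FullName) (read-only: $($marker.IsReadOnly))"
"SMBv1 enabled:  $(Test-Smb1Enabled)"
# "MS17-010 installed: $(Test-Ms17010Installed -KbId 'KB<from bulletin>')"
```

The marker protects only the host it is written to, so the two checks that follow it are the ones that matter for the network: a host answering `True` for SMBv1 and `False` for the patch is still reachable by the exploit regardless of the vaccine.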

*Updated with additional details and information on not being original Petya malware. Headline updated accordingly. Additional reporting by Mike Lennon

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
