Maersk Confirms Ransomware Containment


Shipping and freight company Maersk has confirmed that it has contained the ransomware infection, and is working on a technical recovery plan.

The company was reportedly among the first to be infected, alongside a number of Ukrainian organisations including an airport, the central bank and the metro system.

In a statement posted on Twitter, Maersk said: “We have shut down a number of systems to help contain the issue. At this point our entities Maersk Oil, Maersk Drilling, Maersk Supply Services, Maersk Tankers, Maersk Training, Svitzer and MCI are not operationally affected. Precautionary measures have been taken to ensure continued operations.

“Maersk Line vessels are maneuverable, able to communicate and crews are safe. APM Terminals is impacted in a number of ports.

“We continue to assess and manage the situation to minimize the impact on our operations, customers and partners from the current situation. Business continuity plans are being implemented and prioritized. The aggregate impact on our business is being assessed.”

As for the ransomware itself, early reports identified it as a Petya variant, an attribution Kaspersky Lab swiftly dismissed. Marcus Hutchins, the researcher who identified the kill switch in May’s global WannaCry outbreak, wrote on MalwareTech that the jury “is still out on whether the malware is Petya or something that just looks like it (it messes with the Master Boot Record in a way which is very similar to Petya and not commonly used in other ransomware)”.

Research by Bitdefender, by contrast, identified the ransomware as ‘NotPetya’, a GoldenEye variant which “is an improved version of Petya” as it “encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer.”

Bitdefender added: “In other words, this new variant combines components from Petya, WannaCry and previous versions of GoldenEye, making it, in fact, a new threat.”

Hutchins said that the important difference between WannaCry and Petya is that WannaCry was likely deployed onto a small number of computers and then spread rapidly, whereas Petya seems to have been deployed onto a large number of computers and then spread via the local network. “Therefore, in this instance there is low risk of new infections more than one hour after the attack (the malware shuts down the computer to encrypt it one hour after execution, by which time it will already have completed its local network scan),” he said.

While WannaCry spread entirely using the SMBv1 exploit EternalBlue, Hutchins said that had the WannaCry “kill switch” not been activated, or not existed at all, the attack would have continued to spread indefinitely across the entire internet. “The current Petya attack is different in the sense that the exploits it uses are only used to spread across a local network rather than the internet (i.e. you are extremely unlikely to be infected if you’re not on the same network as someone who was already infected),” he explained.

“Due to the fact networks are of limited size and fairly quick to scan, the malware would cease spreading once it has finished scanning the local network and therefore is not anywhere near as infectious as WannaCry, which still continues to spread (though is prevented from activating via the ’kill switch’).”
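The two propagation patterns Hutchins contrasts above (a fast sweep of the local subnet versus an internet-wide sweep) leave different footprints in connection logs, and that difference is something a defender can detect. The following is an added example written for this article; it is not code from Hutchins, Bitdefender, Maersk or the malware itself. It assumes lateral movement rides SMB on TCP 445 (as the EternalBlue component would), that “local network” means the source host’s /24, and that eight distinct SMB peers within one minute is the fan-out threshold; the log lines are constructed sample data, not real telemetry.

```python
"""Classify SMB fan-out in a connection log as a local-subnet sweep
(NotPetya-style), an internet-wide sweep (WannaCry-style), or normal."""
import ipaddress
from collections import defaultdict
from datetime import datetime

SMB_PORT = 445
WINDOW_SECONDS = 60     # assumption: a sweep shows up as fan-out within a minute
FANOUT_THRESHOLD = 8    # assumption: >= 8 distinct peers on 445 in one window
SUBNET_PREFIX = 24      # assumption: "local network" is the source's /24

# Constructed sample log (not real telemetry): "timestamp src dst dport".
SAMPLE_LOG = """\
# 10.20.30.5 sweeps nine neighbours on 445 within 16 seconds
2017-06-27T12:00:00 10.20.30.5 10.20.30.1 445
2017-06-27T12:00:02 10.20.30.5 10.20.30.2 445
2017-06-27T12:00:04 10.20.30.5 10.20.30.3 445
2017-06-27T12:00:06 10.20.30.5 10.20.30.4 445
2017-06-27T12:00:08 10.20.30.5 10.20.30.6 445
2017-06-27T12:00:10 10.20.30.5 10.20.30.7 445
2017-06-27T12:00:12 10.20.30.5 10.20.30.8 445
2017-06-27T12:00:14 10.20.30.5 10.20.30.9 445
2017-06-27T12:00:16 10.20.30.5 10.20.30.10 445
# 10.20.30.7 talks to one file server and one host on a neighbouring subnet
2017-06-27T12:00:00 10.20.30.7 10.20.30.200 445
2017-06-27T12:20:00 10.20.30.7 10.20.30.200 445
2017-06-27T12:30:00 10.20.30.7 10.20.31.50 445
2017-06-27T12:40:00 10.20.30.7 10.20.30.200 445
# 10.20.30.9 hits eight public addresses on 445 within 14 seconds
2017-06-27T12:05:00 10.20.30.9 198.51.100.10 445
2017-06-27T12:05:02 10.20.30.9 198.51.100.11 445
2017-06-27T12:05:04 10.20.30.9 198.51.100.12 445
2017-06-27T12:05:06 10.20.30.9 203.0.113.5 445
2017-06-27T12:05:08 10.20.30.9 203.0.113.6 445
2017-06-27T12:05:10 10.20.30.9 203.0.113.7 445
2017-06-27T12:05:12 10.20.30.9 203.0.113.8 445
2017-06-27T12:05:14 10.20.30.9 203.0.113.9 445
# non-SMB traffic is ignored entirely
2017-06-27T12:01:00 10.20.30.8 10.20.30.200 80
"""


def parse_log(text):
    """Parse 'ISO-timestamp src dst dport' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), int(dport)))
    events.sort(key=lambda e: e[0])
    return events


def max_fanout(events, window=WINDOW_SECONDS):
    """Largest number of distinct destinations reached within any
    `window`-second interval. `events` is a time-sorted list of (ts, dst)."""
    best, start, seen = 0, 0, defaultdict(int)
    for ts, dst in events:
        seen[dst] += 1
        # Slide the window's left edge forward until it spans <= window seconds.
        while (ts - events[start][0]).total_seconds() > window:
            old = events[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best


def classify_sources(log_text):
    """Return {src: (verdict, local_fanout, remote_fanout)} for every host
    that initiated SMB connections in the log."""
    per_src = defaultdict(lambda: {"local": [], "remote": []})
    for ts, src, dst, dport in parse_log(log_text):
        if dport != SMB_PORT:
            continue
        subnet = ipaddress.ip_network(f"{src}/{SUBNET_PREFIX}", strict=False)
        per_src[src]["local" if dst in subnet else "remote"].append((ts, dst))

    verdicts = {}
    for src, buckets in per_src.items():
        local, remote = max_fanout(buckets["local"]), max_fanout(buckets["remote"])
        if remote >= FANOUT_THRESHOLD:
            verdict = "internet-wide SMB sweep (WannaCry-style)"
        elif local >= FANOUT_THRESHOLD:
            verdict = "local-subnet SMB sweep (NotPetya-style)"
        else:
            verdict = "normal"
        verdicts[str(src)] = (verdict, local, remote)
    return verdicts


if __name__ == "__main__":
    for host, (verdict, local, remote) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{host:12} local={local:2} remote={remote:2}  {verdict}")
```

The sliding window matters because a local sweep is brief: per Hutchins, the scan finishes well inside the hour before the forced reboot, so a detector that only counts distinct peers per day would blur a NotPetya-style burst into ordinary file-server traffic. The thresholds are placeholders; tune them against your own baseline of legitimate SMB fan-out (backup servers and domain controllers will legitimately exceed them and need an allow-list).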

At the time of writing, 40 payments have been made to the Bitcoin wallet displayed on the infection screen.
