Multiple businesses in the Ukraine have been hit by a new ransomware variant, said to be related to the Petya family.
According to early reports, freight company Maersk is among those who have confirmed that its IT systems are down “across multiple sites and business units”. Also affected are reportedly the banks, power grid companies including the state-owned Ukrenergo and Kyivenergo, postal service, government, media, airport and cell providers.
A Ukrenergo spokesperson told Forbes that power systems were unaffected, saying: "On June 27, a part of Ukrenergo's computer network was cyber-attacked. Similarly, as it is already known with the media, networks and other companies, including the energy sector, were attacked. Our specialists take all the necessary measures for the complete restoration of the computer system, including the official [website]."
A picture of an infected PC was posted by Kiev Metro Alerts, which tells the victim that “your files are no longer accessible, because they have been encrypted” and that ‘nobody can recover your files without our decryption service’ which comes at a cost of $300 worth of Bitcoin.
According to early research by BitDefender, the variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents the victim’s computers from being booted up in a live OS environment and retrieving stored information or samples.
Research by Kaspersky Lab has revealed this to be a variant of the Petya ransomware, which returned with a rebranded version named GoldenEye in 2016.
According to F-Secure, instead of encrypting files on disk, Petya will lock the entire disk, rendering it pretty much useless. “Specifically, it will encrypt the file system’s master file table (MFT), which means the operating system is not able to locate files,” researchers claimed.
“It installs itself to the disk’s master boot record (MBR) like a bootkit. But instead of covert actions, it displays a red screen with instructions on how to restore the system. Going after the MFT is a fast attack that takes far less time than encrypting data files, but the overall affect is the same – the data becomes inaccessible.”
Allan Liska, intelligence architect at Recorded Future, said: “‘This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine. The payload of the phishing attack is twofold: an updated version of the Petya ransomware (older version of Petya are well-known for their viciousness, rather than encrypt select files Petya overwrote the master boot record on the victim machine, making it completely inoperable).
“There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue exploit which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to the Ukraine). Our threat intelligence also indicated that we are now starting to see US victims of this attack.
“There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking Trojan, it steals usernames and passwords as well as other personal data from the victim machine and sends it to a command and control host. Which means this attack not only could make the victim's machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion.”