Companies in the UK, USA and across Europe are reported to have been infected with the widely-reported ransomware.
While research by Kaspersky Lab has claimed that this is not the Petya variant, as reported earlier, but instead is a brand new variant, companies including US pharmaceutical Merck, law firm DLA Piper and a hospital in Pittsburgh, and UK digital advertising firm WPP are among those who have been affected.
Becky Pinkard, vice president of service delivery and intelligence at Digital Shadows, said: “There is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilizes the EternalBlue SMBv1 worm functionality. More work is needed to investigate the way the virus propagates; in the meantime businesses are urged to ensure their software is up-to-date and all files backed up.”
At the time of writing, the Bitcoin wallet associated with this attack showed 27 payments had been made; all of which were made today.
Brian Hussey, VP of cyber threat detection and response at Trustwave, said: “This version is a much more advanced approach that requires a sophisticated skillset in programming and truly renders everything on the victim’s computer fully inaccessible. It does not just encrypt user files on the existing Operating System, rather it launches a custom bootloader that encrypts the Master File Table and the Master Boot Record, as well as system files. It restarts the computer and launches directly into the Petya bootloader, thereby cutting any access to the Operating System (or any files) at all, until the ransom is paid and the computer can go back to booting normally.
“Original versions of Petya released in 2016 showed programming errors that allowed a security analyst to decode the ransomed files. This issue was fixed in recent versions of the malware and I wouldn’t expect this to be present in current versions”
However Kaspersky Lab researchers said that its preliminary findings suggested that it is not Petya. It said: “This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.”
In terms of how it infected business, early analysis suggested that it uses a combination of the EternalBlue vulnerability that was used for the WannaCry ransomware in May, as well as Windows Management Instrumentation Command-line (WMIC) and the PsExec tool.
Also, it was reported that Posteo administrators have disconnected the email address associated with paying the ransomware. Pinkard said: “This means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so.”