A new ransomware outbreak utilizing a leaked NSA exploit is currently infecting computers across the globe, including those used to monitor radiation levels at Ukraine’s Chernobyl nuclear power plant.
Widely referred to as Peyta – though the attack is new and not a Peyta variant – the virus uses the same Windows SMB flaw that allowed last month’s WannaCry outbreak to spread so quickly.
The malicious software, which has thus far been detected in countries such as Russia, Ukraine, Poland, Spain, Italy, Germany, France, the UK and US, encrypts and alters critical system files before demanding $300 worth of Bitcoin.
Initially, nearly all antivirus programs were unable to detect the ransomware – which disguised itself as an approved Microsoft file.
Prominent victims include Denmark-based shipping firm Maersk, multinational law firm DLA Piper, medical facilities in Pittsburg as well as Ukraine’s central bank and the Chernobyl nuclear power plant.
The plant, which suffered a catastrophic nuclear accident in 1986, is still being decommissioned to this day.
According to a Ukranian newspaper, Chernobyl staff have been forced to begin monitoring radiation levels manually as their computers remain crippled. Vladimir Ilchuk, the plant’s shift director, said “excess levels of control” helped avert any potential radiation leaks.
Victims are being told not to pay the ransom as the email accepting Bitcoin payments – email@example.com – has been shutdown by the provider. Although Microsoft released a patch for the SMB vulnerability prior to the WannaCry outbreak, the exploit continues to be useful as countless computers have failed to apply the security update.
While Microsoft’s update will stop the ransomware from remotely infecting vulnerable computers with SMBv1 enabled, patched machines can still be hit if the virus makes its way into their network.
According to cybersecurity expert Matthew Hickey, co-founder of UK-based Hacker House, affected users can avoid having their files encrypted by turning off their computer when presented with the message below:
Amit Serper, a security researcher with Cybereason, similarly discovered a method to stop the malware on a compromised computer.
“While analyzing the ransomware’s inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk…” writes Bleeping Computer’s Catalin Cimpanu. “This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.”
As of publication, those responsible for the outbreak have received 3.15303437 BTC or roughly $7422.05.
Some analysts believe, given the timing of the attack, that the ransomware was used not for monetary gain but for instilling chaos in Ukraine specifically.
“In Ukraine tomorrow is a holiday – June 28 – Constitution Day,” Nick Bilogorskiy, senior director of threat operations at Cyphort, told CyberScoop. “Hackers are known to seed malware outbreaks right before the holidays, to make the recovery take longer.”
Security researcher “The Grugq” also notes that the ransomware authors, while sophisticated, made decisions that clearly inhibited their ability to quickly collect payment.
“Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline,” he writes. “There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.)”
“Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of ‘send a personal cheque to: Petya Payments, PO Box …’).”
“This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.'”