A new ransomware outbreak utilizing a leaked NSA exploit is currently infecting computers across the globe, including those used to monitor radiation levels at Ukraine’s Chernobyl nuclear power plant.
Widely referred to as Petya – though the attack is new and not a Petya variant – the virus uses the same Windows SMB flaw that allowed last month’s WannaCry outbreak to spread so quickly.
The malicious software, which has thus far been detected in countries such as Russia, Ukraine, Poland, Spain, Italy, Germany, France, the UK and US, encrypts and alters critical system files before demanding $300 worth of Bitcoin.
Initially, nearly all antivirus programs were unable to detect the ransomware – which disguised itself as an approved Microsoft file.
Prominent victims include Denmark-based shipping firm Maersk, multinational law firm DLA Piper, medical facilities in Pittsburgh as well as Ukraine’s central bank and the Chernobyl nuclear power plant.
The plant, which suffered a catastrophic nuclear accident in 1986, is still being decommissioned to this day.
According to a Ukrainian newspaper, Chernobyl staff have been forced to begin monitoring radiation levels manually as their computers remain crippled. Vladimir Ilchuk, the plant’s shift director, said “excess levels of control” helped avert any potential radiation leaks.
We confirm some Maersk IT systems are down. The safety of our customers’ business and our people is our top priority. Updates to follow.
— Maersk Line (@MaerskLine) June 27, 2017
We confirm our company’s computer network was compromised today as part of global hack. Other organizations have also been affected (1 of 2)
— Merck (@Merck) June 27, 2017
Targeted in Ukraine cyberattack:
– Metro network
– Electric grid
– Ministry sites
– Media outlets
– State owned companies
— The Spectator Index (@spectatorindex) June 27, 2017
Victims are being told not to pay the ransom as the email account accepting Bitcoin payments – email@example.com – has been shut down by the provider. Although Microsoft released a patch for the SMB vulnerability prior to the WannaCry outbreak, the exploit continues to be useful as countless computers have failed to apply the security update.
While Microsoft’s update will stop the ransomware from remotely infecting vulnerable computers with SMBv1 enabled, patched machines can still be hit if the virus makes its way into their network.
If #Petya gets in, you are in for a ride. It is using WMIC and PSEXEC to laterally pivot and infect patched systems. Just like a pentester.
— Carbon Dynamics (@CarbonDynamics) June 27, 2017
According to cybersecurity expert Matthew Hickey, co-founder of UK-based Hacker House, affected users can avoid having their files encrypted by turning off their computer when presented with the message below:
If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine. pic.twitter.com/IqwzWdlrX6
— Hacker Fantastic (@hackerfantastic) June 27, 2017
Amit Serper, a security researcher with Cybereason, similarly discovered a method to stop the malware on a compromised computer.
copy NUL C:\Windows\perfc.dat pic.twitter.com/XxrBzkfRgG
— Florian Roth (@cyb3rops) June 27, 2017
“While analyzing the ransomware’s inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk…” writes Bleeping Computer’s Catalin Cimpanu. “This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.”
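The local-file check described above can be applied with a short script. This is an added example, not code from the article or from Cybereason: it creates the zero-byte C:\Windows\perfc.dat file from the tweet, marks it read-only, and also reports whether SMBv1 is still enabled, the exposure the article discusses. The function name Install-PerfcVaccine is my own, and whether a given sample honours the check is an assumption to confirm against current vendor guidance.

```powershell
# Added example (not from the article). Run from an elevated prompt, since
# C:\Windows is a protected location.
#Requires -RunAsAdministrator

function Install-PerfcVaccine {
    param(
        # The file NotPetya is reported to look for before encrypting (from the page).
        [string]$Path = (Join-Path $env:SystemRoot 'perfc.dat')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # Equivalent of "copy NUL C:\Windows\perfc.dat": an empty file.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # Read-only, as the Bleeping Computer write-up recommends, so it is not
    # casually removed or overwritten.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # SMBv1 status: the worm's remote spread relies on the SMBv1 flaw, so an
    # enabled SMBv1 server is still an exposure even with the vaccine in place.
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later
    # (assumption: older hosts will report "unknown").
    $smb1 = 'unknown'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Return the resulting state so an operator can verify the mitigation.
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path         = $item.FullName
        SizeBytes    = $item.Length
        IsReadOnly   = $item.IsReadOnly
        SMB1Enabled  = $smb1
    }
}

Install-PerfcVaccine | Format-List
```

A result showing IsReadOnly True and SMB1Enabled False is the state the article's mitigations aim for; the patch for the SMB flaw still has to be applied separately.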
As of publication, those responsible for the outbreak have received 3.15303437 BTC or roughly $7422.05.
Some analysts believe, given the timing of the attack, that the ransomware was used not for monetary gain but for instilling chaos in Ukraine specifically.
“In Ukraine tomorrow is a holiday – June 28 – Constitution Day,” Nick Bilogorskiy, senior director of threat operations at Cyphort, told CyberScoop. “Hackers are known to seed malware outbreaks right before the holidays, to make the recovery take longer.”
Security researcher “The Grugq” also notes that the ransomware authors, while sophisticated, made decisions that clearly inhibited their ability to quickly collect payment.
“Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline,” he writes. “There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.)”
“Predictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of ‘send a personal cheque to: Petya Payments, PO Box …’).”
“This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.’”