Another global ransomware attack underway as reports of Petya exploit spread

Latest cyber attack appears to be based on the same EternalBlue exploit used by the WannaCry ransomware that hit the NHS in May.

Organisations in Europe and the UK have already been affected with another major ransomware outbreak which is happening around the globe.

To begin with the new ransomware attack was announced as Petya, according to Symantec it is based on the same EternalBlue exploit used by the WannaCry attack which hit the NHS last month (May 2017). However, very recent reports from researchers at Kaspersky Lab are suggesting it might not be the modified version of Petya, they did however confirm it is based on EternalBlue.

This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network,” said Kaspersky in a tweet.

Kaspersky are indicating that around 2,000 users were attacked around 6.00pm on 27^th June, with suggestions that organisations in the following countries have been affected:- Russia Ukraine, Poland, Italy, UK, Germany, France and the US.

The first reports on this attack were coming from companies in the Ukraine, the UK advertising agency WPP have also reported problems. A tweet from the shipping company Maersk said that IT systems in the UK and elsewhere have been affected.

“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack. We continue to assess the situation. The safety of our employees, our operations and customers’ business is our top priority. We will update when we have more information,” the company said in a tweet.

The UK’s National Cyber Security Centre (NCSC) also confirmed it was looking into the attack. “We are aware of a global ransomware incident and are monitoring the situation closely,” said an NCSC spokesperson. “The NCSC website provides advice to the public and business on how to protect your digital systems.”

There is a known vulnerability in the server message block protocol in Microsoft Windows, and it is this that EternalBlue targets. It is thought the exploit was developed by the US National Security Agency (NSA) and then it was released by the hacking group Shadow Brokers who claim to have stolen it from the NSA. Microsoft has since issued a patch for the vulnerability.

“Symantec analysts have confirmed Petya ransomware, like WannaCry, is using EternalBlue exploit to spread,” said the Symantec security response team in a tweet.

The WannaCry ransomware attack which shut down NHS hospital services in the UK in additional to spreading across 150 countries was also based on EternalBlue. This new Petya attack follows a similar format by encrypting files and then asking for a $300 Bitcoin payment in order to release the computer.

Rob Wainwright, executive director of European Union crime agency Europol, said in a tweet: “We are urgently responding to reports of another major ransomware attack on businesses in Europe.”

It is being warned by security experts that these cyber attacks are progressively becoming the “new normal” to businesses.

“These public outings of large, high-profile attacks are becoming more frequent, faster-acting and more damaging.  Essentially, every organisation, regardless of size or industry, is vulnerable,” said Ross Brewer, European managing director at LogRhythm.

Jason Allaway, vice president UK and Ireland at RES, added: “Following the WannaCry attack, it was only a matter of time before we saw another major ransomware incident. As this attack continues to spread globally, firms in all industries need to tighten the hatches and ensure they have the processes in place to minimise the risk.”

According to security researchers, they found that Windows 7 devices which in particular were running the 64-bit edition, were the worst affected by last month’s WannaCry attack and were responsible for its wide and fast spread.