A fast-moving ransomware attack has hit a number of companies in several European countries and the United States, the second such widespread ransomware outbreak in as many months.
The attack was originally thought to be a new variant of the Petya ransomware, but researchers have said that it appears to be an entirely new ransomware strain. There are reports of infections in several countries, including Ukraine, India, France, Russia, and Spain, as well as in the U.S. Security researchers said the ransomware being used in this campaign uses a fake Microsoft digital signature that was lifted from a legitimate Microsoft utility. The variant appears to be just a few days old and it reportedly uses the same EternalBlue exploit developed by the NSA that the WannaCry ransomware worm used in May.
“The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp,” Costing Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, said Tuesday morning as the attack was spreading.
As the attack campaign was proceeding Tuesday, there were concurrent reports that some large organizations had been attacked, including Maersk, the global shipping company, and the National Bank of Ukraine. However, neither of those organizations identified ransomware as the cause of their network troubles. The Ukrainian national power company, Ukrenergo, also was reportedly targeted.
“We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation,” Maersk said in a statement on Twitter.
Researchers at Kaspersky said that after analyzing the ransomware sample used in Tuesday’s attacks, they found that it was not actually a version of Petya, but a separate variant altogether.
“Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. That is why we have named it NotPetya,” Kaspersky said in a statement.
“This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.”
The EternalBlue exploit targets a known vulnerability in Windows’ SMB protocol implementation, a bug that Microsoft patched several months ago. The exploit first surfaced in WannaCry last month and that ransomware variant used it to spread to new machines. Researchers say that the NotPetya ransomware is using the same vulnerability and some similar exploit code, but add that there likely is at least one other infection vector.
“Based on observed in-the-wild behaviors, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos continues to research the initial vector of this malware,” Alexander Chiu of Cisco’s Talos research team wrote in a post.
A message on the MeDoc site says, “Attention! Our server made a virus attack. We apologize for the inconvenience!”
Interestingly, researchers have not identified the command-and-control infrastructure for the NotPetya ransomware. Several researchers have speculated that money may not be the primary or even secondary motive for the attack, since the payment system for NotPetya is difficult to use and doesn’t seem geared toward actually taking payments.
This outbreak comes just a month after the WannaCry ransomware campaign hit companies around the world.
This story was updated at 1:09 PM on June 27 to include the new information on the ransomware’s name. The story was further updated at 2:28 PM to include the infection vector information from Cisco.