Just a few short weeks after WannaCry (also known as WannaCrypt) raged across the world, another brand of ransomware is wreaking havoc across Europe, and has now begun spreading to the US.
Cybersecurity researchers at Symantec and other firms have confirmed that the new ransomware, called 'Petya', is being spread using EternalBlue, the Windows SMBv1 exploit leaked in April by the hacker group known as the Shadow Brokers. EternalBlue is just one of many exploits and vulnerabilities attributed to the US National Security Agency and its spying campaigns.
According to Reuters, the first reports of organisations being hit emerged from Russia and Ukraine, but the infection quickly spread to Romania, the Netherlands, Norway, and Britain. Not just individuals, but a number of major corporations have begun reporting that they have been locked out of their systems by Petya. WPP, one of the biggest advertising agencies in the world, was among the hardest hit by the attack, though other European media content groups have also been crippled.
Other victims of the ransomware include Ukraine's central bank, state telecom and municipal metro facilities, and even the Kiev airport. It doesn't stop there: reports are emerging that the Chernobyl nuclear power plant has switched to manual radiation monitoring after a few computers there were infected by the malware.
[Image: An infected ATM in Ukraine]
Microsoft released the patch for the SMBv1 flaw EternalBlue exploits (MS17-010) back in March, so if you have kept your home computer updated, the exploit itself cannot reach you. This is one situation where larger corporations are at higher risk: patching is slower on big fleets, and researchers have reported that once inside a network this ransomware also spreads using harvested credentials and legitimate administration tools, so a single unpatched machine can put patched neighbours at risk. However, on the off chance your system does get infected, you might have to live with the fact that you will never see your files again.
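For readers who want to check their own Windows machine rather than take "updated" on faith, the following is an added example (not code from the original article or from any of the researchers it cites). It checks whether the SMBv1 server, the protocol EternalBlue attacks, is still enabled, looks for an MS17-010 update, and turns SMBv1 off. The KB identifiers in the list are assumed to be the March 2017 MS17-010 updates for Windows 7 and Server 2008 R2; other Windows versions ship the fix under different KB numbers, so adjust the list from the MS17-010 bulletin for your build. The `Get-SmbServerConfiguration` and `Set-SmbServerConfiguration` cmdlets exist on Windows 8 / Server 2012 and later; on Windows 7 the registry fallback below is used instead.

```powershell
# Added example, not part of the original article. Run from an elevated PowerShell prompt.
# Assumption: KB numbers below are the MS17-010 updates for Windows 7 / Server 2008 R2
# (KB4012212 security-only, KB4012215 monthly rollup). Change them for other Windows versions.
$ms17010Kbs = @('KB4012212', 'KB4012215')
$smb1RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is the SMBv1 server component enabled?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 fallback: SMB1 is on unless the 'SMB1' value is explicitly 0.
    $smb1Value = (Get-ItemProperty -Path $smb1RegPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)
}
Write-Host "SMBv1 server enabled: $smb1Enabled"

# 2. Is one of the MS17-010 updates installed?
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Host "No MS17-010 update from the KB list found; run Windows Update and re-check."
}

# 3. Remediation: EternalBlue needs SMBv1, so disabling the protocol removes the
#    attack surface even on a host that is already patched.
if ($smb1Enabled) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $smb1RegPath -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Host "Registry updated; a reboot is required for the change to take effect."
    }
    Write-Host "SMBv1 server disabled."
}
```

Disabling SMBv1 is safe on modern networks, but very old file servers and some printers still speak only SMBv1, so test before rolling the change out across a company. Note that this check covers only the EternalBlue path; it says nothing about whether credentials on the host could be harvested and reused against other machines.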
You see, the ransomware's creators have placed a message that flashes on an infected computer's screen, demanding the victim pay $300 in Bitcoin to a specific wallet address. Once that's done, the victim is told to send a payment confirmation and their personal installation key (the unique ID displayed in the message) to a specific email address. Posteo, the Berlin-based email provider whose service the ransomware's creators were using to keep in touch with their victims, went ahead and blocked that mailbox. "We do not tolerate any misuse of our platform: The intermittent blocking of abused mailboxes is a normal procedure of providers in such cases," the company said in an announcement. Of course, what that also means is that there is no point in paying anymore: the victims cannot contact the perpetrators, and therefore cannot get their files decrypted. It's all gone.
However, there is another nugget of information to consider. Though this ransomware is being referred to as Petya, that is actually the name of a ransomware family from 2016. While the new entry definitely borrows from its name-sharing ancestor, and definitely follows in the footsteps of WannaCry, there are a few identifiable differences. That, coupled with the fact that the perpetrators relied on a single, easily blocked email address for payment handling, is leading some cybersecurity experts to believe there is more to this than meets the eye.
In the meantime, don't expect a repeat of WannaCry with "NotPetya": the likelihood of this second ransomware having a hidden kill-switch is extremely low. Instead we might just have to sit tight and weather the coming storm.