A major cyber-attack is spreading across Europe today (June 27th), shutting down several firms across the continent. The ransomware appears to be a new strain of Petya, which is inspired by the WannaCry outbreak that occurred last month. While the initial outbreak of Petya appears to be smaller than WannaCry, over eight countries have already been affected.
Previous strains of Petya ransomware encrypt the Master File Table (MFT) of New Technology File System (NTFS) partitions and overwrite the Master Boot Record (MBR) with a custom bootloader that displays a ransom note and prevents the victim's computer from booting. These characteristics make Petya more dangerous than other ransomware variants: rather than encrypting individual files, it leaves the victim unable to use the machine at all.
The current Petya outbreak has the same characteristics but adds a Server Message Block (SMB) spreading component similar to the leaked NSA exploit ETERNALBLUE. That SMB component is what makes this Petya strain and WannaCry so dangerous: its worm capabilities allow the ransomware to spread on its own to other computers on the network.
Currently, Petya is reported to be spreading via spam e-mail carrying a malicious Office document. Once the document is opened, the ransomware is downloaded and installed on the victim's machine. The SMB worm component then executes, and the ransomware spreads to other reachable machines.
So far, Ukraine's government, banks, and electricity grid have been hit the hardest by the Petya outbreak. However, the outbreak has also caused serious issues in Britain, France, the Netherlands, and Russia. While WannaCry hit 230,000 machines in over 150 countries, Petya has already collected in a few hours the amount of ransom that took WannaCry a full day.
The WannaCry outbreak was shut down by a kill-switch mechanism. While it’s still early in the cyber-attack, it doesn’t appear that Petya has a similar weakness. We will keep you updated as the events of the Petya outbreak unfold. If you think you've been hit, we can help.
Further Reading: What is Ransomware