New ransomware outbreak reported all over world


A new, fast-growing ransomware outbreak is spreading across Europe, with infections also reported in the United States and India. 

Though widely reported to be a variant of the Petya ransomware, there is disagreement among researchers as to whether it is actually Petya or something with a similar design.

The ransomware encrypts files on Windows computers and demands a $300 ransom to have them unencrypted.


The ransomware appears to be spreading quickly. Dave Kennedy of security consulting firm TrustedSec wrote on Twitter that he observed more than 5,000 infections in a 10-minute period.

Kennedy said the malware infects systems, forces them to reboot and then displays a ransom message as the computer boots.

Merck, the U.S.-based pharmaceutical company, announced its systems had been compromised. The U.S. workday starts later than the rest of the world and the stateside spread of the ransomware is expected to accelerate as the domestic workday progresses.

The shipping company Maersk reported being hit by the ransomware, claiming its global network might be compromised. 

Many of the first reports came from Ukraine.

Ukraine’s national bank said that some banks, as well as businesses and public organizations, had been affected by the malware. Reports indicate that the state power company was also affected. 

Ukraine’s national bank said in a statement Tuesday that it had "warned banks and other financial market participants about an external hacker attack on the websites of some Ukrainian banks, as well as commercial and public enterprises, which was carried out today."

"As a result of these cyberattacks, banks experience difficulty in servicing customers and performing banking operations. All the financial market participants have taken steps to tighten security measures to counteract these hacker attacks," it continued. "The [National Bank of Ukraine] is confident that the banking infrastructure is securely protected from cyberattacks and any attempts to perform hacker attacks will be efficiently warded off. The NBU closely monitors developments and informs market participants about the cybersecurity measures taken to protect the banking system."

Ukraine’s deputy prime minister Rozenko Pavlo shared photos on social media of a boot screen displaying the ransomware at work. Symantec researcher Ankit Singh also shared a photo on Twitter. 

Early reports claimed the ransomware was within the same family as Petya. But there is now a growing debate over how connected the new ransomware is to Petya. 

Kaspersky Lab, which first identified the Petya family, disputed the connection.

"Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. That is why we have named it NotPetya," the antivirus company said in a statement.

U.K.-based researcher Kevin Beaumont wrote on Twitter, "Okay, this indeed isn't Petya -it shares similarities though."

The antivirus firm BitDefender claims that it is "almost identical" to a recent offshoot of Petya named GoldenEye that built off of Petya and other sources. Other researchers have backed that claim.

Both BitDefender and Kaspersky agree that the ransomware uses multiple infection mechanisms, including the same one that fueled the WannaCry outbreak, known as EternalBlue.

EternalBlue was one of a number of computer vulnerabilities leaked by the group the ShadowBrokers, apparently from a stolen cache of NSA cyberweaponry.

Ryan Naraine, a researcher with Kaspersky Lab, identified three different vectors the malware uses to attack: EternalBlue, a vulnerability in accounting software mandated throughout Ukraine, and a second vulnerability in the Windows file-sharing process exploited by EternalBlue.

The ransomware, reports Bitdefender, encrypts both files and segments of the file storage system. Older versions of Petya only struck the file storage system. 

On Twitter, Mikko Hypponen, the chief research officer of the antivirus firm F-Secure, identified more than 60 file types that Petya ransomware directly encrypts, including Microsoft Office files, PDFs, compressed files and source code.

This story was last updated at 3:02 p.m.