Another massive ransomware attack has hit more than 2 000 computers around the world – but even if users pay the ransom, they won’t get their data back.
The new attack is a variant of the Petya code. It appears to have originated in Ukraine, where the power grid, airport, national bank and communications firms all experienced problems early Tuesday morning.
The attack has since spread through Europe and beyond, with victims told to pay $300 in bitcoin to have their data decrypted.
However, less than 24 hours after the attack is known to have started, paying the ransom is no longer an option.
Because the email address to which victims were told to send their Bitcoin wallet ID and personal installation key has been shut down by the provider, security company Eset advises people not to pay the ransom, as they will not be able to receive the decryption key.
By late Tuesday afternoon, the ransomware was being reported in Ukraine, the UK, Russia, Norway, France, Spain, India and the US.
According to Eset, the ransomware appears to be a version of Petya. If it successfully infects the MBR, it will encrypt the whole drive itself; otherwise, it encrypts all files.
To spread, it appears to be using a combination of the SMB exploit (EternalBlue) used by WannaCry to get inside a network, and then PsExec to move from machine to machine within that network.
“This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully, most vulnerabilities have been patched,” according to Eset. “It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.”
The company has been updating its blog as the attack unfolds, and during the night researchers located the point from which the epidemic started.
The early attacks in Ukraine compromised the accounting software M.E.Doc. Because some companies executed a trojanised update of M.E.Doc, attackers were able to launch the massive ransomware campaign.
Becky Pinkard, vice-president: service delivery and intelligence operations at Digital Shadows, urges businesses impacted by the latest Petya attack not to pay the $300 bitcoin fee. “Posteo administrators have disconnected the email address associated with paying the ransomware to get unlock keys for impacted systems. It means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so.”
To protect themselves from infection, users should ensure their systems have the latest patches, including the fix described in Microsoft security bulletin MS17-010, Sophos advises.
They can also consider blocking the Microsoft PsExec tool from running on users' computers, since a version of this tool is used in a second technique the Petya variant relies on to spread automatically.
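Blocking PsExec outright is not always practical (administrators use it legitimately), so a detection in the security operations team's log pipeline is a useful complement to the advice above and to the lateral-movement description earlier in the article. The following is an added example, not code from the article, Eset or Sophos. When PsExec runs against a remote host it copies its service binary into the ADMIN$ share (the Windows directory root) and registers a service, which the target logs as System Event ID 7045 ("A service was installed in the system"); by default the service and binary are both named PSEXESVC, but PsExec's `-r` switch and PsExec-style tools can use other names. The sample events and the pipe-delimited layout below are constructed for this example, and the allowlist of legitimate root-directory service binaries is an assumption to tune per environment.

```python
"""Flag PsExec-style remote service installs in Windows System log events.

Added example (not from the article, Eset or Sophos). Input lines are a
constructed, pipe-delimited rendering of Event ID 7045 fields:
EventID|Computer|ServiceName|ImagePath|AccountName
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

WINDOWS_ROOT = r"C:\Windows"          # assumption: default %SystemRoot%
# Assumption: legitimate installers known to drop a service binary in the
# Windows directory root; extend for your environment.
KNOWN_ROOT_SERVICES = {"sysmon.exe", "sysmon64.exe"}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = """\
7045|FIN-PC01|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|LocalSystem
7045|FIN-PC02|Sysmon64|C:\\Windows\\Sysmon64.exe|LocalSystem
7045|FIN-PC03|3f2c1a|%SystemRoot%\\3f2c1a.exe|LocalSystem
7036|FIN-PC01|Spooler|C:\\Windows\\System32\\spoolsv.exe|LocalSystem
7045|HR-LAPTOP7|MSSQL$SQLEXPRESS|"C:\\Program Files\\Microsoft SQL Server\\MSSQL14.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe" -sSQLEXPRESS|NT Service\\MSSQL$SQLEXPRESS
"""


@dataclass
class Finding:
    computer: str
    service_name: str
    image_path: str
    severity: str
    reason: str


def _binary_from_image_path(image_path: str) -> str:
    """Return the executable path from a service ImagePath (quotes and arguments removed)."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        p = p[1:end] if end != -1 else p[1:]
    else:
        p = p.split(" ", 1)[0]
    # Expand the variables PsExec-style tools use; a real pipeline would use the host's env.
    return re.sub(r"(?i)%(systemroot|windir)%", lambda m: WINDOWS_ROOT, p)


def classify_service_install(service_name: str, image_path: str) -> tuple[str, str] | None:
    """Return (severity, reason) for a 7045 event, or None if it looks benign."""
    binary = _binary_from_image_path(image_path)
    base = ntpath.basename(binary)
    parent = ntpath.dirname(binary)
    if service_name.upper() == "PSEXESVC" or base.upper() == "PSEXESVC.EXE":
        return "high", "default PsExec service name or binary"
    if parent.lower() == WINDOWS_ROOT.lower() and base.lower() not in KNOWN_ROOT_SERVICES:
        return "medium", ("service binary dropped in the Windows directory root (ADMIN$ share), "
                          "as renamed PsExec (-r) and PsExec-style tools do")
    return None


def scan_events(text: str) -> list[Finding]:
    """Run the classifier over pipe-delimited event lines, returning only 7045 hits."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, computer, service_name, image_path, _account = line.split("|", 4)
        if event_id != "7045":
            continue
        verdict = classify_service_install(service_name, image_path)
        if verdict:
            severity, reason = verdict
            findings.append(Finding(computer, service_name, image_path, severity, reason))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.computer}: service {f.service_name!r} -> {f.image_path} ({f.reason})")
```

On the constructed sample, FIN-PC01 is flagged high (default PsExec names) and FIN-PC03 medium (an unrecognised binary in the Windows root), while the Sysmon install, the SQL Server service and the non-7045 event pass. The medium tier is deliberately a heuristic: legitimate software occasionally drops binaries in the Windows root, so the allowlist needs tuning before the rule pages anyone.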
The security software company says users should back up regularly and keep a recent backup copy off-site, preferably encrypted.
Users should also be advised not to open email attachments from senders they don't know, even in roles such as HR or accounts where handling attachments is part of the daily routine.