Home / News I have a News Tip

Petya Ransomware Spreading Rapidly Worldwide, Effecting Banks, Telecom, Businesses, Power Companies

Supermarket 'Rost' in Kharkiv, East Ukraine – all the payment terminals appear to have been hit by the Petya ransomeware. (Photo posted on Twitter this morning by Mikhail Golub / @golub)

A large scale ransomware attack today is spreading rapidly worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins. Multiple sources are reporting that this variant of Petya ransomeware, also known as Petwrap, is using the WannaCry vulnerability that had infected close to 300,000 systems and servers worldwide last month. Swati Khandelwal reporting in The Hacker News: "Infected users are advised not to pay the ransom because hackers behind Petya ransomware can't get your emails anymore. Posteo, the German email provider, has suspended the email address i.e. wowsmith123456@posteo.net, which was used by the criminals to communicate with victims after getting the ransom to send the decryption keys. At the time of writing, 23 victims have paid in Bitcoin to '1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX' address for decrypting their files infected by Petya, which total roughly $6775."

"Petya ransomware has already infected Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers, Kyivenergo and Ukrenergo, in the past few hours. ... There are reports from several banks, including National Bank of Ukraine (NBU) and Oschadbank, as well as other companies confirming they have been hit by the Petya ransomware attacks." –The Hacker News

Ukrainian government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network are all struck by the attack which started spreading across Europe earlier today. Tweet from Presidential Administration of Ukraine sent out a few hours ago

Brad Duncan from The Internet Storm Center, Examining the new Petya variant: "Petya is a ransomware family that works by modifying the infected Windows system's Master Boot Record (MBR).  Using rundll32.exe with #1 as the DLL entry point, I was able to infect hosts in my lab with the above two DLL samples.  The reboot didn't occur right away.  However, when it did, my infected host did a CHKDSK after rebooting. After CHKDSK finished, the infected Windows host's modified MBR prevented Windows from loading.  Instead, the infected host displayed a ransom message."

One of the largest health networks in western Pennsylvania, Heritage Valley Health System reports "cyber security incident" has affected all operations at its two hospitals and 18 satellite centers but has not yet confirmed whether the incident is linked to the Petya ransomware.

DLA Piper Victim of Massive Malware Attack: "The global law firm DLA Piper fell victim on Tuesday to a widespread cyber attack, which reportedly disabled networks at dozens of companies. By midday, the firm posted a statement on its website, which remained functional, confirming it suffered a malware attack." Bloomberg Law / 27 Jun 2017, 1:19 PM

"Organizations and individuals who have not yet applied the Windows update for the Eternal Blue exploit should patch now." Brian Krebs writes: "However, there are indications that Petya may have other tricks up its sleeve to spread inside of large networks. Russian security firm Group-IB reports that Petya bundles a tool called 'LSADump,' which can gather passwords and credential data from Windows computers and domain controllers on the network."

A.P. Moller-Maersk, the transport and logistics company, has confirmed that its IT systems are down across multiple sites and business units. This has affected various operations including India's largest container port JNPT. The company has stated that AP Moller-Maersk, one of the affected entities globally, operates the Gateway Terminals India (GTI) at JNPT, which has a capacity to handle 1.8 million standard container units. 27 Jun 2017, 1:40 PM

Hackers behind today's massive ransomware outbreak can't get emails from victims who paid. "A German email provider has closed the account of a hacker behind the new ransomware outbreak, meaning victims can't get decryption keys. ... email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files." Joseph Cox reporting in Motherboard / 27 Jun 2017, 1:46 PM

Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software. Catalin Cimpanu, reporting in BleepingComputer: "Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. ... The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, issued a security advisory ... Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe, M.E.Doc denied on Facebook its servers ever served any malware."

Related topics: Cyberattack, Cybercrime, Cybersecurity, DDoS, Malware


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

DNS Security

Sponsored by Afilias

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum