Massive New Ransomware Attack Leverages Same Exploit as WannaCry

A new ransomware campaign currently spreading worldwide takes advantage of the same Windows vulnerability as last month’s massive WannaCry attack, demonstrating that far too many organizations didn’t heed urgent warnings to apply security updates.

Ukraine has been hit the hardest, with a significant impact on its government, transport systems, banks and power utilities, but leading companies worldwide have been seriously affected, including advertiser WPP, pharma giant Merck, manufacturing company Saint-Gobain, and Russian steel and oil giants Evraz and Rosneft.

One WPP subsidiary advised all staff to turn off and disconnect all Windows machines, saying it was the victim of a “massive global malware attack, affecting all Windows servers, PCs and laptops,” The Guardian reports.

On Twitter, shipping company Maersk stated, “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack. We continue to assess the situation. The safety of our employees, our operations and customers’ business is our top priority.”

In the U.S., Merck tweeted, “We can confirm our company’s computer network was compromised today as part of global hack. Other organizations have also been affected. We are investigating the matter and will provide additional information as we learn more.”

Still Leveraging EternalBlue

Kaspersky Lab researchers say that despite initial reports claiming the malware was a variant of the Petya ransomware, it’s actually an entirely new threat, which they’re (logically enough) calling NotPetya.

“Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the U.S. and several other countries,” the reseachers said in a statement. “This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.”

Jake Kouns, CISO at Risk Based Security, told eSecurity Planet by email that WannaCry really should have served as a global wakeup call about the importance of patching. “Unfortunately, the fast spread of Petya makes it pretty clear that regardless of the reasons for not updating systems, whether they were valid or not, many companies were unable to properly address things the first time around,” he said.

Simply put, Kouns said, if your organization is running unpatched software, you’re at serious risk. “It is critical that all organizations which are able apply patches for these known vulnerabilities,” he said. “If there is some legit reason for this not being possible, it is imperative to take other precautions and implement compensation controls to protect their systems and mitigate the risk.”

Cybric CTO Mike Kail said the larger message to take from this is that the current approaches to patching and updates are severely broken. “Unfortunately critical infrastructure technology has been ignored for too long, and now we’re seeing the repercussions of that complacency,” he said. “Companies need to rapidly adopt a much more continuous strategy around patching and security testing, along with a robust disaster recovery plan that gets tested frequently.”

Hitting Critical Infrastructure

In the meantime, Netskope co-founder and CEO Sanjay Beri said, the implications could be massive. “The Petya ransomware attack should serve as an urgent warning for the U.S. — we need a plan in place and the administration has to stop dragging its feet on hiring a Federal CISO,” he said.

“Worse than the recent WannaCry attack, the Petya ransomware campaign is targeting critical infrastructure which, according to an MIT report, is essentially defenseless against cybercriminals,” Beri added. “If this attack reaches us — and given the rate and manner with which it’s spreading it’s only a matter of time — the country’s critical infrastructure is at enormous risk of shutting down.”

A recent Kaspersky study found that the total number of users impacted by ransomware between April 2016 and March 2017 rose by 11.4 percent over the previous 12 months.

“The extortion model is here to stay,” the report states. “More stable growth, which is at a higher level on average, could indicate an alarming trend: a shift from chaotic and sporadic actors’ attempts to gain foothold in [the] threat landscape to steadier and higher volumes.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles