After WannaCry came the Ransomware Petya: Big problems especially in eastern countries
Costin Raiu, director of Global Research for Kaspersky Labs, reports that today's ransomware hit Ukraine hardest, followed by Russia; cases were also found in Poland, Italy and Germany.
After last month's attack based on the WannaCry ransomware, another major attack took place in the past hours, based on a variant of the already known Petya / Petrwrap ransomware. Costin Raiu, director of Global Research for Kaspersky Labs, reports that today's ransomware hit Ukraine hardest, followed by Russia; cases were also found in Poland, Italy, Spain, France, Germany, India and the United States.
The attack was carried out by exploiting EternalBlue, an exploit developed and used by the National Security Agency and ultimately stolen from it. According to Kaspersky, later in the attack, yesterday afternoon, another exploit called EternalRomance was also used. It is worth noting that the vulnerabilities leveraged by EternalBlue and EternalRomance had already been fixed by a patch Microsoft released in March, just before the notorious ShadowBrokers collective published the hacking tools taken from the NSA.
During yesterday's attack, the Mimikatz hacking tool was also used to extract passwords from other computers on the infected system's network, so that those credentials could be used with PsExec, or with the Windows component known as Windows Management Instrumentation (WMI), to infect other machines, including those that are not vulnerable to EternalBlue or EternalRomance.
In some cases it also appears that the automatic update system of a well-known Ukrainian software package called MeDoc was compromised: the malware took control of the system that sends updates to end users.
According to analyses by Kaspersky, Cisco's Talos group and Eset, MeDoc appears to be the starting point from which the global infection began. MeDoc itself posted a rather vague warning on its website, saying: "Attention! Our servers have a virus attack. Sorry for the inconvenience." A statement that many interpreted as an admission of guilt, although such a form of communication is rather unusual for an official statement. Representatives of MeDoc also said on Facebook that the company was not involved.
Once a system is infected, the malware waits a variable time of between 10 and 60 minutes before rebooting. Security researchers say that, in order to prevent the system from being compromised, it may be enough to switch it off before the reboot (obviously, if you are aware of being compromised) and hand it over to a security expert who knows how to restart the machine containing the infection.
So far, more than 12,000 computers have been hit, at least according to the information available to date. In Ukraine the ransomware has paralyzed banks and electricity companies such as Ukrenergo and Kyivenergo; even the Kiev airport and subway were affected by the attack.
The Danish shipping and energy company Maersk was also hit, and provided the following message through its website:
"We can confirm that Maersk computer systems are blocked due to a computer attack, we continue to assess the situation, security for our employees and our customer's business operations are our priority. We will update you when we have more information"
Further ransomware attacks have been reported across Russia and the UK. Petya has also reached the United States, including, for example, the well-known law firm DLA Piper Global, which reports that its computers and telephone systems were blocked for most of the day. The food multinational Mondelez International has also been hit.