Security experts are warning that a quick-spreading new ransomware attack may have more tricks up its sleeve than the previous WannaCry software that crippled thousands of computers worldwide last month.
The new strain, which has similarities to a well-known software called Petya but may be a modified or wholly new version, has already caused a significant amount of damage in Europe and has moved to the US.
A major ransomware attack on Tuesday hit computers at Russia’s biggest oil company, the country’s banks, Ukraine’s international airport as well as large companies in countries including the Netherlands, France and the UK.
Companies, services and individuals in Australia — especially those whose computers are connected to big networks but have not received security updates in some time — are at risk of having their files locked and held to ransom once businesses get started this morning.
“The early indications are that it’s exploiting multiple vulnerabilities that have been patched for years”, Australian security expert Troy Hunt told Fairfax Media.
The screen shown on computers locked by the new strain of software. Photo: McAfee
“Unpatched systems are definitely still at risk”.
Several prominent companies and services across the globe have already been impacted by this new ransomware, with computers locked up and displaying a distinctive red block of text asking for payment in Bitcoin.
While British and American companies have been hit, the most damage so far appears to have been done in Ukraine, where the state power company and the main airport were among the first to report issues.
The BBC is reporting that even the Chernobyl nuclear power plant has been hit, with staff being forced to monitor radiation levels manually after the computers that run the plant’s sensors were impacted.
Security software vendor McAfee said that the modified Petya attack had more potential to hit the general public than WannaCry, but that it had so far been mainly detected in business environments. It said it had various samples in analysis to try and work out exactly how the new strain operates.
Kaspersky Lab believes the strain is a “new ransomware that has not been seen before”, despite its strong resemblance to Petya. It has dubbed the new software NotPetya.
Regardless, the new ransomware is tied to WannaCry: several security firms have confirmed that it uses the same Windows SMB vulnerability to spread through computer systems. The exploit for it, known as Eternal Blue, was first revealed publicly in April, but Microsoft had already patched the underlying vulnerability in March, so any computer set to install security updates automatically is protected against that method of spreading.
However some businesses that use specialised software don’t keep their computers up to date, as it can be costly to fix compatibility issues at large scale. Many of those businesses were hit by WannaCry, and anyone who still hasn’t installed the appropriate security updates may be at risk from this new attack as well.
Also at risk are embedded computer systems — for example those that run public infrastructure — which are often connected to networks but not updated. As recently as last week, speed cameras in Victoria were seen to be impacted by WannaCry.
While there are indications that the new Petya has more ways to move around inside a network than WannaCry had, it’s likely these also make use of known vulnerabilities that have been patched. Until it has been fully investigated, it’s difficult to say whether some systems protected against WannaCry might still be vulnerable to the new form of Petya.
There are still many details that experts are yet to uncover, including the identity of the criminals who released the attack, how the software initially breaches a computer, and any other known vulnerabilities it may be exploiting. In the meantime, many are advising users to guard against Petya in the same way they did against WannaCry: make sure the most recent Windows security updates are installed, and keep up regular cyber hygiene practices, including maintaining backups of your files, not opening suspicious emails and not clicking unfamiliar links.
For businesses, the specific security update needed to protect against Eternal Blue is MS17-010. In line with Microsoft’s guidance from 2016, businesses unable to patch should consider disabling SMBv1 and other legacy protocols to prevent the infection spreading over that channel, bearing in mind that a strain with additional ways of moving around a network may still reach unpatched systems by other means.