A month after the WannaCry ransomware attack paralyzed connected systems worldwide, a new threat appears to be spreading quickly.
As reports emerge, today's attack paints a picture of businesses and governments around the world held hostage by a second major wave of ransomware, malware that encrypts a victim's files or locks them out of the system and demands payment, often in bitcoin, to restore access.
Initially it appeared that the ransomware might center on Ukraine, though reports since then have confirmed that it also is affecting systems in Spain, France, Russia and India. Anecdotally, many more countries may be affected as governments and businesses around the world find themselves locked out of their own machines.
— Lukas Stefanko (@LukasStefanko) June 27, 2017
Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue 👌 pic.twitter.com/RsDnwZD5Oj
— Ukraine / Україна (@Ukraine) June 27, 2017
According to a researcher at Kaspersky Lab, the ransomware carries a forged Microsoft digital signature. Early reports also claimed that it exploits a Microsoft Office vulnerability (CVE-2017-0199) that security firm FireEye disclosed in April. So far, the ransomware appears to have hit a number of large organizations, including Russia's state oil company Rosneft and Ukraine's state-owned bank Oschadbank.
Update: Some reports suggest that confusion with a simultaneous incident in Ukraine means the global attack may not actually be using the CVE-2017-0199 Office vulnerability at all.
New Petrwrap/Petya ransomware has a fake Microsoft digital signature appended. Copied from Sysinternals Utils. pic.twitter.com/HFwA1cyoyN
— Costin Raiu (@craiu) June 27, 2017
— Security Response (@threatintel) June 27, 2017
The ransomware, known as Petya (also called Petrwrap), is well known to security researchers and may have been commercially available on dark web software exchanges for some time. Early reports suggest that, like WannaCry, it spreads using the leaked NSA exploit known as EternalBlue, which targets the SMBv1 file-sharing protocol on Windows and was patched by Microsoft in March 2017 (security bulletin MS17-010).
Petya was known to be RaaS (Ransomware-as-a-Service), selling on Tor hidden services. Looks like WannaCry copycat. Attribution will be hard. pic.twitter.com/W5voMeNx9I
— x0rz (@x0rz) June 27, 2017
Everything about this situation indicates that plenty of governments and companies around the world didn't take WannaCry seriously, failed to apply the MS17-010 patch or disable SMBv1 on their systems, and are now paying the price.
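Two things an administrator reading this would want to check on their own Windows hosts are whether the MS17-010 fix is installed and SMBv1 is off (the exposure the paragraph above describes), and whether a suspicious binary's Microsoft signature actually validates (the forged, copied signature reported on the sample). The PowerShell below is an added example written for this page, not code from the article or from any of the researchers quoted. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (Get-SmbServerConfiguration does not exist on Windows 7), and the KB list is a hand-maintained, partial set of MS17-010 package IDs that you must confirm against the Microsoft bulletin for your exact OS build.

```powershell
# Added example (not from the article). Assumptions: elevated session on
# Windows 8.1 / 2012 R2 or newer; the KB list below is partial and must be
# checked against the MS17-010 bulletin for your OS build.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                 # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',                 # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                 # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'     # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    # Reports which listed MS17-010 package IDs are present. On Windows 10 a later
    # cumulative update supersedes the original KB, so "none found" means
    # "unknown, check the build/cumulative update", not "definitely exposed".
    $present = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ms17010Kbs   = @($present | ForEach-Object { $_.HotFixID })
        PatchFound   = [bool]$present
    }
}

function Get-Smb1Status {
    # EternalBlue targets SMBv1; turning the protocol off removes the attack
    # surface even on hosts whose patch state you cannot confirm.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Enabled  = $cfg.EnableSMB1Protocol
    }
}

function Disable-Smb1 {
    # Remediation step: disable the SMBv1 server side. Test in a lab first;
    # legacy clients (Windows XP, old NAS firmware) depend on SMBv1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Test-AuthenticodeSignature {
    # A certificate block copied from another binary (e.g. a Sysinternals tool)
    # cannot match this file's Authenticode hash, so Windows reports
    # HashMismatch rather than Valid even though a signer certificate is present.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $hasCert = $null -ne $sig.SignerCertificate
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = if ($hasCert) { $sig.SignerCertificate.Subject } else { $null }
        # A present-but-invalid signature is the pattern described in the tweet above.
        Suspicious = ($hasCert -and $sig.Status -ne 'Valid')
    }
}

# Usage (interactive):
Get-Ms17010Status
Get-Smb1Status
# Test-AuthenticodeSignature -Path 'C:\Users\Public\suspicious.exe'
# Disable-Smb1   # after confirming nothing on the network still needs SMBv1
```

Run the first two functions across a fleet with Invoke-Command to get a quick inventory; the signature check is the one to apply to any dropped executable that claims to be from Microsoft, since Status alone, not the signer name, tells you whether the signature belongs to that file.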