A GLOBAL RANSOMWARE OUTBREAK, which first hit Ukraine on Tuesday, is causing havoc around the world, striking pharmaceutical companies, Chernobyl radiation detection systems, and, er, a chocolate factory.
The ransomware, dubbed 'NotPetya' given its similarities to Petya, first made headlines on Tuesday afternoon when it crippled national infrastructure in Ukraine, taking down airports, banks and government systems.
Some of our gov agencies, private firms were hit by a virus. No need to panic, we're putting utmost efforts to tackle the issue 👌 — Ukraine / Україна (@Ukraine) June 27, 2017
Security outfit Bitdefender was quick to liken the outbreak to the GoldenEye ransomware family.
"Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family. At the time of writing, there is no information about propagation vector but we presume it to be carried by a wormable component," it said.
"Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims' computers from being booted up in a live OS environment and retrieving stored information or samples."
Since Tuesday, NotPetya - which infects computers on a local network and demands about $300 in Bitcoin to unscramble files - has made its presence felt globally, with reports claiming that it has also hit transport firm TNT, Chernobyl radiation detection systems, a US hospital and a chocolate factory in Australia.
According to Kaspersky, a total of 2,000 organisations across the globe have been affected so far, including some businesses in the UK.
Early investigations from the security firm have also identified the ransomware as employing multiple infection strategies, including a modified version of the EternalBlue exploit, which was the primary way the recent WannaCry virus spread.
This was patched by Microsoft in March, suggesting that thousands of organisations are yet to apply the fixes.
Chris Wysopal, co-founder and CTO of Veracode, commented: "The easiest and best way to prevent the EternalBlue exploit from working is to run Windows Update.
"Because the WannaCry kill switch worked, the pain stopped, and many orgs did not complete patching their Windows. This shows the day to day fire drill that many IT teams work under and the reality that patching in many organisations is hard. Once they heard that WannaCry was stopped they moved on to other more pressing work.
"This attack seems to be hitting large industrial companies like Maersk shipping company and Rosneft oil company. These organisations typically have a challenge patching all of their machines because so many systems cannot afford to have any down time. Airports and hospitals also have this challenge."
It's still unclear where the ransomware came from, but MalwareTech, who recently discovered the killswitch to halt the recent WannaCry attack, has backed up several analysts' reports pointing to a popular Ukrainian accounting software as being the source.
The software, called "MeDoc", was allegedly hacked recently, and reports claim that the automatic update feature sent the ransomware to all computers using the software.
On Twitter, security expert Kevin Beaumont predicts that things are only going to get worse, saying: "I think this will be bigger than WannaCry. It's much better designed."