A major ransomware attack has shut down businesses across Europe, in an outbreak reminiscent of last month’s WannaCry attack. The most severe damage is being reported by Ukrainian businesses, with systems compromised at Ukraine’s central bank, state telecom, municipal metro, and Kiev’s Boryspil Airport. Systems were also compromised at Ukraine’s Ukrenergo electricity supplier, although a spokesperson said the power supply was unaffected by the attack.
The attack has even affected operations at the Chernobyl nuclear power plant, which has switched to manual radiation monitoring as a result of the attack. Infections have also been reported in more isolated devices like point-of-sale terminals and ATMs.
The virus has also spread internationally. The Danish shipping company Maersk has reported systems down across multiple sites, including the company’s Russian logistics arm Damco. The virus also reached servers of the Russian oil company Rosneft, although it’s unclear how much damage was incurred. There have also been several recorded cases in the United States, including the pharmaceutical company Merck and the US offices of law firm DLA Piper.
A researcher for Kaspersky Lab identified the virus as Petrwrap, a strain of the Petya ransomware identified by the firm in March. One recovered sample was compiled on June 18th, suggesting the virus has been infecting machines in the wild for some time. Still, according to a recent VirusTotal scan, only four out of 61 antivirus services successfully detected the virus.
Two separate firms have reported the new ransomware employs the same EternalBlue exploit used by WannaCry, allowing it to spread quickly between infected systems. Published by the Shadow Brokers in April, EternalBlue targets Windows’ SMB file-sharing system and is believed to have been developed by the NSA. Microsoft has since patched the underlying vulnerability for all versions of Windows, but many users remain vulnerable, and a string of malware variants have employed the exploit to deliver ransomware or mine cryptocurrency.
Petrwrap itself appears to be a straightforward ransomware program. Once a machine is infected, the virus encrypts its contents with a private key, rendering it unusable until the system is decrypted. The program then instructs the user to pay $300 to a static Bitcoin address, then email the bitcoin wallet and personal ID to a Posteo email address. As of press time, blockchain records showed eight transactions to the target wallet, totaling roughly $2,300. It’s unclear whether any systems have been successfully decrypted after payment.
The origins of the attack are still unclear, but the involvement of Ukraine’s electric utilities is likely to cast suspicion on Russia. Ukraine’s power grid was hit by a persistent and sophisticated attack in December 2015, which many attributed to Russia. The attack ultimately left 230,000 residents without power for as long as six hours.
Ukraine itself seems to be responding to the attack with good humor. Shortly after news of the attack broke, the country’s official Twitter account responded by urging citizens not to panic, while invoking a popular comic meme.