A new ransomware outbreak is causing mayhem around the world, compromising banks, airports, energy suppliers, and even shutting down automated radiation sensors at the Chernobyl nuclear power plant. Reminiscent of the recent WannaCry attack that affected thousands of organizations just a few weeks ago, initial reports are claiming this new virus is more sophisticated and potentially harder to stop.
Initial reports began surfacing early on Tuesday US time after a wave of ransomware attacks struck businesses primarily in Ukraine and Russia before spreading to Western Europe. Early investigations from Kaspersky Labs identified the ransomware as employing multiple infection strategies, including a modified version of the EternalBlue exploit which was the primary way the recent WannaCry virus spread.
The ransomware has initially been labeled as a variant of the "Petya" ransomware that has been circulating since 2016, but it appears to have been recently updated to add significant new virulence. This has caused some to dub the new ransomware "NotPetya" or "Nyetya".
Much like most general ransomware, the new variant encrypts the data of an infected computer and locks the system down with a ransom note, in this case claiming the data will be released if $300 in Bitcoin is paid. Interestingly the ransom process for this malware is oddly unsophisticated. Unlike other ransomware demands that utilize unique Bitcoin wallets for individual infections, this malware uses a single Bitcoin wallet for all demands. Consequently the ransom note asks those infected to send an email to a certain address after paying to confirm payment and receive decryption information.
Unsurprisingly, the domain that the hackers were using to receive these payment confirmations has already suspended the email address. So the ransom process has essentially already been thwarted offering those infected no way to certify payment, although generally these high-profile attacks do not offer decryption information after a ransom is paid anyway.
The two big questions being asked right now are, "Where did this ransomware come from?" and "How is it spreading?" At this stage, the answers to both questions are frustratingly cloudy.
In terms of where it came from, many early reports have been claiming the initial spread seemed to kick off across public sector organizations in Ukraine. Cybersecurity specialist MalwareTech, who was the prime agent in discovering the killswitch stopping the recent WannaCry attack, has backed up several analyst's reports pointing to a popular Ukrainian accounting software as being the source.
The software, called "MeDoc", was allegedly hacked recently and the hypothesis is that the automatic update feature sent the ransomware to all computers using the software. MalwareTech's blog makes a decent case for this being the initial infection vector despite the company comprehensively denying the allegation on its Facebook page. Adding to this already strange situation was a bizarrely contradictory post on the MeDoc website, now taken down, claiming "Attention! Our server made a virus attack. We apologize for the inconvenience!"
How this malware is spreading is even more of a mystery. Initial analysis shows the infection seemed to be significantly limited to local networks. That means that once it hit one computer it can rapidly spread across that internal network. But it's still unknown how it could be spreading so virulently around the world.
At this stage there is no clear evidence as to whether the malware is traveling around via an email phishing campaign, and despite some early claims that it cannot spread easily outside of local networks, it is clear that is moving around the world incredibly rapidly.
On Twitter, security expert Kevin Beaumont frighteningly predicts, "I think this will be bigger than WannaCry. It's much better designed." It is clear from most first-wave analysis that this is a much more sophisticated instrument than WannaCry.
We are still in the early days of the outbreak so it is unclear how broadly it will spread or how damaging it will ultimately be. All indications are that this could be a significantly damaging piece of ransomware, and it is occurring merely weeks after the world suffered from the most widespread malware outbreak ever seen. It's looking as if 2017 is the year that cyberwarfare finally came of age, and we all better stand up and take notice.
Update (29 June): New reports have surfaced that the ransomware could be a cover for a cyberattack. Full story here.