Huge new ransomware campaign infects businesses across Europe

A new ransomware campaign has infected computers belonging to businesses, governments and other organisations in countries across Europe, according to reports. [See update below story.]

Cyber security experts say the attack, which appears to have struck worst in Ukraine, involves a variant of the Petya ransomware, which encrypts Windows computers’ master boot records.

They suspect that the malware spreads through emails and shared network drives, although this is yet to be confirmed, with infections also being reported in Spain, France, Russia and the UK.

The cyber criminals behind the attack are demanding $300 (£235) in Bitcoin as a ransom, although victims should remember that giving in to their demands is no guarantee of decryption.

Unlike the WannaCrypt ransomware that struck earlier this year, the Petya ransomware renders victims’ computers completely unusable because it encrypts PCs’ master boot records.

There are also so far unconfirmed reports that the malware has other features that allow it to steal usernames and passwords from infected machines.

“If you see this text then your files are no longer accessible because they have been encrypted,” reads the red text on the screens of victims’ computers. “Perhaps you are looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

The cyber criminals then give details of how to pay the ransom using Bitcoin.

In the wake of the WannaCrypt attack, Director of Finance brought you tips on how to protect your business against ransomware and reduce your chance of infection.

These included running security software, making sure your operating system and software are up-to-date and keeping backups of important data so it is not lost if the worst does happen.

Businesses are also advised to develop an incident response plan so they can act quickly and efficiently in the event of a cyber attack and minimise the damage caused.


UPDATE – Since our initial story on the attack, more information has come to light:

  • Cyber security experts believe there are significant differences between this and the original Petya attack, leading some of them to call this malware NotPetya.
  • The payment pipeline for the ransomware was disrupted simply by blocking a single email address used to process payment. The simplicity with which this was achieved has led researchers to suspect that the ransomware element was a distraction and that the real goal of the attack was disruption or wiping data rather than extorting money from victims.
  • NotPetya is believed to have been distributed via phishing emails and through a compromised update server belonging to MeDoc – an accounting software package that is one of only two products Ukrainian firms can use to file their taxes.
  • The malware took advantage of the same EternalBlue vulnerability exploited by WannaCrypt, which was part of the recent NSA dump. Many firms might have patched this flaw, but once NotPetya infects a system with enough privileges it steals administrator credentials and uses them to infect other systems on the network. Unlike WannaCrypt, it is not believed to spread externally.
  • One of the first warning signs of NotPetya is a system reboot followed by a fake CHKDSK screen. Infected users are advised to turn their computers off at this point and seek help.
  • For reasons that are yet to be determined, the attack seems to have mainly targeted Ukrainian organisations. That said, users should always be vigilant when it comes to clicking links and opening email attachments, and administrators should ensure that their software and operating systems are fully patched – particularly with regard to EternalBlue, which was previously fixed by Microsoft.