Second Global Ransomware Outbreak Under Way

A massive ransomware outbreak is spreading globally and being compared to WannaCry.

Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017 at 10 a.m. Eastern time for a webinar “The Inside Story of the Petya/ExPetr Ransomware.” Click here to attend.

A global WannaCry-like ransomware outbreak–which began in Russia and Ukraine and spread across Europe–is being reported today. The attack is locking down networks in a number of industries, including energy, transportation, shipping and financial.

Reports suggest that ransomware is similar in scope and intensity to WannaCry and could be spreading using the same leaked NSA EternalBlue exploit that WannaCry used in early May to infect machines in more than 150 countries.

Security experts are still trying to determine what type of ransomware is being distributed. Early theories pointed at Petya while others say the ransomware may be a new strain yet to be identified.

Kaspersky Lab malware analyst Vyacheslav Zakorzhevsky said infections were traced to a “new ransomware we haven’t seen before.”

Matt Suiche, founder of cyber security firm Comae Technologies, said he saw evidence of infections through SMB, the same vector used by EternalBlue and the accompanying DoublePulsar rootkit; the vulnerability was patched in March by Microsoft in MS17-010.

The impact of the attacks are difficult to quantify as they continue. However, Danish transport and energy company Maersk is reporting on its website: “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.”

Russian oil producer Rosneft said that it has been hit with a “powerful” cyberattack.

Reuters is reporting that the Ukrainian central bank has also been hit by a similar cyberattack along with several other financial institutions.

“As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations,” the central bank said in a statement, according to the Reuters report.

Ukrainian officials tweeted images of infected computers at the state-owned Ukrenergo and Kyivenergo power companies. The ransom note reads: “We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.”  Based on current value of bitcoins, the ransom is approximately $300.

Meanwhile, the Facebook page of Kiev’s Borispol Airport posted a statement: “Our IT services are working together to resolve the situation. There may be delays in flights due to the situation… The official Site of the airport and the flight schedules are not working.”


(This report will be updated throughout the day as the story develops.)

Suggested articles