Ransomware Using Leaked Exploit in Massive Cyber-Attack Across Europe

European companies and government agencies report a widespread attack by the Petya ransomware program, which has been updated to use a leaked exploit to infect users’ systems.

Ransomware safe door

European companies and government agencies are reporting a widespread attack by a ransomware program that arrives in email and uses a leaked exploit to infect users’ systems, according to multiple accounts on June 27.

The attack appears to be a year-old ransomware threat, known at Petya, created originally in 2016 but updated to use the EternalBlue exploit, an attack program leaked by the ShadowBrokers as part of the cache of code allegedly stolen from the National Security Agency.

Numerous companies across Europe reported their information systems had been impacted by the attack including UK-based advertising and public relations firms WPP plc, Ukraine's state-run power company Ukrenergo, Russian oil producer Rosneft and global transport company Maersk.

“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack,” the company stated on Twitter. “We continue to assess the situation. The safety of our employees, our operations and customers’ business is our top priority.”

The incidents come as many companies are incorporating lessons learned from the WannaCry ransomware attack, which spread in May, but whose impact was significantly blunted by the serendipitous actions of one security researcher.

However, the latest Petya attack mirrors many of the characteristics of WannaCry, Itzik Kotler, chief technology officer at security firm SafeBreach, told eWEEK.

“We are looking at a replay of WannaCry,” he said. “The vulnerability that was used by WannaCry is so widespread and patching is such a drawn out process, so it gave the attackers an opportunity to do a spin off.”

Unlike WannaCry, however, Petya is distributed through email, does not encrypt individual files, but instead focuses on the master boot record. A second exploit is used to spread laterally throughout a network, making Petya more dangerous and more difficult to eradicate, security experts said.

“Petya is … an older ransomware family that has been given a new life by embedding a way to self-replicate over SMB using Eternal Blue exploit,” Nick Bilogorskiy, senior director of threat operations at Santa Clara, CA-based Cyphort, said in an email statement sent to eWEEK.

Many security professionals argue that ransomware has become the new normal. A recent report by the FBI, however, found that reports of ransomware to law enforcement only made up $2.4 million in damages in 2016, far short of the more than $360 million in damages from business email compromise.

The United States did not escape the attentions of the latest ransomware campaign. Pharmaceuticals firm Merck acknowledged on Twitter that the company also had systems affected by the attack.

“We confirm our company's computer network was compromised today as part of global hack,” the company stated. “Other organizations have also been affected.”

A number of Ukrainian banks and state-run firms, including the power company Ukrenergo, acknowledged on June 27 that their information systems had suffered attacks, according to Reuters.

“There is no novelty here,” SafeBreach’s Kotler said. “It it more of the same exploits and more of the same techniques.”

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...