A massive cyberattack that started this morning has now become a global malware incident.  Businesses and government agencies in Ukraine, Russia, Denmark and the United States have all reported system failures as a result of the attack.  As businesses are hit by the infection, many have been forced to send their employees home because nothing can be done on the affected machines.

Organizations throughout Europe started reporting the incident earlier today as the infection spread around the world.  The attack uses a variant of ransomware based on the “Petya” Trojan.  Petya is particularly destructive because it not only encrypts a user’s files but also overwrites the computer’s master boot record, so the machine can no longer boot its operating system.  As with most ransomware, this variant demands payment of $300 in Bitcoin.

Reports are still coming in, but so far, the attack has spread to over 2000 users around the world.  Just a few of the organizations impacted include:

  • Advertising giant WPP
  • Government departments in Ukraine
  • Danish shipping and logistics firm Maersk
  • Kiev airport
  • Russian oil firm Rosneft
  • Mondelez, the confectionery firm that owns Cadbury, which has reported IT issues
  • The Madrid office of law firm DLA Piper
  • The American pharmaceutical firm Merck

In many of these cases, employees have been sent home because nothing could be done to recover the encrypted machines.  Despite recommendations against the practice, many organizations have attempted to pay the ransom, but there is no confirmed report of a successful recovery.

Analysts at several security firms report that this variant spreads using more than one attack vector.  The first is the same exploit used by the recent WannaCry attack: EternalBlue, which targets a flaw in Microsoft’s SMBv1 implementation that was patched in March 2017 (MS17-010).  Because that patch has been available for months, attention turned to an additional vector that uses the Windows Management Instrumentation Command-line (WMIC) to launch the malware on other machines.  WMIC is a legitimate remote-administration tool, so there is no security control to “bypass”; to run a command on another host it simply needs a valid username and password.  That in turn suggests the payload also carries a credential-harvesting component that lifts account credentials from the infected machine (a tool that dumps credentials from memory, rather than a keylogger, which would be far too slow to explain same-day spread across whole organizations).
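As an added example (not from the original article or from any vendor analysis), the following Python flags the WMIC pattern described above in Windows process-creation telemetry. It assumes events have already been normalised into the fields shown (`host`, `user`, `image`, `cmdline`, as found in Security event 4688 or Sysmon event 1); the hostnames, accounts and command lines are constructed for illustration. It flags any `wmic.exe` launch that names another host with `/node:`, and raises the severity when a username or password is passed on the command line and a process is created remotely, which is exactly what a worm using harvested credentials looks like.

```python
"""Flag WMIC-based lateral movement in Windows process-creation telemetry."""
import re
from dataclasses import dataclass

# Constructed events in the shape of Windows Security event 4688 / Sysmon
# event 1 fields. Hostnames, users and command lines are illustrative only,
# not telemetry from the incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    # Local WMIC query: ordinary admin usage, no /node: target.
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},
    # Remote process creation with a username and password on the command
    # line: the WMIC pattern the article describes.
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.10.4.17" /user:"CORP\svc_backup" /password:"Summer2017!" '
                r'process call create "cmd.exe /c copy \\WS01\C$\Windows\stage.dll C:\Windows\stage.dll"'},
    # Remote query under the caller's own token: worth a look, lower confidence.
    {"host": "ADMIN01", "user": "CORP\\itops",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:FS02,FS03 os get lastbootuptime"},
]

# WMIC accepts /switch:value or /switch:"value with spaces".
_NODE_RE = re.compile(r'/node:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_USER_RE = re.compile(r'/user:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_PASS_RE = re.compile(r'/password:', re.IGNORECASE)
_CREATE_RE = re.compile(r'\bprocess\s+call\s+create\b', re.IGNORECASE)
LOCAL_NODES = {".", "localhost", "127.0.0.1"}


@dataclass
class Finding:
    host: str            # machine the WMIC process ran on (the pivot source)
    user: str            # account that launched wmic.exe
    runas_user: str      # credential passed via /user:, if any
    targets: list        # hosts named in /node:
    severity: str
    reason: str


def _value(match):
    """Return whichever alternative (quoted or bare) of a switch matched."""
    return match.group(1) if match.group(1) is not None else match.group(2)


def remote_targets(cmdline):
    """Hosts named by /node:, which may be a comma-separated list."""
    m = _NODE_RE.search(cmdline)
    if not m:
        return []
    return [t.strip().strip('"') for t in _value(m).split(",") if t.strip()]


def detect_wmic_lateral_movement(events):
    findings = []
    for ev in events:
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if image != "wmic.exe":
            continue
        cmd = ev.get("cmdline", "")
        targets = [t for t in remote_targets(cmd)
                   if t.lower() not in LOCAL_NODES and t.lower() != ev["host"].lower()]
        if not targets:
            continue                      # local WMI use, not lateral movement
        user_m = _USER_RE.search(cmd)
        has_creds = bool(user_m or _PASS_RE.search(cmd))
        spawns = bool(_CREATE_RE.search(cmd))
        if has_creds and spawns:
            sev, why = "high", "remote process creation with explicit credentials on the command line"
        elif spawns:
            sev, why = "medium", "remote process creation under the caller's token"
        elif has_creds:
            sev, why = "medium", "remote WMI call with explicit credentials"
        else:
            sev, why = "low", "remote WMI query against another host"
        findings.append(Finding(ev["host"], ev["user"],
                                _value(user_m) if user_m else "",
                                targets, sev, why))
    return findings


if __name__ == "__main__":
    for f in detect_wmic_lateral_movement(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} ({f.user}) -> {', '.join(f.targets)}"
              f" as {f.runas_user or '<caller>'}: {f.reason}")
```

Two practical notes. Command lines only appear in event 4688 if the “Include command line in process creation events” policy is enabled (Sysmon records them by default), so check that before relying on this. And when the rule fires with a `/user:` value, that account should be treated as compromised: the worm is using it precisely because it was harvested from a machine it already controls, so the `runas_user` field is the first thing to hand to the responders.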

Since this story is still developing, there is no definitive remediation or preventative measure yet.  The malware is known to use the EternalBlue exploit, so it is strongly recommended that you verify the MS17-010 update is installed on every Windows system and that SMBv1 is disabled wherever it is not required.  Note that patching does not stop the WMIC vector, which relies on valid credentials rather than a software flaw; limiting local-administrator rights and not reusing administrative passwords across machines reduces how far a single infected host can spread.  As always, adhere to standard best practices for online security: don’t follow unknown links on websites, do not open attachments in e-mail from unverified senders, and immediately report any unusual system activity to your IT provider.