Another major cyberattack is quickly spreading across Europe and has now infected systems in the US as well. Researchers at Symantec and other leading security firms are confirming that ransomware is being spread via EternalBlue, an exploit leaked in April by the ShadowBrokers hacking group, which is said to have been stolen from the US National Security Agency.
[Update: The consensus among malware experts now is that the cyberattacks launched Tuesday were merely disguised as ransomware. The malware—which Kaspersky Lab calls “NotPetya”—is actually a wiper, the purpose of which is to permanently damage its victims’ data. Despite previous reports, it no longer appears that the actor behind the attack was motivated by money. In a blog Wednesday, Comaeio Technology founder Matt Suiche suggested that the wiper was disguised as ransomware for the purpose of manipulating the media and obfuscating a nation-state attack.]
Posteo, a Berlin-based email provider has issued a statement saying they’ve blocked the email address reportedly being used by the attackers—meaning the victims no longer have a way to contact the attackers and decrypt their computers even after paying the ransom. “We do not tolerate any misuse of our platform: The intermittent blocking of abused mailboxes is a normal procedure of providers in such cases,” the company said.
As there were no other means of communication offered by the attackers, there no longer seems any point to paying the ransom.
“Oh boy, that’s going to be interesting,” said Jason Truppi, director at the endpoint security firm Tanium. “This actually creates some interesting conversation: What is the obligation for a provider to keep it up, right? Is it be better to keep it up and let people get their files back—or is it better to keep it down and stop future attackers from thinking that they’re going to get money. I think it’s probably better to keep it up, to be honest.”
While large companies are dealing with these threats daily, Truppi says, it is the small- and medium-sized businesses affected now left most vulnerable. “Those are the people that are most concerning because they’re going to want to contact these people that are holding their files for ransom and they’re going to want to pay. Whatever files they’ve lost, that’s the lifeblood of their company.”
The attacks Tuesday were first reported in Ukraine, striking banks, the power utility Ukrenergo, and Kiev’s main airport. It has since spread into Western Europe and the United States. Each infection reportedly demands a $300 payment to decrypt the affected system’s master boot record (MSB); however, the ransomware also appears capable of encrypting individual files as well upon reboot.
Research into the spread of this particular malware and information sharing about its origin and vector was chaotic throughout Tuesday morning. Initial reports suggested this was a variant of ransomware known as Petya, which originated in early 2016 and infected thousands of computers earlier this year—typically by way of phishing emails containing a malicious DropBox link. Petya claimed falsely to cause full-disk encryption, according to MalwareByte Labs.
Rumors also circulated that Tuesday’s major attack was leveraging a Microsoft vulnerability disclosed in April known as CVE-2017-0199; however, multiple researchers have told Gizmodo that they’ve seen no evidence of this. AlienVault Labs attributed the confusion to a simultaneous attack in Ukraine involving bot malware known as Loki. “We haven’t seen any evidence of Petya using CVE-2017-0199 so far. But we are looking for it actively,” said Emsisoft researcher Fabian Wosar.
Chief Security Expert Aleks Gostev also told Gizmodo via Twitter that Kaspersky Lab had seen no evidence of CVE-2017-0199 being leveraged. Kaspersky put out a statement saying that Tuesday’s ransomware was not, in fact, a variant of Petya at all. To get the point across, the firm named the ransomware “NotPetya.”
“The company’s telemetry data indicates around 2,000 attacked users so far,” the Russia-based cybersecurity firm said. “Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US, and several other countries.”
“Systems on a global level remain highly vulnerable and selective fixes only serve to perpetuate an attack based on the next vulnerability on what is now a nearly exponentially growing list of exploitable security bugs,” says Mike Ahmadi, a global director at Synopsys Software Integrity Group. “Unless vulnerability management and certification of systems becomes a legal requirement, we can expect to see attacks that are bigger and more sophisticated. As it stands today, it will likely take decades to dig ourselves out of the nearly bottomless pit of vulnerable code making up our infrastructure.”
Additional reporting by Kate Conger.