Companies across the globe were struck by a major ransomware cyber-attack on Tuesday.
The cyber-attack, which initially hit Ukrainian companies, has now spread to other countries in Europe as well as to the United States and parts of Asia.
The ransomware, called “Petya”, has caused serious disruption at large firms including the advertising giant WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft.
Infected computers show a message demanding ransom payments in bitcoin worth $300. Those who pay are asked to send confirmation of payment to an email address. However, that email address has reportedly been shut down by the email provider.
Digital Shadows is warning businesses impacted by the latest ransomware attack, Petya, not to pay the $300 bitcoin fee, because Posteo administrators have disconnected the email address that victims were told to use to confirm payment and obtain unlock keys for impacted systems. “It means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so,” said Becky Pinkard, vice president, Service Delivery and Intelligence Operations, Digital Shadows.
According to Digital Shadows, Petya first appeared on Tuesday morning and has been spreading around the world, mainly infecting businesses and government agencies and departments in Ukraine and Russia, but there have been increasing reports of businesses in other countries also being compromised, with reports filtering in from the US, UK, Germany, Switzerland and Holland, among others.
“The malware itself appears to be a straightforward ransomware programme. Once infected, the virus encrypts each computer to a private key, rendering it unusable until the system is decrypted. The programme then instructs the user to pay the $300 ransom to a static Bitcoin address, then email the bitcoin wallet and personal ID to the email address, which is now blocked,” said Pinkard.
She added, “There is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilises the #ETERNALBLUE SMBv1 worm functionality.”
Pinkard then noted that more work is needed to investigate how the virus propagates; in the meantime she urged businesses to ensure their software is up to date and all files are backed up.
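As an added example, not part of the article or of Digital Shadows' guidance: the patching advice above is concrete on Windows, because the ETERNALBLUE worm component mentioned by Pinkard targets the SMBv1 protocol. The PowerShell below, run in an elevated session on a host, reports whether SMBv1 is still enabled, shows the optional-feature state, and lists recent hotfixes so the host can be compared against Microsoft's MS17-010 bulletin (the bulletin that fixes the SMBv1 flaws; that identifier is known context and is not named in the article). The cmdlets are standard Windows ones; the remediation line is left commented so the script is read-only unless an administrator chooses to apply it.

```powershell
# Added example (not from the article): audit a Windows host for the SMBv1
# exposure that the ETERNALBLUE worm functionality abuses, and list installed
# hotfixes for comparison against the MS17-010 bulletin (identifier assumed as
# known context, not taken from the article). Run elevated on the host.

# 1. Server-side SMBv1 setting (SmbShare module, Windows 8 / Server 2012 and later).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED on $env:COMPUTERNAME"
} else {
    Write-Output "SMBv1 server protocol is disabled on $env:COMPUTERNAME"
}

# 2. Optional-feature state; on newer builds the SMB1 component can be removed outright.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    Write-Output "SMB1Protocol optional feature state: $($feature.State)"
}

# 3. Patch inventory: most recent updates first, to check against the KB numbers
#    that MS17-010 lists for this host's OS version.
Get-HotFix |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 15 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 4. Remediation (commented out so the script stays read-only by default):
#    disable the SMBv1 server protocol; a reboot completes the change.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

The check is deliberately split into three read-only steps: step 1 answers the immediate question (is the abused protocol listening), step 2 tells you whether the component can simply be removed, and step 3 gives the evidence needed to confirm the relevant security update is actually installed rather than merely approved in a patch-management console.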