Another major cyberattack attack is quickly spreading across Europe and has now infected systems in the US as well. Researchers at Symantec and other leading security firms are confirming that ransomware is being spread via EternalBlue, an exploit leaked in April by the ShadowBrokers hacking group, which is said to have been stolen from the US National Security Agency.
Posteo, a Berlin-based email provider has issued a statement saying they’ve blocked the email address reportedly being used by the attackers—meaning the victims no longer have a way to contact the attackers and decrypt their computers even after paying the ransom. “We do not tolerate any misuse of our platform: The Intermittent blocking of abused mailboxes is a normal procedure of providers in such cases,” the company said.
"The road to hell is paved with good intentions" - this is exactly about Posteo https://t.co/mZzaccDEbi
— codelancer (@codelancer) June 27, 2017
There were no other means of communication offered by the attackers. At this point, there doesn’t seem to be any point to paying the ransom.
“Oh boy, that’s going to be interesting,” Jason Truppi, director at the endpoint security firm Tanium, told Gizmodo. “This actually creates some interesting conversation. What is the obligation for a provider to keep it up, right? Is it be better to keep it up and let people get their files back—or is it better to keep it down and stop future attackers from thinking that they’re going to get money. I think it’s probably better to keep it up, to be honest.”
— haveibeencompromised (@HIBC2017) June 27, 2017
While large companies are dealing with these threats daily, Truppi says, it’s small- and medium-sized businesses affected now left most vulnerable. “Those are the people that are most concerning because they’re going to want to contact these people that are holding their files for ransom and they’re going to want to pay. Whatever files they’ve lost, that’s the lifeblood of their company.”
The attacks Tuesday were first reported in Ukraine, striking banks, the power utility Ukrenergo, and Kiev’s main airport. It has since spread into Western Europe and the United States. Each infection reportedly demands a $300 payment to decrypt the affected system’s master boot record (MSB), however, the ransomware also appears capable of encrypting individual files as well (potentially after the user reboots their system, though we could not immediately confirm this).
Research into the spread of this particular malware and information sharing about its origin and vector was chaotic throughout Tuesday morning. Initial reports suggested this was a variant of ransomware known as Petya, which originated in early 2016 and infected thousands of computers earlier this year—typically through by way of a phishing email containing a malicious DropBox link to a ZIP file. Petya claimed falsely to cause full-disk encryption, according to MalwareByte Labs.
Rumours spread that Tuesday’s ransomware attack was leveraging a Microsoft vulnerability disclosed in April known as CVE-2017-0199; however, multiple researchers have told Gizmodo that they’ve seen no evidence of this. AlienVault Labs attributed the confusion to a simultaneous attack in Ukraine involving bot malware known as Loki. “We haven’t seen any evidence of Petya using CVE-2017-0199 so far. But we are looking for it actively,” said Emsisoft researcher Fabian Wosar.
If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine. pic.twitter.com/IqwzWdlrX6
— Hacker Fantastic (@hackerfantastic) June 27, 2017
Chief Security Expert Aleks Gostev also informed Gizmodo via Twitter that Kaspersky Lab had seen no evidence of CVE-2017-0199 being leveraged in this attack. Kaspersky put out a statement saying, in fact, that Tuesday’s ransomware was not a variant of Petya at all. To get their point across, they’ve named the ransomware “NotPetya.”
“The company’s telemetry data indicates around 2,000 attacked users so far,” the Russia-based cybersecurity firm said. “Organisations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US, and several other countries.”
“Systems on a global level remain highly vulnerable and selective fixes only serve to perpetuate an attack based on the next vulnerability on what is now a nearly exponentially growing list of exploitable security bugs,” says Mike Ahmadi, a global director at Synopsys Software Integrity Group. “Unless vulnerability management and certification of systems becomes a legal requirement, we can expect to see attacks that are bigger and more sophisticated. As it stands today, it will likely take decades to dig ourselves out of the nearly bottomless pit of vulnerable code making up our infrastructure.”