A type of ransomware researchers have identified as Petya (also called Petrwrap) began spreading internationally on Tuesday. Reported victims so far include Ukrainian infrastructure like power companies, airports, public transit, and the central bank, as well as Danish shipping company Maersk, the Russian oil giant Rosnoft, and institutions in India, Spain, France, the United Kingdom, and beyond.
What makes the rapid escalation of Petya both surprising and alarming is its similarity to the recent worldwide WannaCry ransomware crisis, primarily in its use of NSA exploit EternalBlue to spread through networks.
"It is definitely using EternalBlue to spread," says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. "I confirm, this is a WannaCry situation," Matthieu Suiche, the founder of security firm Comae Technologies, wrote on Twitter.
Microsoft had patched the EternalBlue vulnerability in March, prior to WannaCry's spread in May, which protected some systems from the infection. Based on the extent of damage Petya has caused so far, though, it appears that many companies have put off patching, despite the clear and potentially devastating threat of a similar ransomware spread. These systems apparently remain vulnerable even after Microsoft released multiple patches for legacy systems, like Windows XP, that the company no longer supports. And publicity about the attack led many system administrators to prioritize upgrading their systems for defense.
But Petya's spread using EternalBlue shows how dire the patching landscape really is. McAfee fellow and chief scientist Raj Samani notes that Petya may use other propagation methods as well, for maximum impact.
The Petya ransomware itself has circulated since 2016; its spread has now hastened thanks to malicious upgrades including the use of EternalBlue. It has two components: The main malware infects a computer's master boot record, and then attempts to encrypt its master file table. If it can't detect the MFT, though, it turns operations over to its other component, a ransomware that Petya incorporates called Mischa, and simply encrypts all the files on the computer's hard drive the way most ransomware does.
In either case, once infected a computer displays a black screen with red text that reads, "If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service." Then the ransomware asks for $300 in bitcoin—the same amount WannaCry demanded.
It's not yet clear where the wave of attacks originated or who is behind it. "Everyone talked about Ukraine first, but I don't know. It's worldwide," says MalwareHunterteam, a researcher with the MalwareHunterTeam analysis group.
Most troubling, perhaps, is that Petya doesn't appear to incorporate the errors that stunted WannaCry's spread. The amateurish mistakes that marked that earlier outbreak limited both the scope and the eventual payouts collected; WannaCry even included a "kill switch" that shut it off entirely and that security researchers used to control its spread. Petya doesn't seem to have a kill switch function—which means there's no way to stop it yet.
The only potential good news? Enough people may have patched since WannaCry to forestall a breakout on the same scale.
"I think the outbreak is smaller than WannaCry, but the volume is still quite considerable," Samani says. "This is particularly nasty. It’s not as widespread, but it’s certainly quite significant."
So far, this round of attacks has netted 1.5 bitcoin, or around $3500. That may not seem like much so far, but the number has steadily increased since the first reports broke this morning.
We’ll continue to update this story as it develops and details become clear.
