Last update: 6/28/2017 at 11:49am — This is a developing story and we will update it as we learn of new details. 

What is going on?

According to Motherboard and various international publications, another wave of ransomware is reportedly infecting computers in Spain, France, Ukraine, Russia, Britain, Denmark and several other countries. It is currently unknown who the attackers are and if the attack is related to the recent WannaCry outbreak

What is a ransomware attack? We’ll tell you everything you need to know, including latest updates on the WannaCry ransomware attack.

What is Petya/NotPetya/SortaPetya ransomware?

[UPDATE] According to BleepingComputer, during the first hours of the attack, researchers initially believed that the ransomware was a new version of the Petya threat; however, this appears to be a new variant which uses some code from Petya, hence why several publications are now calling the outbreak Petya/NotPetya/Petna/SortaPetya.

According to a report from Symantec, Petya is ransomware strain that was discovered last year. A new strain of Petya, called Petrwrap, was initially believed to be the strain of ransomware that began propagating on Tuesday, according to Symantec.

According to Costin Raiu of Kaspersky Lab and anti-virus company Avira, this variation of the Petya ransomware is using the EternalBlue exploit, which was created by and stolen from the US National Security Agency (NSA) and leaked by the group called The Shadow Brokers in April. This exploit–which was also used by WannaCry–takes advantage oof the “MS17-010” vulnerability mainly found in unpatched Windows 7, Windows Server 2008, or earlier versions of the Windows operating system.

Is this the same as the WannaCry ransomware attack? 

Andrew Avanessian, vice president of the security firm Avecto, tells Spiceworks in an interview that “WannaCry was a quite sloppy attack in many respects. It had a kill switch built in that talked to a command center — we think it was detecting whether WannaCry was working on a virtual machine or not.”

“Petrwrap is more sophisticated: Once it’s on a PC, it overrides the master boot record on the hard disk thereby corrupting the operating system. When you reboot that machine, it boots up into a mini-version of an operating system installed by Petrwrap. That operating system takes hold of the PC and puts it in the firm control of the cybercriminals,” Avanessian says.

[UPDATE] We should also note, as Serper discovered, the Petya/NotPetya ransomware strain does not have a kill switch domain that would prevent the attack from spreading, like WannaCry. Moreover, ZDNet notes that this new Petya/NotPetya strain has more functionality, “including the encryption of full hard drives and the ability to use PSExec on a system it has administrative credentials on, allowing it to duplicate the ransomware on any system on a network.”

Moreover, initial photos of an infected computer screen posted on Twitter seem to differ from the WannaCry ransomware display. The photo shows red text which claims, “If you see this text, then your files are no longer accessible because they are encrypted,” followed by instructions to send $300 worth of bitcoins.

Who has been affected? 

There have been reports on Twitter of several hospitals, airlines, utility services, and private companies, including WPP, Rosneft, DLA Piper, Mondelez, and Maersk are being hit by the attack. The Verge is also reporting that Ukrainian businesses are the hardest hit, “with systems compromised at Ukraine’s central bank, state telecom, municipal metro, and Kiev’s Boryspil Airport.”

In addition, security researchers and firms also confirmed the attack to Motherboard, including Raiu who noticed “thousands of infection attempts at the moment, comparable in size to Wannacry’s first hours.”

Is there a way to stop Petya/NonPetya from spreading?

 

[UPDATE] To date, the unknown attackers have managed to rack up 3.99 bitcoin, or $10,038.80, according to Motherboard.

[UPDATE] Cybereason security researchers Amit Serper says he found a vaccine (not a cure) for the Petya/NonPetya ransomware worm.

Do we know who is behind the attack?

We currently do not know who is behind the attack, but Infosecurity Magazine is citing an analysis by CyberArk Labs, which notes the Petya/NonPetya variants “appear not to affect Windows endpoints that are configured to use a US English-only keyboard,” which leads researchers to believe this could be a state-sponsored attack.

How can I protect myself from ransomware? 

For individual consumers, here’s how to protect yourself:

  • Update your software immediately – Microsoft released a software update to patch this vulnerability in March, so make sure you install the latest software update as soon as possible. Also, always keep your device up-to-date by enabling automatic updates or creating a reminder to check for updates at least once a month.
  • Backup your devices – Backup your files and data in a portable hard drive or to the cloud.
  • Install a robust antivirus and anti-malware program and make sure to use firewalls. If you have the resources, consider installing an anti-spam and anti-phishing software as well.
  • Learn how to identify malicious emails – If you receive an email from a person or company you don’t know, avoid clicking any links or opening any attachments.
  • Enable a pop-up blocker – To avoid drive-by downloads, add and enable a pop-up blocker on your web browsers.

In addition to the tips above, KnowBe4 offers tips on how business owners and other organizations can take extra precautions to protect their company’s data from ransomware:

  • Consider endpoint protection products, like real-time executable blocking or whitelisting.
  • Invest in cybersecurity awareness training – Attackers rely heavily on employees falling for phishing and social engineering scams via email. Teach your staff members how to identify potentially malicious emails, websites, ads, and file extensions.
  • Implement software restriction policies to areas of your network.