'NotPetya' ransomware hits '2,000 organisations' in WannaCry-style global outbreak

Attack uses multiple vectors, including NSA exploit EternalBlue

A massive outbreak of ransomware, first spotted in Ukraine on Tuesday, is spreading worldwide. Affected targets so far have included radiation detection systems at Chernobyl, pharmaceutical companies and hospitals.

The ransomware, dubbed 'NotPetya' given its similarities to Petya, first made headlines on Tuesday afternoon when it crippled national infrastructure in Ukraine, taking down airports, banks and government systems.

Security outfit Bitdefender was quick to liken the outbreak to the GoldenEye ransomware family.

"Preliminary information shows that the malware sample responsible for the infection is an almost identical clone of the GoldenEye ransomware family. At the time of writing, there is no information about propagation vector but we presume it to be carried by a wormable component," it said.

"Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims computers from being booted up in a live OS environment and retrieving stored information or samples."

Since Tuesday, NotPetya - which infects computers on a local network and demands about $300 in Bitcoin to unscramble files - has made its prescence felt globally, with reports claiming that it has also hit transport firm TNT, Chernobyl radiation detection systems, a US hospital and a chocolate factory in Australia.

According to Kaspersky, a total of 2,000 organisations across the globe have been affected so far, including some businesses in the UK.

Early investigations by the security firm have also identified the ransomware as employing multiple infection strategies, including a modified version of the EternalBlue exploit which was the primary way the recent WannaCry virus spread. This was patched by Microsoft in March, suggesting that thousands of organisations are yet to apply the fixes.

Chris Wysopal, co-founder at CTO of Veracode, commented: "The easiest and best way to prevent the EternalBlue exploit from working is to run Windows Update.

"Because [the] WannaCry kill switch worked, the pain stopped, and many orgs did not complete patching their Windows. This shows the day-to-day fire drill that many IT teams work under and the reality that patching in many organisations is hard. Once they heard that WannaCry was stopped they moved on to other more pressing work

"This attack seems to be hitting large industrial companies like Maersk shipping company and Rosneft oil company. These organisations typically have a challenge patching all of their machines because so many systems cannot afford to have any down time. Airports and hospitals also have this challenge."

It's still unclear where the ransomware came from, but MalwareTech, who recently discovered the killswitch to halt the recent WannaCry attack, has backed up several analyst's reports pointing to a popular Ukrainian accounting software as being the source.

The software, called "MeDoc", was allegedly hacked recently, and reports claim that that the automatic update feature sent the ransomware to all computers using the software. Malwarebytes has published a blog on the topic.

Kobi Ben Naim, senior director of cyber research at CyberArk Labs, has noted that the attack is not targetting endpoints using a US English-only keyboard: a tactic seen before in nation state attacks.

On Twitter, security expert Kevin Beaumont predicts that things are only going to get worse, saying: "I think this will be bigger than WannaCry. It's much better designed."

Computing 's next security websem, 'Threat lifecycle management - a six-point stage workflow plan', will take place on the 6th July at 11am.