Cadbury’s chocolate making facility in Hobart and the Sydney office of law firm DLA Piper are understood to have fallen victim to a new global ransomware attack.
Infosec experts at McAfee said the ransomware – dubbed NotPetya – was a “nasty variant that encrypts files and the computer’s master boot record, rendering the machine unusable”.
Since the WannaCry attack just a few weeks ago prompted many people to apply the latest Windows patches to protect themselves, NotPetya introduced “more spreading mechanisms to be more successful”, McAfee said.
Security vendor Symantec said NotPetya, a variant of Petya, propagates itself like WannaCry by exploiting the SMB vulnerability addressed in Microsoft bulletin MS17-010, using the exploit also known as EternalBlue.
EternalBlue was created by the United States National Security Administration, and leaked by the Shadow Brokers hacker group in April 2017.
“NotPetya malware is behind what is quickly emerging as another devastating global ransomware incident, one with the potential to be even more damaging than WannaCry,” said Kobi Ben Naim, senior director of cyber research at CyberArk Labs.
“NotPetya is spreading using the incredibly efficient infection method used by WannaCry – a worm that quickly spreads the ransomware using the SMB vulnerability in Microsoft systems. The combination is potent and has the potential to inflict massive damage on scales we have not witnessed before.”
CyberArk Labs research found that NotPetya requires administrative rights to execute, so if a user clicks on a phishing link, the ransomware will still infect the network.
“In addition to patching, organisations need to be focused on protecting privileged credentials at the endpoint to avoid them being utilised to execute this attack,” Naim added.
Update: IT security firm ESET have said that paying the ransom is no longer possible as the email to send the Bitcoin wallet ID and “personal installation key” has been shut down by the provider.
Here, there, Ransomware
Organisations in the UK, Ukraine, Netherlands, Spain, the United States and elsewhere have been affected by the ransomware attack, which demands users send US$300 in Bitcoin to recover their files.
Telemetry from Kaspersky Labs indicates more than 2,000 attacks worldwide.
Ukrainian firms, including the state power company and the country’s central bank, Russia’s biggest oil producer Rosneft, Danish shipping company Maersk, Netherlands-based shipping company TNT and US pharmaceutical-maker Merck have all reported issues as a result of the attack.
Vice Prime Minister of Ukraine Pavlo Rozenko tweeted that the country’s Secretariat of the Cabinet of Ministers’ computer systems were down.
Ta-dam! The Secretariat of the Cabinet of Ministers has apparently been "brought down" too. The network is down. pic.twitter.com/B74jMsT0qs — Rozenko Pavlo (@RozenkoPavlo) June 27, 2017
In Australia, a tweet by ABC Radio Tasmania presenter Leon Compton purports to show the ransom screen at Cadbury’s Hobart facility.
According to ABC reports, Australian staff of DLA Piper were told via text that it had been the victim of a "major cyber incident" overnight.
A sign said to be from the firm's Washington office warns employees not to turn their computers on.
The Australian Government urged small businesses to take “urgent action to improve their cyber security” in the wake of the new attack.
"We are aware of the situation and monitoring it closely, we are in contact with our Five Eyes partners," said Minister Assisting the Prime Minister for Cyber Security, Dan Tehan.
"It appears to be the same vulnerability as Wannacry. This ransomware attack is a wake-up call to all Australian businesses to regularly backup their data and install the latest security patches."
Businesses that believe they could be infected are urged to visit the Australian Cyber Security Centre (ACSC) website or call 1300 292371 (1300CYBER1) for more information.