A massive new ransomware attack that started in Ukraine is spreading across Europe and the United States, according to and multiple other sources. Prominent companies that have been affected are the Danish shipping company Maersk and the British advertising company WPP.
The ransomware appears to be related to the , which is currently detected by ESET as Win32/Diskcoder.C Trojan.
ESET users can find instructions to ensure the highest level of protection against this threat . In addition, here is an about the new malware. Additionally, any ESET product with network detection protects against the SMB spreading mechanism, EternalBlue, proactively.
The scale of the attack is being compared to the recent WannaCry outbreak. ESET protects both and against WannaCry.
ESET researchers have located the point from which this global epidemic has all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanized update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today which spread across the whole country and to the whole world. M.E.Doc has today released a warning on their website: .
The Petya malware attacks a computer’s MBR (master boot record), a key part of the startup system that contains information about the hard disk partitions and helps load the operating system. If the malware successfully infects the MBR, it will encrypt the whole drive itself. Otherwise, it encrypts all files, like .
The new malware appears to be using a combination of the EternalBlue exploit used by for getting inside the network, then spreading through PsExec for spreading within it.
To check if your Windows operating system is patched against it, use ESET's free .
This powerful combination is likely the reason why the outbreak is spreading quickly, even after previous outbreaks have generated headlines and most vulnerabilities should have been patched. It only takes one unpatched computer to get inside the network. From there, the malware can take over administrator rights and spread to other computers.
In Ukraine, the financial sector, energy sector and numerous other industries have been hit. The scope of the damage caused to the energy sector is not yet confirmed, and there has been no reports of a power outage, as was the case previously with the that was discovered by ESET.
An image that reportedly shows the ransomware message is making the rounds online, including one from with the following message (which we’ve paraphrased):
“If you see this text, then your files are no longer accessible, because they have been encrypted … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment [$300 bitcoins] and purchase the decryption key.”
- Use reliable antimalware software: This is a basic but critical component. Just because it’s a server, and it has a firewall, does not mean it does not need antimalware. It does! Always install a reputable antimalware program and keep it updated.
- Make sure that you have all current Windows updates and patches installed
- Run ESET’s to see whether your Windows machines are patched against EternalBlue exploit, and patch if necessary.
- For ESET Home Users: .
- For ESET Business Users: or .
For more on Petya and crypto-ransomware, from ESET’s WeLiveSecurity.com blog.
For business enquiries and more information on how to protect your business from ransomware, please visit: https://sg.store.eset.com/ransomwareprotectionapac
This blog post will be updated as new information comes in.