Petya Ransomware Devastates Ukraine and Infects Institutions Worldwide

On June 27, authorities worldwide confirmed that a ransomware, named Petya (aka, NotPetya or GoldenEye), infected a massive number of organizations and institutions across the world, over two thousand at last count. The attackers are demanding $300 (US) in Bitcoin for each infected machine to regain access to the encrypted files. Multiple sources, including the National Cyber Security Centre (UK), the Reporting and Analysis Centre (Switzerland), and the Federal Office for Information Security (Germany), confirmed that the virus is exploiting the Server Message Block vulnerability. This is the same vulnerability the WannaCry virus exploited last month.

The earliest confirmed reports came from Ukraine where the ransomware has disrupted the entire country’s infrastructure. The deputy Prime Minister, Rozenko Pavlo, confirmed infection of all government computers. The national power company and Ukraine’s national bank confirmed an attack that included disabling ATMs. Ukraine’s primary airport, Boryspil International, experienced computers and flight boards going down which interfered with all inbound and outbound flights. The cyber attack crippled the monitoring system for the Chernobyl exclusion zone. Authorities there are manually monitoring the radiation until they can bring the system back online.

Continued Russian Aggression Against Ukraine?

Some in the Ukrainian government are blaming Russia for the attack. They say that the cyber attack on the country is not a coincidence because June 28 is Ukraine’s Constitution Day. Furthermore, hours before the virus infected systems, a car-bomb assassinated a high-ranking Ukrainian intelligence officer, Colonel Maksim Shapoval. Taken in context of continued Russian aggression against the Ukraine, it is hard not to make this connection.

However, Russia denies orchestrating the ransomware attack. There is the fact that the Russian oil firm Rosneft confirmed that its servers were attacked. Other major targets include the Danish conglomerate Maersk, the largest container shipping company in the world, and the US pharmaceutical company Merck. Companies in Denmark and Spain have also confirmed attacks by the same virus.

Exploits and Patches

Early analysis shows that Petya is employing the NSA exploits EternalBlue and EternalRomance, as well as EsteemAudit. Microsoft has released patches for these exploits since March, so it is not known if these were insufficient to block the infection or if the affected institutions did not install the patches.

We will learn more over the next few days about the global extent of the attack, though it may be a month or two before we truly understand the economic and social costs.