What to know about this global cyber attack

Researchers think it could be a malware that's been sold on the dark web's black market.
An ATM at a bank in Ukraine.

There's another global cyber attack happening, and so far it's hit airports, power companies, banks, a hospital, a Russian oil giant and others.

This is once again ransomware: when the malware gets into a computer it encrypts the files, locks the user out, and demands payment to get the files back. In that sense it's like the WannaCry ransomware that hit more than 200,000 computers last month.

But this one also overwrites a key portion of the main hard drive (the master boot record, which the machine needs in order to start up), Symantec explains, so recovery is more complicated.

This newly unleashed malware then forces the computer to restart, Bitdefender says, and when it boots back up the screen shows a ransom note.

It's a demand to send $300 in Bitcoin (about 0.12 BTC) to a digital wallet. And then the hackers will let you unlock all your files ... allegedly. Many people have doubts.

Because Bitcoin transactions are public, you can watch a wallet address to see activity. The block explorer at Blockchain shows that particular address has received more than 2.786 Bitcoins, which is over $6,500.

Where it's hit so far

Most of the infections recorded so far have been in Ukraine and the Russian Federation, followed by Poland, Germany and Italy, according to Kaspersky analyst Costin Raiu. It has shown up on ATMs, at grocery stores, and at a hospital system in Pittsburgh.

Maybe the biggest U.S. company hit is Merck: a pharma business based in New Jersey.

But there are rumblings about more infections, including a leading law firm based in Washington, D.C.

Kaspersky Lab said at 12:12 p.m. that it had detected more than 2,000 users attacked with this ransomware so far Tuesday, and called it a "complex attack."

Update: It's worth noting, as Malware Tech points out, this attack only spreads to computers on the same local network – it doesn't appear to get sent over the internet to random users.

"I.e. you are extremely unlikely to be infected if you’re not on the same network as someone who was already infected," the site writes.

Nobody's quite sure what it is yet

A lot of researchers and cybersecurity groups, such as Symantec, think it's some variant of Petya, aka PetrWrap, a malware family that first popped up in 2016 and has been sold on the dark web's black market. Bitdefender also refers to it as GoldenEye.

But there are still questions about what it is, and Kaspersky is one of the firms tweeting #NotPetya to try to make that point.

Researchers (such as Talos Intelligence), though, seem pretty sure it spreads from one computer to the next using an exploit called EternalBlue, the same SMB security hole that WannaCry used. EternalBlue is said to have been developed by the NSA, then leaked publicly by a group of hackers.

Then there's the question of how it got onto a user's computer in the first place. Email might have been involved, well-known researcher MalwareTechBlog tweeted. But there were likely other ways in, possibly including a piece of financial software known as MeDOC.

So ... what should I do?

If you're using a Windows computer, make sure you've installed all the security updates. Microsoft patched the EternalBlue hole months ago, in the March 2017 update MS17-010. Note that the patch only closes the EternalBlue route between machines; it doesn't help against the other ways in mentioned above.
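For readers who want a quick way to check a machine, here is an added example (not code from the article or from any of the vendors it quotes) of how a Windows admin might confirm the MS17-010 fix is present and that the SMBv1 protocol EternalBlue targets is turned off. The KB numbers are the MS17-010 updates as I recall them and should be confirmed against Microsoft's bulletin; Get-SmbServerConfiguration needs Windows 8 / Server 2012 or later.

```powershell
# Added example: check a Windows host for the MS17-010 (EternalBlue) fix
# and for SMBv1 being enabled. Run in an elevated PowerShell prompt.
#
# KB numbers are from memory of the MS17-010 bulletin; verify them there.
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # Vista / Server 2008, and the XP / 2003 out-of-band
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

# Get-HotFix lists installed updates by their KB identifier.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$found = $ms17010Kbs | Where-Object { $installed -contains $_ }

if ($found) {
    Write-Host "MS17-010 update present: $($found -join ', ')"
} else {
    # Later cumulative updates supersede these KBs, so absence here is not proof
    # the host is vulnerable; check Windows Update history as well.
    Write-Warning "None of the original MS17-010 KBs found; confirm via Windows Update history."
}

# EternalBlue abuses SMBv1. Even on a patched host, disable it unless something
# on the network still needs it.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
if ($smb1Enabled) {
    Write-Warning "SMBv1 server is ENABLED. Disable with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
} else {
    Write-Host "SMBv1 server is disabled."
}
```

The two checks are independent: a machine can carry the patch and still have SMBv1 on, and a machine updated only through later cumulative rollups will show none of the listed KBs while still being fixed, which is why the script treats a missing KB as a prompt to look further rather than a verdict.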

But there's some worry about how far this might spread.

WannaCry was only slowed down when a researcher – the above-mentioned MalwareTechBlog – accidentally found the kill switch.

But as WIRED notes, this Petya/PetrWrap/Goldeneye ransomware doesn't appear to have any type of kill switch built in.

"After a host is infected, there is no communication from the malware back to the attacker," Palo Alto Networks writes.