Earlier this week, a cyberattack against Ukraine that affected some of its critical infrastructure spread to other parts of the world. The so-called “ExPetr/NotPetya/Petya/PetrWrap” locking malware locked down unprotected PCs and generally made a nuisance of itself in Ukraine, Russia, Spain, India and the US.
We have even heard of South African businesses being affected.
Cybersecurity firm Kaspersky sent out a release today that said “Our experts have named [the malware] ExPetr (others call it Petya, PetrWrap, and some other names). The key difference with this new ransomware is that this time, criminals have chosen their targets with greater precision: Most of the victims are businesses, not consumers.”
ExPetr initially appeared to be just another ransomware attack, possibly even a variant of the WannaCry malware that attacked in May, as it claimed it had encrypted important system files and wanted $300 worth of the cryptocurrency Bitcoin to unlock them. Attackers provided a Bitcoin wallet address for the payment, and an email address for proof of payment.
However, that email address turned out to be fake. Instead of encrypting files, the malware actually deleted critical Windows files and effectively “bricked” the infected machines.
Kaspersky discovered that the malware doesn’t generate an installation ID, meaning there’s no way to identify each infected machine and thus no way to actually decrypt anything. Because of this, Kaspersky believes the intention of the attackers was never to make money, but rather to disrupt.
And disrupt it has: so far, ExPetr has delayed flights at Kiev’s Boryspil airport and affected companies as disparate as British advertising firm WPP, Russian oil producer Rosneft and Danish shipping firm Maersk, which all reported that their systems had been hit by a cyberattack on Tuesday.
ExPetr also hit the Chernobyl power plant. Express.co.uk reported on Tuesday that staff were “…unable to access reports and metrics on their computers”, but also that “…a computer team [has] been working to keep the situation in Chernobyl under control.”
So far, nobody knows who is behind the attacks. Right now, Kaspersky says the best things to do are the following:
- If you’re infected, DO NOT pay the ransom. The attackers can’t help you.
- Ensure critical PCs, servers and backup servers are on their own isolated network segment.
- Split the remaining network into subnets or virtual subnets with restricted connections, connecting only those systems that require it for technology processes.
- Install all of the latest software and operating system patches.