Major ransomware attack spreads rapidly across Europe
Companies, government departments and airports in the Ukraine have been hit by ransomware this afternoon and the attack now appears to be spreading across Europe.
In Ukraine, government departments, the central bank, a state-run aircraft manufacturer, Kiev airport and the metro network have all been hit. In the UK, the advertising company WPP says its systems have also been taken down, and Danish transport company Maersk reports sites and business units shut down by the attack.
Ukranian media also reports that systems at the Chernobyl nuclear plant have been affected by the attack. Details are still emerging but it appears that the attack, dubbed 'Petya' doesn’t just encrypt data for a ransom, but hijacks computers, and prevents them from working altogether.
Mark Noctor, VP EMEA at Arxan Technologies, says, "Some threat intelligence reports indicate that the banking trojan Loki Bot, which can infect native Android OS libraries, was used in the attack, demonstrating that everything from external firewalls to mobile apps and endpoints themselves are vulnerable to exploitation by high level attackers. Organizations making use of mobile apps, particularly high risk areas such as banking and finance, much ensure they deploy advanced security measures such as code hardening and debugger detection to minimize the threat of apps being used to target core infrastructure."
Analysts at Malwarebytes believe the delivery method is the same as that used by WannaCry. "We are researching the attack as we speak, and so far it is too soon to tell the extent. What we have uncovered is that the ransomware seems to be distributed by Server Message Block (SMB), which is the same as the WannaCry incident that came before it."
"It has been widely reported that this attack exploits the same vulnerability used by WannaCry (EternalBlue). Given the notoriety that WannaCry achieved, it’s surprising to see that organizations are falling victim to a vulnerability that has been public knowledge since earlier this year," says Andrew Avanessian, vice president at endpoint security company Avecto. "We are living in an increasingly connected world, but that means malware infections can spread in the blink of an eye. This instance again shines a light on the need for companies to focus on prevention when it comes to cyber security, rather than being passive and assuming there will be a cure when the worst happens."
Security expert Graham Cluley reports that the attack is using a backdoor called 'Eternal Blue' built by the NSA in order to spread.
We'll bring you more news as it emerges, but in the meantime let's be careful out there.