Another major cyberattack attack is quickly spreading across Europe and has now infected systems in the US as well. Researchers at Symantec and other leading security firms are confirming that ransomware is being spread via EternalBlue, an exploit leaked in April by the ShadowBrokers hacking group, which is said to have been stolen from the US National Security Agency.
Posteo, a Berlin-based email provider, has issued a statement saying they have blocked the email address reportedly being used by the attackers — meaning the victims no longer have a way to contact the attackers and decrypt their computers even after paying the ransom. "We do not tolerate any misuse of our platform: The intermittent blocking of abused mailboxes is a normal procedure of providers in such cases," the company said.
"The road to hell is paved with good intentions" - this is exactly about Posteo https://t.co/mZzaccDEbi
— codelancer (@codelancer) June 27, 2017
As there were no other means of communication offered by the attackers, there no longer seems any point to paying the ransom.
"Oh boy, that's going to be interesting," said Jason Truppi, director at the endpoint security firm Tanium. "This actually creates some interesting conversation: What is the obligation for a provider to keep it up, right? Is it be better to keep it up and let people get their files back — or is it better to keep it down and stop future attackers from thinking that they're going to get money? I think it's probably better to keep it up, to be honest."
— haveibeencompromised (@HIBC2017) June 27, 2017
While large companies are dealing with these threats daily, Truppi says, it is the small- and medium-sized businesses affected now left most vulnerable. "Those are the people that are most concerning because they're going to want to contact these people that are holding their files for ransom and they're going to want to pay. Whatever files they have lost, that's the lifeblood of their company."
The attacks Tuesday were first reported in Ukraine, striking banks, the power utility Ukrenergo and Kiev's main airport. It has since spread into Western Europe and the United States. Each infection reportedly demands a $300 bitcoin payment to decrypt the affected system's master boot record (MSB); however, the ransomware also appears capable of encrypting individual files as well upon reboot.
If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine. pic.twitter.com/IqwzWdlrX6
— Hacker Fantastic (@hackerfantastic) June 27, 2017
Research into the spread of this particular malware and information sharing about its origin and vector was chaotic throughout Tuesday. Initial reports suggested this was a variant of ransomware known as Petya, which originated in early 2016 and infected thousands of computers earlier this year — typically by way of phishing emails containing a malicious DropBox link. Petya claimed falsely to cause full-disk encryption, according to MalwareByte Labs.
Rumours also circulated that Tuesday's major attack was leveraging a Microsoft vulnerability disclosed in April known as CVE-2017-0199; however, multiple researchers have told Gizmodo that they have seen no evidence of this. AlienVault Labs attributed the confusion to a simultaneous attack in Ukraine involving bot malware known as Loki. "We haven't seen any evidence of Petya using CVE-2017-0199 so far. But we are looking for it actively," said Emsisoft researcher Fabian Wosar.
Супермаркет в Харькове pic.twitter.com/H80FFbzSOj
— Mikhail Golub (@golub) June 27, 2017
Chief Security Expert Aleks Gostev also told Gizmodo via Twitter that Kaspersky Lab had seen no evidence of CVE-2017-0199 being leveraged. Kaspersky put out a statement saying that Tuesday's ransomware was not, in fact, a variant of Petya at all. To get the point across, the firm named the ransomware "NotPetya".
"The company's telemetry data indicates around 2000 attacked users so far," the Russia-based cybersecurity firm said. "Organisations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries."
"Systems on a global level remain highly vulnerable and selective fixes only serve to perpetuate an attack based on the next vulnerability on what is now a nearly exponentially growing list of exploitable security bugs," says Mike Ahmadi, a global director at Synopsys Software Integrity Group. "Unless vulnerability management and certification of systems becomes a legal requirement, we can expect to see attacks that are bigger and more sophisticated. As it stands today, it will likely take decades to dig ourselves out of the nearly bottomless pit of vulnerable code making up our infrastructure."
Additional reporting by Kate Conger.