Huge 'Petya' ransomware attack hits Europe, sparks mass disruption

A new ransomware attack has hit organizations across Europe, sparking mass disruption, particularly in Ukraine.

Company and government officials reported serious intrusions at the Ukrainian power grid, banks and government offices, where one senior official posted a photo of a darkened computer screen and the words, “the whole network is down.” Flights were also disrupted as systems in Kiev’s Boryspil Airport were affected by the 'Petya' ransomware.


Russia’s Rosneft oil company also reported falling victim to hacking, as did Danish shipping giant A.P. Moller-Maersk.

“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack. We continue to assess the situation. The safety of our employees, our operations and customers’ business is our top priority. We will update when we have more information,” Maersk tweeted Tuesday.

London-based ad agency WPP also confirmed it had been attacked in a tweet.

The number of companies and agencies reportedly affected by the ransomware campaign was piling up fast, and the electronic rampage appeared to be rapidly snowballing into a real-world crisis. Dutch daily newspaper Algemeen Dagblad says that container ship terminals in Rotterdam run by a unit of Maersk were also affected. Rosneft said that the company narrowly avoided major damage.


“A massive hacker attack has hit the servers of the Company,” it tweeted on Tuesday. “The cyber attack could lead to serious consequences, however, due to the fact that the Company has switched to a reserve control system … neither oil production nor preparation processes were stopped.”

Ransomware is the name given to programs that hold data hostage by scrambling it until a payment is made. The latest attack comes hot on the heels of the recent WannaCry ransomware that wreaked havoc across the globe.

There’s very little information about what might be behind the disruption at each specific company, but experts have been scrambling to identify the specific type of ransomware deployed and its origins. “The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp,” tweeted Kaspersky Lab researcher Costin Raiu.

Romanian cybersecurity firm Bitdefender said that the massive ransomware campaign is unfolding worldwide, adding that it is an almost identical clone of the ‘GoldenEye’ ransomware family. “Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer,” explained Bogdan Botezatu, senior e-threat analyst at Bitdefender, in a blog post. “However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer.”


“After the encryption process is complete, the ransomware has a specialized routine that forcefully crashes the computer to trigger a reboot that renders the computer unusable until the $300 ransom is paid,” Botezatu added.

He said that it was likely the ransomware is spreading through a “wormable exploit” - cybersecurity lingo for a program that can spread automatically across a network without the need for human interaction. Worms are particularly feared because they can spread rapidly, like an extremely contagious cold.

The world is still recovering from a previous outbreak of ransomware, called WannaCry or WannaCrypt, which spread rapidly using digital break-in tools originally created by the U.S. National Security Agency and recently leaked to the web. WannaCry affected over 300,000 computers worldwide.


Symantec Security Response reports that the latest round of ransomware hitting Europe is also harnessing the same Windows exploit. “Symantec analysts have confirmed #Petya #ransomware, like #WannaCry, is using #EternalBlue exploit to spread,” it tweeted.

“Eternal Blue was developed by the United States' National Security Agency for the purpose of infecting the computers of those it wished to spy upon,” wrote security expert Graham Cluley, in a blog post Tuesday. “Eternal Blue was a key part of how the WannaCry ransomware spread so quickly earlier this year, and *has* now been patched by Microsoft for some months. Clearly, however, many organisations have still failed to put those security patches in place.”

“This is an illustration of the problems associated with old, insecure systems remaining in use,” said Shape Security CTO Shuman Ghosemajumder, in a statement emailed to Fox News. “Last month's WannaCry did not affect Windows computers for which Microsoft previously issued a patch, but unpatched versions (particularly Windows 7 and XP versions) were vulnerable. Windows XP is technically no longer supported by Microsoft, but they took the extraordinary step of issuing a new patch in May after WannaCry came out, to help prevent further infections. However, it is safe to say that many Windows XP users have still not patched their systems.”

The Associated Press contributed to this article.

Follow James Rogers on Twitter @jamesjrogers