kaptn - Fotolia

Another global ransomware attack underway as reports of Petya exploit spread

Latest cyber attack appears to be based on the same EternalBlue exploit used by the WannaCry ransomware that hit the NHS in May

Another major ransomware outbreak is taking place around the globe, with organisations in Europe and the UK already affected.

The new ransomware was initially reported as Petya, which, according to Symantec, is based on the same EternalBlue exploit used by the WannaCry attack that hit the NHS last month. Later reports from researchers at Kaspersky Lab, however, suggested that it may not be a variant of Petya, but confirmed it is based on EternalBlue.

"This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network," said Kaspersky in a tweet.

Kaspersky suggested that 2,000 users had been attacked as of approximately 6.00pm on 27 June, with indications of organisations affected in Russia, Ukraine, Poland, Italy, UK, Germany, France and the US, among others.

Firms in Ukraine were among the first to report issues, while UK advertising agency WPP has also reported problems. Shipping company Maersk said on Twitter that IT systems in the UK and elsewhere have been affected.

“We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack. We continue to assess the situation. The safety of our employees, our operations and customers’ business is our top priority. We will update when we have more information,” the company said in a tweet.

The UK’s National Cyber Security Centre (NCSC) also confirmed it was looking into the attack. “We are aware of a global ransomware incident and are monitoring the situation closely,” said an NCSC spokesperson. “The NCSC website provides advice to the public and business on how to protect your digital systems.”

EternalBlue targets a known vulnerability in the server message block protocol in Microsoft Windows. It is believed the exploit was developed by the US National Security Agency (NSA) and then released by the hacking group Shadow Brokers who claim to have stolen it from the NSA. Microsoft has since issued a patch for the vulnerability. 

“Symantec analysts have confirmed Petya ransomware, like WannaCry, is using EternalBlue exploit to spread,” said the Symantec security response team in a tweet.

The WannaCry ransomware attack that shut down NHS hospital services in the UK and spread across 150 countries was also based on EternalBlue. The new Petya attack follows a similar pattern of encrypting files and asking for payment of $300 in Bitcoin to release the computer.

Rob Wainwright, executive director of European Union crime agency Europol, said in a tweet: “We are urgently responding to reports of another major ransomware attack on businesses in Europe.”

Security experts are warning businesses that cyber attacks such as this are increasingly becoming the “new normal”.

“These public outings of large, high-profile attacks are becoming more frequent, faster-acting and more damaging.  Essentially, every organisation, regardless of size or industry, is vulnerable,” said Ross Brewer, European managing director at LogRhythm.

Jason Allaway, vice president UK and Ireland at RES, added: “Following the WannaCry attack, it was only a matter of time before we saw another major ransomware incident. As this attack continues to spread globally, firms in all industries need to tighten the hatches and ensure they have the processes in place to minimise the risk.”

Security researchers found that Windows 7 devices, particularly running the 64-bit edition, were the worst affected by last month's WannaCry attack and were responsible for its wide and fast spread.

Read more about ransomware

Read more on Hackers and cybercrime prevention