On June 27, companies around the world began reporting that their computer systems had been breached by a ransomware attack known as the NotPetya virus. The virus works by locking down the hard drives of infected computers and demanding a $300 ransom in Bitcoin, an electronic currency that allows for anonymous transactions. About 12,500 machines running older versions of Windows in Ukraine were initially targeted, but the malware quickly spread to infect companies in over 64 countries. At least 45 people have paid to have their computers unlocked. The variety of organizations and systems that have been hit ranges from large international businesses, including the Russian energy company Rosneft and the Danish shipping company Maersk, to the metro system in Kiev and the monitoring system of Chernobyl’s nuclear power plant. The impact on Maersk, which handles one in seven containers worldwide, has been especially severe, with ports in Mumbai, Rotterdam, and LA experiencing disruptions; the company has also been unable to process orders, and its 76 terminals are experiencing increasing congestion.

Maersk container ship at Gothenburg Port (Wikimedia/Marcusroos)

The NotPetya ransomware attack has been reported at a broad range of companies throughout Europe, Asia, and the United States. It appears that the attack is designed to target the computer systems of companies and organizations rather than individual users. The top three sectors attacked were: finance – 30% of attacks, oil & gas – slightly more than 25%, and manufacturing – slightly less than 25%. These attacks pose a large threat to critical infrastructure and industrial companies because they can undermine process controls and automation systems, and potentially place lives at risk. About 60% of attacks are estimated to have occurred in Ukraine, and 30% of attacks have occurred in Russia. As seen in the Maersk breach, the virus has demonstrated the potential to delay shipments, causing economic damage and logistical nightmares for supply chain systems.

Security experts suspect that this is a new variant of the previously known Petya ransomware, spread using “EternalBlue,” a Windows exploit that was discovered and used as a hacking tool by the NSA prior to being leaked to the public. The malware is thought to have originated with the Ukrainian tax-filing software MEDoc, whose update system was compromised so that it downloaded and ran malware instead of the actual update. Kaspersky researchers refer to it as “NotPetya.” Malware experts have reached a consensus that NotPetya is a “wiper” designed to inflict permanent damage, as opposed to traditional ransomware designed to extract profit; users who paid were unable to recover their files. Matthieu Suiche, founder of Comae Technologies, argues that the ransomware disguise was an attempt to control the media narrative behind the attack, redirecting attention toward criminal hacking groups and away from potential nation states.
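The MEDoc compromise described above is a software-supply-chain failure: the client trusted whatever the update server handed it. The following is an added example, not code from the original article or from the MEDoc vendor. It models two update clients against a constructed update server: one installs whatever it receives, the other checks a signature against a key pinned in the client before touching the payload. HMAC-SHA256 with a constructed key stands in for the vendor's code-signing signature; the payload bytes, version string and key are all constructed for the example. Real update channels use asymmetric signatures so that the server itself never holds the signing secret, which is exactly why a compromised server alone should not be able to push executable code.

```python
"""Update-client verification: trusting the server versus checking a pinned signature.

Added example, not part of the original article or of any vendor's code.
HMAC-SHA256 with a constructed key stands in for the vendor's code-signing
signature; the payloads and version string below are constructed sample data.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed: the vendor's signing key, which the client pins at build time.
# In a real design this would be a public key and the private half stays offline.
VENDOR_KEY = b"constructed-vendor-signing-key"

# Constructed update payloads. In the real incident the payload was an executable;
# here the bytes only need to be distinguishable.
GENUINE_UPDATE = b"tax-app-update-v1.2.3 (constructed): legitimate program bytes"
TAMPERED_UPDATE = b"tax-app-update-v1.2.3 (constructed): attacker-substituted bytes"


def vendor_sign(payload: bytes, key: bytes = VENDOR_KEY) -> str:
    """Signing step performed by the vendor's release process, not by the update server."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def fetch_from_update_server(compromised: bool) -> Tuple[bytes, str]:
    """Constructed stand-in for the update server.

    A compromised server can swap the payload, but without the vendor's signing key
    it cannot produce a matching signature, so the best it can do is return the
    genuine signature alongside altered bytes.
    """
    signature = vendor_sign(GENUINE_UPDATE)
    payload = TAMPERED_UPDATE if compromised else GENUINE_UPDATE
    return payload, signature


def install_unverified(payload: bytes, signature: str) -> str:
    """The failure mode: whatever the server sends is treated as the update and run."""
    return "ran " + hashlib.sha256(payload).hexdigest()[:12]


def install_verified(payload: bytes, signature: str, key: bytes = VENDOR_KEY) -> str:
    """Verify the signature against the pinned key before doing anything with the bytes."""
    expected = vendor_sign(payload, key)
    # Constant-time comparison so the check itself does not leak the expected value.
    if not hmac.compare_digest(expected, signature):
        return "rejected: signature does not match pinned vendor key"
    return "ran " + hashlib.sha256(payload).hexdigest()[:12]


def run_scenarios() -> Dict[str, str]:
    """Run both clients against an intact and a compromised server; keys are 'client/server'."""
    results: Dict[str, str] = {}
    clients = (("unverified", install_unverified), ("verified", install_verified))
    for client_name, client in clients:
        for compromised in (False, True):
            payload, signature = fetch_from_update_server(compromised)
            label = f"{client_name}/{'compromised' if compromised else 'intact'}"
            results[label] = client(payload, signature)
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:24} {outcome}")
```

The only scenario that ends in "rejected" is the verifying client talking to the compromised server; both clients behave identically when the server is intact, which is why the missing check goes unnoticed until the server is turned against its own users.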

Sources and Further Reading

  1. More than 50% of organizations attacked by ExPetr (Petya) cryptolocker are industrial companies – Kaspersky Lab
  2. More than half of major malware attack’s victims are industrial targets – TechCrunch
  3. Crime Group Behind ‘Petya’ Ransomware Resurfaces to Distance Itself From This Week’s Global Cyberattacks – Gizmodo
  4. Global cyberattack: What you need to know – CNN
  5. Global Ransomware Attack: What We Know and Don’t Know – New York Times
  6. Global businesses dig out from latest cyber-attack – Reuters
  7. Tax software blamed for cyber-attack – BBC