
A new ransomware outbreak similar to WCry is shutting down computers worldwide

by Dan Goodin, from Ars Technica - All content (#2V2XJ)
[Image: The note left on computers infected by quick-spreading malware dubbed PetyaWrap. (credit: Symantec)]

A new ransomware attack similar to last month's self-replicating WCry outbreak is sweeping the world with at least 80 large companies infected, including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 12,000 computers, according to one security company.

PetyaWrap, as some researchers are calling the ransomware, uses a cocktail of potent techniques to break into a network and from there spread from computer to computer. Like the WCry worm that paralyzed hospitals, shipping companies and train stations around the globe, Tuesday's attack made use of EternalBlue, the code name for an advanced exploit that was developed and used by, and later stolen from, the National Security Agency. According to a blog post published by antivirus provider Kaspersky Lab, Tuesday's attack also repurposed a separate NSA exploit dubbed EternalRomance. Microsoft patched the underlying vulnerabilities for both those exploits in March, precisely four weeks before a still-unknown group calling itself the Shadow Brokers published the advanced NSA hacking tools. The leak gave people with only moderate technical skills a powerful vehicle for delivering virtually any kind of digital warhead to systems that had yet to install the updates.

Besides its use of EternalRomance, Tuesday's attack showed several other impressive improvements over WCry. One, according to Kaspersky, was the use of the Mimikatz hacking tool, PsExec, and several other command-line utilities that extracted passwords from other computers on a network. Infected computers would then use the credentials to infect other machines, even when they weren't vulnerable to the EternalBlue and EternalRomance exploits. For added effectiveness, at least some of the attacks also exploited the update mechanism of a third-party Ukrainian software product called MeDoc.
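The two spreading mechanisms described above leave different traces on a network: SMB exploitation and credential-based PsExec-style remote execution both show up as one host opening TCP/445 connections to many distinct peers in a short window, and PsExec additionally installs a temporary service (default name PSEXESVC, logged by Windows as System Event ID 7045) on each target. The following detection script is an added example written for this page; it is not from the article, Ars Technica, or Kaspersky's analysis. The flow-record format, the event-line format, the five-minute window and the peer threshold are assumptions chosen for illustration, and all sample data is constructed.

```python
"""Flag worm-like SMB fan-out and PsExec-style service installs in logs.

Added example (not from the article). Input formats are assumed:
  flows:  "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
  events: "<ISO timestamp> key=value key=value ..." (no spaces in values)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: 10.0.0.5 fans out to 8 SMB peers in ~70 s
# (worm-like); 10.0.0.7 talks SMB to two servers (normal);
# 10.0.0.9 reaches many web hosts on port 80 (many peers, but not SMB).
SAMPLE_FLOWS = """\
2017-06-27T10:00:00 10.0.0.5 10.0.0.20 445
2017-06-27T10:00:10 10.0.0.5 10.0.0.21 445
2017-06-27T10:00:20 10.0.0.5 10.0.0.22 445
2017-06-27T10:00:30 10.0.0.5 10.0.0.23 445
2017-06-27T10:00:40 10.0.0.5 10.0.0.24 445
2017-06-27T10:00:50 10.0.0.5 10.0.0.25 445
2017-06-27T10:01:00 10.0.0.5 10.0.0.26 445
2017-06-27T10:01:10 10.0.0.5 10.0.0.27 445
2017-06-27T10:00:05 10.0.0.7 10.0.0.2 445
2017-06-27T10:00:55 10.0.0.7 10.0.0.3 445
2017-06-27T10:00:01 10.0.0.9 10.0.1.1 80
2017-06-27T10:00:02 10.0.0.9 10.0.1.2 80
2017-06-27T10:00:03 10.0.0.9 10.0.1.3 80
2017-06-27T10:00:04 10.0.0.9 10.0.1.4 80
2017-06-27T10:00:05 10.0.0.9 10.0.1.5 80
2017-06-27T10:00:06 10.0.0.9 10.0.1.6 80
"""

# Constructed sample Windows System-log events. Event ID 7045 is
# "a service was installed"; PSEXESVC is PsExec's default service name.
SAMPLE_EVENTS = """\
2017-06-27T10:01:12 host=WS-20 event=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:01:20 host=WS-21 event=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:02:00 host=WS-07 event=7045 service=BackupAgent path=C:\\Backup\\agent.exe
2017-06-27T10:02:30 host=WS-21 event=4624 user=svc_backup logon_type=3
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def parse_events(text):
    """Parse 'key=value' event lines into dicts (timestamp under 'ts')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = {"ts": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def smb_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """Return {src: peak distinct SMB peers} for sources whose peak
    number of distinct TCP/445 destinations within `window` meets
    `threshold`. Window and threshold are assumed tuning values."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, records in by_src.items():
        records.sort()
        peak = 0
        for i, (start, _) in enumerate(records):
            # Distinct peers in the window that opens at this record.
            peers = {dst for ts, dst in records[i:] if ts - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def psexec_service_installs(events):
    """Hosts where a PsExec-style service was installed (Event ID 7045,
    service name beginning with PSEXESVC), sorted for stable output."""
    return sorted(
        e["host"]
        for e in events
        if e.get("event") == "7045"
        and e.get("service", "").upper().startswith("PSEXESVC")
    )


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(parse_flows(SAMPLE_FLOWS)))
    print("PsExec service installs:", psexec_service_installs(parse_events(SAMPLE_EVENTS)))
```

Either signal on its own is noisy (vulnerability scanners and admin tooling fan out over SMB, and legitimate PsExec use exists), so in practice the two are correlated: a source that fans out on 445 and whose destinations then log PSEXESVC installs within seconds is far more specific than either alone. The renamed-service case (PsExec's `-r` option) is deliberately not covered here; it needs a path- or hash-based rule rather than a name match.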


Source: Ars Technica - All content feed, http://feeds.arstechnica.com/arstechnica/index (https://arstechnica.com/)