Another ransomware hits global markets.
A new global crisis caused by ransomware. A variant of Petya or GoldenEye has taken thousands of workstations hostage around the world. In France, Saint-Gobain admits to being infected.
A new shock for cybersecurity. In the middle of the afternoon, messages appeared on Twitter suggesting an infection campaign by a ransomware as devastating as WannaCry. At the time of writing, the campaign is indeed massive and has claimed victims in Ukraine, Russia, Spain, Great Britain and also in France.
In France, the Saint-Gobain group confirmed that it had been hit by a ransomware today. A spokesperson for the industrial group said that it had “isolated computer systems for safety reasons”, but was unable to say how this measure affected the company’s business. “The incident is being resolved”, says the company’s communications department. For each compromised PC, the attackers demand the equivalent of $300 in ransom, paid in Bitcoin.
At the present time, the other French companies that are victims of this infection campaign are not yet known. But global companies such as the shipping carrier Maersk or the Russian oil company Rosneft have already confirmed that they are affected.
“The alert came from users at noon. We are at contamination levels similar to those of WannaCry. At the moment hundreds of PCs are affected at our customers, but production systems seem to have been spared”, says Gérôme Billois, senior manager in risk management and security at Wavestone. Recall that WannaCry, for its part, did a lot of damage to business and industrial applications, for example at Renault or Deutsche Bahn.
The Petya or GoldenEye hypothesis
The alert came a little earlier from Ukraine, where the central bank said that various banks and companies in the country (including the Kiev metro, the postal service, the main telecom operator and the national energy distributor Ukrenergo) were targeted by an attack that disrupted their normal operation. Recall that Ukraine has been the target of several spectacular cyber attacks, two of which caused power outages (in December 2015 and December 2016). This time, the electricity supply does not seem to be threatened.
According to various cybersecurity experts, the current campaign is orchestrated with a variant of Petya, a strain known since the beginning of 2016 whose peculiarity is to encrypt the entire hard disk in order to hinder the victims’ efforts to recover their data. “Given the ransom demand screen that appears at restart, which does not look like a Windows screen, the Petya hypothesis is for the moment the most likely”, says Gérôme Billois.
According to the vendor BitDefender, it is rather a variant of GoldenEye, a ransomware that works the same way as Petya but for which there is no tool allowing a victim to recover the keys with which their data was encrypted.
BitDefender explains that GoldenEye contains two layers of encryption: one that individually encrypts the targeted files on the computer and another that encrypts the entire NTFS file system. This defeats any attempt to mount the hijacked hard drive from another system.
The Sleeping Ransomware Hypothesis
It remains to be seen how the new threat is spreading. The massive scale of the infection suggests that the ransomware spreads like a worm, as WannaCry did, and no longer via malicious e-mails as Locky or Cerber did. According to the antivirus vendor Avira, the new strain exploits, like WannaCry, the EternalBlue vulnerability affecting the Windows SMB service. This is a vulnerability that Microsoft has patched, including for systems that are no longer supported, such as Windows XP.
“The main question is how this malware managed to infect so many workstations in such a short time”, analyzes Gérôme Billois. Either the strain exploits EternalBlue to spread, which would be a big surprise because, alerted by the WannaCry crisis, companies have massively patched this vulnerability; or the threat passes through an unknown vulnerability; or we are dealing with a logic bomb programmed to trigger simultaneously all over the world. In short, a dormant malware, which, moreover, could very well have exploited EternalBlue to spread before this vulnerability was patched.