The WannaCry ransomware attack became a worldwide problem a few weeks ago, with more than 700,000 machines infected and numerous organizations held hostage. One of the most important lessons to derive from the attack’s severity and its widespread impact was that it involved a vulnerability that was already patched in current versions of Windows.
That means that anyone running a fully updated, current version of Windows was protected against this particular attack. And now, the same vulnerability is being reported at the center of a new global ransomware attack, security specialist Graham Cluley reports.
The newest attack appears to be based on the Petya or Petrwap malware that is based on the same Eternal Blue exploit that was created by the National Security Agency (NSA) and that was involved with WannaCry. That exploit was patched by Microsoft in March on systems dating from Windows XP and later, even though older versions like XP and Windows Vista are no longer supported even for security patches.
— Security Response (@threatintel) June 27, 2017
That means that anyone who is infected by the newest attack is running either a very old and unpatched version of Windows or a newer version that is not been updated with the latest security patches. Apparently, according to Reuters and other news outlets, this includes a variety of organization including a bank and a shipping company, among others.
The text that the new ransomware displays outlines the nature of the attack quite clearly:
“Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.
We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key.”
As Ukraine’s Deputy Prime Minister Pavlo Rozenko tweeted, the attack begins with a thorough encryption process that comes across as oddly considerate of a user “inadvertently” losing data by shutting off the affected PC:
Та-дам! Секретаріат КМУ по ходу теж "обвалили". Мережа лежить. pic.twitter.com/B74jMsT0qs
— Rozenko Pavlo (@RozenkoPavlo) June 27, 2017
According to Ars Technica, there are even unconfirmed reports that fully patched machines are suffering from the attack. If true, then that would make it different from WannaCry in terms of who is affected. However, the payment is a similar $300 in Bitcoin, and the new attack also goes a step further in also stealing credentials that are stored on the affected machine.
There are still many uncertainties around this latest attack, but a few things remain certain. First, you should have a good backup system in place, including maintaining an offline backup of your important files that can’t be touched by malware such as this. Second, you should ensure that all of your machines are running supported operating systems that are fully up to date on all security patches.
While this new ransomware might end up being something completely new and it might affect fully patched systems, those two steps remain important advice to follow.