'Petya' ransomware: All you need to know about the cyberattack and how to tell if you're at risk
- The "Petya" ransomware attack has so far hit over 12,000 machines in around 65 countries including the United States.
- It infects a network, encrypts files on the computers it reaches so they cannot be used, and demands that people pay $300 in bitcoin to unlock them.
- Major corporations such as WPP and Maersk have been hit.
The global ransomware attack that has hit major corporations from shipping giant Maersk to the world's biggest advertiser WPP has affected over 12,000 machines, with companies and security researchers scrambling to find a fix.
Ransomware is malicious software that encrypts or otherwise locks the files on a computer and demands payment to restore them. Until they are restored the files cannot be opened and are therefore useless to their owner.
What is 'Petya' ransomware?
The current attack appears to be carried out by a variant of malware known as Petya. It's a particular variation of Petya that some researchers have said they are seeing for the first time.
One security source, who preferred to remain anonymous because the investigation is in its early stages, told CNBC that many anti-virus programs didn't recognize it and were unable to stop it.
How does it work?
The ransomware overwrites the computer's master boot record (MBR), the first sector of the disk, which holds the bootstrap code and the partition table the machine uses to find the operating system and its files. Once the MBR has been replaced the computer can no longer boot normally, which makes it more or less unusable.
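To make concrete what the MBR contains and why losing it strands the operating system, here is an added example (not code from the article or from any Petya analysis) that parses a 512-byte MBR image and runs the sanity checks a defender would apply to a saved copy of it. The sample sector, the partition-type subset and the `read_mbr` device paths are assumptions for illustration; the parser recognises the standard MBR layout only and contains no Petya signatures, so it tells you whether a boot sector is intact, not who damaged it.

```python
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code the BIOS jumps into
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code
PARTITION_ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"       # bytes 510..511: the BIOS refuses to boot a sector without it

# Small subset of partition type codes, enough for the example (the real table is far larger).
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_partition_entry(entry: bytes) -> Optional[Dict]:
    """Decode one 16-byte entry; returns None for an unused slot (type 0x00)."""
    # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
    status, ptype, lba_start, sector_count = struct.unpack_from("<B3xB3xII", entry, 0)
    if ptype == 0x00:
        return None
    return {
        "bootable": status == 0x80,
        "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
        "lba_start": lba_start,
        "sectors": sector_count,
    }


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw first sector into boot code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        p = parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE])
        if p is not None:
            partitions.append(p)
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_blank": not any(sector[:BOOT_CODE_SIZE]),
        "partitions": partitions,
        "bootable_partitions": [p for p in partitions if p["bootable"]],
    }


def assess(info: Dict) -> List[str]:
    """Checks a defender would run on a saved MBR image; empty list means it looks intact."""
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA signature: the BIOS will not boot this disk")
    if not info["partitions"]:
        problems.append("partition table empty: the machine has no way to locate the OS")
    elif len(info["bootable_partitions"]) > 1:
        problems.append("more than one partition marked active")
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            problems.append("partition starts at LBA 0 and overlaps the MBR itself")
    return problems


def read_mbr(device: str) -> bytes:
    """Read the first sector of a disk. Assumed paths: r'\\\\.\\PhysicalDrive0' on Windows
    (run as Administrator) or '/dev/sda' on Linux (run as root)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real disk image: one active NTFS partition at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    sector[0:4] = b"\x33\xC0\x8E\xD0"  # xor ax,ax / mov ss,ax: the opening of a typical Windows MBR
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    healthy = parse_mbr(build_sample_mbr())
    print("healthy sample:", healthy["partitions"], assess(healthy))
    wiped = parse_mbr(bytes(MBR_SIZE))   # what a fully overwritten first sector parses to
    print("wiped sector:", assess(wiped))
```

Keeping a copy of each machine's first sector (for example with `read_mbr` in a scheduled job) gives you something to compare against after an incident; note that restoring the MBR alone only helps if the rest of the disk is untouched, which a ransomware payload does not guarantee.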
It spreads across networks by exploiting a flaw in the SMBv1 file-sharing component of Microsoft's Windows operating system. The exploit for that flaw, known as EternalBlue, was developed by the National Security Agency (NSA) and was leaked online earlier this year; Microsoft patched the underlying vulnerability in March. It is the same flaw that the WannaCry attack earlier this year, which hit hundreds of thousands of users, was based on.
The malware also spreads by harvesting the user names and passwords of users on an infected machine and reusing them to log in to and install itself on other machines on the network. This means a fully patched machine can still be infected from an unpatched neighbour if the two share an account.
Once the computer is infected, a message appears demanding $300 worth of bitcoin to unlock the encrypted files.
Where did it start?
Security researchers and Ukraine's cyber police are pointing fingers at MeDoc, a third-party accounting software product used by many industries in Ukraine, including financial institutions. The suspicion is that hackers compromised a MeDoc software update, so that computer networks which installed the update received the malware along with it.
In a post on Facebook, MeDoc denied the accusations and said this is "clearly erroneous".
Who has been hit?
Microsoft estimates over 12,000 machines have been hit by the cyberattack. According to security firm McAfee, the malware has spread across the U.S., large parts of Europe, South America, and big countries in Asia too.
Major corporations have also been affected including WPP, Maersk, Russian oil giant Rosneft, and public and private institutions in Ukraine. Some of those businesses responded on Wednesday.
WPP said that it has taken steps to contain the attack with the priority now to return to normal operations. Many of the businesses under the WPP brand were affected but they are "experiencing no or minimal disruption."
Maersk said that IT systems were down across multiple sites and some business units, but the issues have been contained. It is now working on a "technical recovery plan". The impact on the business is still being assessed.
Russia, which was one of the countries hit, said the cyberattack caused no serious problems at either a state or corporate level in the country.
Who did it?
Attribution is always difficult with cyberattacks and as of yet, no security researchers have found a culprit. This is likely to come over the next few days.
Are you at risk?
So far, major businesses have been attacked. You will know if you have been infected because a screen will appear demanding payment of $300 in bitcoin to unlock the files. Researchers have warned against paying the ransom because the email address given in the ransom note has been shut down, meaning that even if you pay there is no way to contact the criminals or receive a key.
If your organization is running a vulnerable version of Windows that hasn't been patched (updated with the latest fix), then your business could be at risk. Because the malware also spreads with stolen credentials, patched machines on the same network as an unpatched one are not automatically safe.
How to protect yourself?
Authorities in the U.S. and U.K. have issued guidelines in the past about how to protect against ransomware. Individuals and small businesses should:
- Run Windows Update to get the latest software updates.
- Make sure any anti-virus product is up to date and scan your computer for any malicious programs. It's also worth setting up regular auto-scans.
- Back up important data on your computer so it can be recovered if it's held for ransom.
Large organizations should:
- Apply the latest Microsoft security patches for this particular flaw (Microsoft's MS17-010 bulletin, the same fix that closed the hole WannaCry used), and disable the SMBv1 protocol on machines that do not need it.
- Back up key data.
- Scan all outgoing and incoming emails for malicious attachments.
- Ensure anti-virus programs are up to date and conducting regular scans.
- Make sure to run "penetration tests" against your network's security, no less than once a year, according to the Department of Homeland Security.