Stolen NSA tool behind another global ransomware attack

Cyberattack, financial services

One of the exploits allegedly stolen from the National Security Agency and leaked by the mysterious TheShadowBrokers entity is behind another global ransomware attack affecting banks, power companies and shipping giant Maersk, according to cybersecurity researchers.

The "Petya" ransomware has hit Europe primarily, and Ukraine appears to be getting the worst of it so far. The state power distributor, banks and Chernobyl's radiation monitoring system have all been affected.

Like WannaCry, once Petya enters a device, it spreads like a worm through entire networks looking for other vulnerable devices. But experts say the code is more sophisticated than WannaCry.

"Petya is a ransomware family that works by modifying the Window's system's Master Boot Record (MBR), causing the system to crash," Rick Howard wrote on Palo Alto's Unit 42 blog "When the user reboots their PC, the modified MBR prevents Windows from loading and instead displays an ASCII Ransom note demanding payment from the victim."

The ransom demand is $300 in Bitcoin.

"Ransomware attacks are very common, but they are rarely coupled with an exploit that allows the malware to spread as a network worm," continues the blog post. "The WannaCry attacks in May 2017 demonstrated that many Windows systems had not been patched for this vulnerability. The spread of Petya using this vulnerability indicates that many organizations may still be vulnerable, despite the attention WannaCry received."

In March, Microsoft issued a patch that protects against the EternalBlue exploit used in the WannaCry and now the Petya attacks. In addition, disabling the Microsoft Server Message Block protocol also protected devices from WannaCry.

"It appears that many companies may have put off patching, instead relying on a signature to detect and prevent the malware from executing," Curt Dukes, former head of information assurance at the NSA, told FCW by email.

"Unfortunately, the adversary re-purposed the malware, perhaps changing the signature (detection capability), and replayed the attack," he added, saying that it is unclear whether or not the Microsoft patch is ineffective in this case.  "It's also possible that the adversary looked closely at the [Microsoft Service Message Block] component and found another vulnerability that evades the patch."

F-Secure Chief Researcher Mikko Hypponen tweeted that patched systems are vulnerable because "Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC."

Dukes, who is now executive vice president at the Center for Internet Security, said the sophistication of the new ransomware suggests an organization with the development budget to be able to weaponize the EternalBlue exploit.

He added that organizations that were not affected by WannaCry are not necessarily immune from Petya.

"Security staff should always assume the developer, or other criminal elements will learn from defensive measures that have been implemented and come at them again," said Dukes. "It appears that the criminal element has removed many/most of the shortcomings with WannaCry into a new piece of malware."

Department of Homeland Security spokesperson Scott McConnell said DHS is monitoring the attack and "is coordinating with our international and domestic cyber partners.  We stand ready to support any requests for assistance."

The Department of Defense said it is also tracking the ransomware, but officials would not comment on whether its devices have been patched or if any of its systems have been affected.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.