Petya ransomware slams Windows PCs shut in massive attack

The cyberattack is moving quickly, locking down systems at an alarming rate.

Alfred Ng Senior Reporter / CNET News

Another widespread ransomware attack is threatening to wreak havoc across the world. 

Businesses and government agencies have been hit with a variation of the Petya ransomware -- that is, malware that holds crucial files hostage. The malware is demanding $300 in bitcoin before victims can regain access.

The new ransomware, identified by security firm Bitdefender as GoldenEye, has two layers of encryption, researchers said. It locks up both your files and your computer's file system.

"Just like Petya, it is particularly dangerous because it doesn't only encrypt files, it also encrypts the hard drive as well," said Bogdan Botezatu, a senior threat analyst with Bitdefender. 

The malware forces an infected PC to reboot as soon as it finishes encrypting files, so you'll see the ransom demands as soon as possible. Researchers at Recorded Future said there's also a hidden Trojan on Petya that steals victims' usernames and passwords. 


Researchers found a variant of the Petya ransomware called GoldenEye attacking systems around the world.


This is the second global ransomware attack in the last two months. It follows the WannaCry outbreak that ensnared more than 200,000 computers, locking up hospitals, banks and universities. Like WannaCry, the GoldenEye and Petya attacks affect only computers running the Windows operating system.

Microsoft released patches for all Windows operating systems after the global outbreak, but people who've updated their computers could still be affected, according to Anomali, a threat intelligence company. That's because Petya can also spread through Office documents, taking advantage of yet another vulnerability and combining it with the same kind of worm-like propagation WannaCry used.

More than 38 million computers scanned last week are still vulnerable to the ransomware attack because they have not patched their systems, according to data from Avast's Wi-Fi Inspector. 

"The actual number of vulnerable PCs is probably much higher," Jakub Kroustek, Avast's Threat Lab Team lead, said.

The difference between Petya and WannaCry is that Petya apparently does not have a kill-switch that could be accidentally triggered.

The hit list

Government agencies in Ukraine, along with financial firms, banks and a power distributor, got hit by the attack Tuesday morning. Russia's largest oil exporter, Rosneft, was also slammed with a cyberattack on its servers.  

More than half of the attacks occurred in Ukraine, according to Costin Raiu, director of global research at Kaspersky Lab. Tensions between Ukraine and Russia continue to boil over cyberattacks between the two neighboring nations.

Ukrainian Prime Minister Volodymyr Groysman called the attack "unprecedented," but also said crucial IT systems were unaffected by the malware. "Our IT experts are doing their work and protecting strategic infrastructure," Groysman said in a post on Facebook.

Rosneft said the cyberattack did not affect its oil production because it had switched to a reserve control system.

US-based pharmaceuticals giant Merck said Tuesday that its computer network was "compromised as part of [the] global hack."

A.P. Moller-Maersk, the world's largest shipping company, said it suffered a cyberattack that took down multiple IT systems. 

IT systems for WPP, one of the world's largest advertising agencies, also were affected by a cyberattack. DLA Piper, a law firm operating in more than 40 countries, said it had been hit with suspected malware as well.

Researchers from Symantec confirmed that the GoldenEye ransomware used EternalBlue, the NSA exploit that fueled WannaCry's spread. So far, more than $4,600 has been paid to the attackers' bitcoin wallet in 19 payments.

Security experts and government agencies recommend against paying ransoms, and GoldenEye is no different. The attackers behind Tuesday's attacks were using a Posteo email address for victims to contact them and arrange payment of the ransom.

Posteo shut down the account before the ransomware spread, and is working with German police to figure out who set up the email address.

It's still unclear who's behind the Petya attacks. Researchers still have not found the hackers responsible for WannaCry, though the NSA has linked that attack to North Korea.

The source code for Petya's ransomware had been available on the dark web since April and has been used multiple times, with the malware's authors taking 15 percent of the profits, according to Avast.

Originally published June 27 at 8:14 a.m. PT.
Updated at 10:11 a.m. PT: Incorporated more details on the ransomware and who has been affected and at 11:40 a.m. PT: to include that the email address behind the ransomware has been shut down.
