Petya / BEC

New ransomware spreads from Ukraine

Some time ago WannaCry attacks caused international attention. Now numerous reports are coming out on social media about new ransomware attacks. The attacks already hit enterprises all over the world.

After the WannaCry attacks led to a lot of failures in companies and high damages, a new Trojan now seems to be making its way to many networks. The virus seems to be spreading from Ukraine.


This is how Petya works

Unlike other crypto trojans, Petya does not encrypt individual files, but the whole file system. The virus accesses the MBR (master boot record), which is responsible for loading the operating system after computer startup.


“It seems to be a combination of an SMB exploit (EternalBlue), also used by WannaCry. This gives them access to the network, where they spread through PsExec”, explains ESET researcher Robert Lipovsky.
This dangerous combination can be the reason why the Ransomware outbreak occurs so quickly and globally. It only takes one unpatched PC to get into a network. With administrative rights the ransomware spreads to all other computers in the network.

More and more companies affected

A tweet by the journalist Christian Bory claims that the Cyberattack “allegedly” goes against banks, electricity networks and postal companies. The government also became a victim of the attack.


The Ukrainian National Bank informs the visitors of their website about ransomware attacks on other banks. It says: “At the moment the financial sector has strengthened the security measures to counter the hacker attacks on many financial market participants.

Reuters also confirmed a security incident at Ukrenergo, a Ukrainian energy supplier. A spokesman explained that “there is no impact on the power supply”. However, it is still too early to judge this.

Virus spreads out

It seems as if the new Ransomware attack affects not only the Ukraine. The Independent also states that Spain and India were affected, as well as the Danish shipping company Maersk and the British advertising company WPP.


On the homepage of the British advertising company the following message is to be read: “The WPP website can not be reached by important routine maintenance.”

WPP has confirmed through Twitter that they have been victims of a cyber attack: “Our IT systems in several WPP companies were haunted by a suspected Cyberattack. We will take appropriate action and will be available as soon as possible. ”


Whether and how far the Trojan will spread still remains to be seen. It is certain that this new attack will also be a trap for many companies.

This article is based on a text by ESET, June 2017.

Quelle Titelbild: iStock / monsitj