Global ransomware attack may actually be a precursor to a more virulent future event
- Published: Wednesday, 28 June 2017 12:13
While the ransomware attack currently in the headlines has been linked to the Petya ransomware, emerging evidence points to the attack being based on a new type of ransomware, which may be serving as a probe for a future, more aggressive attack.
Kaspersky Lab analysts have investigated the ransomware, and preliminary findings suggest that it is not a variant of Petya. While it has several strings similar to Petya, it possesses entirely different functionality. Kaspersky Lab has named the new ransomware ‘ExPetr’.
Fortinet’s security research team, FortiGuard Labs, is calling the ransomware a new Petya variant and believes that this attack may mainly be a test for delivering future attacks targeted at newly disclosed vulnerabilities. FortiGuard Labs says that, in spite of the highly publicised disclosure of the Microsoft vulnerabilities and patches following WannaCry, there are still countless organizations, including those managing critical infrastructure, that have failed to patch their devices.
An interesting aspect of the current attack, according to FortiGuard Labs, is that once a vulnerable device has been targeted, the ransomware appears to impair the Master Boot Record (MBR) during the infection cycle. With most ransomware attacks, the only potential loss is data. Because the new Petya variant alters the Master Boot Record, the risk is the loss of the entire system. In addition, it initiates a reboot of the system on a one-hour cycle, adding a denial of service element to the attack.
Extent of the current outbreak
Kaspersky Lab’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia and Ukraine are the most affected, and attacks have also been registered in Poland, Italy, the UK, Germany, France, the US and several other countries.