Initial infections made it seem like Ukrainian companies and government systems were the main victims, but subsequent discoveries showed that the attack was not limited to that country.
According to the BBC, the list of confirmed victims includes:
- British advertising agency WPP
- Russian oil producer Rosneft
- Danish shipping company Maersk
- Multinational law firm legal firm DLA Piper
- Multinational food giant Mondelez International.
Among the Ukrainian victims are state power company Ukrenergo, Kiev airport, Oschadbank, and possibly the Kiev metro system and a number of petrol station chains. Ukraine’s deputy prime minister Rozenko Pavlo shared on Twitter a picture that seems to indicate that government systems have also been affected.
Та-дам! Секретаріат КМУ по ходу теж “обвалили”. Мережа лежить. http://pic.twitter.com/B74jMsT0qs
— Rozenko Pavlo (@RozenkoPavlo) June 27, 2017
“This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in the Ukraine,” Allan Liska, Intelligence Architect, Recorded Future told Help Net Security.
“The payload of the phishing attack is an updated version of the Petya ransomware (older version of Petya are well-known for their viciousness, rather than encrypt select files Petya overwrote the master boot record on the victim machine, making it completely inoperable). There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue exploit which would explain why it is spreading so quickly.”
He noted that their threat intelligence indicated that there are also US victims, and that there are also reports that the payload includes a variant of Loki Bot banking Trojan. This could mean the attackers are also planning to steal valuable information during the confusion.
F-Secure CTO Mikko Hypponen also says that this new Petya variant is using the NSA EternalBlue exploit to spread, and Symantec confirmed it. Security architect Kevin Beaumont noted that he can also see PsExec, a Microsoft sysinternal tool, being used for spreading.
The attackers are asking for $300 in Bitcoin to be paid in order for the victims to get the means to get their systems back.