Home / News

Petya Ransomware Spreading Rapidly Worldwide, Effecting Banks, Telecom, Businesses, Power Companies

Supermarket ‘Rost’ in Kharkiv, East Ukraine – all the payment terminals appear to have been hit by the Petya ransomeware. (Photo posted on Twitter this morning by Mikhail Golub / @golub)

A large scale ransomware attack today is spreading rapidly worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins. Multiple sources are reporting that this variant of Petya ransomeware, also known as Petwrap, is using the WannaCry vulnerability that had infected close to 300,000 systems and servers worldwide last month. Swati Khandelwal reporting in The Hacker News: “Infected users are advised not to pay the ransom because hackers behind Petya ransomware can’t get your emails anymore. Posteo, the German email provider, has suspended the email address i.e. [email protected], which was used by the criminals to communicate with victims after getting the ransom to send the decryption keys. At the time of writing, 23 victims have paid in Bitcoin to ‘1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX’ address for decrypting their files infected by Petya, which total roughly $6775.”

“Petya ransomware has already infected Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers, Kyivenergo and Ukrenergo, in the past few hours. ... There are reports from several banks, including National Bank of Ukraine (NBU) and Oschadbank, as well as other companies confirming they have been hit by the Petya ransomware attacks.” –The Hacker News

Ukrainian government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network are all struck by the attack which started spreading across Europe earlier today. Tweet from Presidential Administration of Ukraine sent out a few hours ago

Brad Duncan from The Internet Storm Center, Examining the new Petya variant: “Petya is a ransomware family that works by modifying the infected Windows system’s Master Boot Record (MBR).  Using rundll32.exe with #1 as the DLL entry point, I was able to infect hosts in my lab with the above two DLL samples.  The reboot didn’t occur right away.  However, when it did, my infected host did a CHKDSK after rebooting. After CHKDSK finished, the infected Windows host’s modified MBR prevented Windows from loading.  Instead, the infected host displayed a ransom message.”

One of the largest health networks in western Pennsylvania, Heritage Valley Health System reports “cyber security incident” has affected all operations at its two hospitals and 18 satellite centers but has not yet confirmed whether the incident is linked to the Petya ransomware.

DLA Piper Victim of Massive Malware Attack: “The global law firm DLA Piper fell victim on Tuesday to a widespread cyber attack, which reportedly disabled networks at dozens of companies. By midday, the firm posted a statement on its website, which remained functional, confirming it suffered a malware attack.” Bloomberg Law / 27 Jun 2017, 1:19 PM

“Organizations and individuals who have not yet applied the Windows update for the Eternal Blue exploit should patch now.” Brian Krebs writes: “However, there are indications that Petya may have other tricks up its sleeve to spread inside of large networks. Russian security firm Group-IB reports that Petya bundles a tool called ‘LSADump,’ which can gather passwords and credential data from Windows computers and domain controllers on the network.”

A.P. Moller-Maersk, the transport and logistics company, has confirmed that its IT systems are down across multiple sites and business units. This has affected various operations including India’s largest container port JNPT. The company has stated that AP Moller-Maersk, one of the affected entities globally, operates the Gateway Terminals India (GTI) at JNPT, which has a capacity to handle 1.8 million standard container units. 27 Jun 2017, 1:40 PM

Hackers behind today’s massive ransomware outbreak can’t get emails from victims who paid. “A German email provider has closed the account of a hacker behind the new ransomware outbreak, meaning victims can’t get decryption keys. ... email company the hacker happened to use, Posteo, says it has decided to block the attacker’s account, leaving victims with no obvious way to unlock their files.” Joseph Cox reporting in Motherboard / 27 Jun 2017, 1:46 PM

Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software. Catalin Cimpanu, reporting in BleepingComputer: “Today’s massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. ... The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, issued a security advisory ... Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe, M.E.Doc denied on Facebook its servers ever served any malware.”

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix


Sponsored byVerisign


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC