A new ransomware has hit the computers of several European and Indian companies. About a month after companies were affected by the WannaCry ransomware, Petwrap, an advanced version of the Petya ransomware, has targeted the computer screens of various companies and enterprises.
Consumer, shipping, aviation and oil and gas companies were hit on Tuesday in the UK, Russia, France, Spain and elsewhere.
Petwrap, believed to be an advanced version of an old ransomware known as Petya, locked the computer screens of as many as 20 companies globally with $300 being demanded to free them up. Mondelez, Merck and Maersk were targeted by the ransomware on Tuesday, according to people aware of the matter. Indian subsidiaries of UK and Russia-based oil and gas, energy and aviation companies were also hit.
“Cyber-criminals are exploiting the fact that companies have very limited visibility behind their firewalls,” said Sahir Hidayatullah, CEO of Smokescreen Technologies, a cybersecurity company. “Coupled with the fact that ransomware attacks are easier to monetise, they are becoming the weapon of choice for the modern attacker. Of even greater concern is the growing number of highly-targeted ransomware campaigns that are significantly more damaging than mass spread attacks.”
Petwrap attacked some companies in the UK, Russia and Ukraine, with subsidiaries of these companies in India also impacted, said Amit Jaju, executive director, fraud investigation and dispute resolution (FIDS), EY India. “This ransomware looks like a strain of an older one called Petya,” he said. “The ransomware seems to be exploiting an old loophole and is demanding $300 per locked computer or laptop.”
A Mondelez International spokesperson said: “The network is experiencing global IT outage. Our team is working to resolve the situation as quickly as possible.” “Our IT systems are down across multiple sites and business units,” Concepcion Boo Arias, spokesperson at Maersk, operator of the world’s largest container line, told ET from company headquarters in Denmark. She did not comment on specific geographies including India yet.
Separately, Neeraj Bansal, deputy chairman of the Jawaharlal Nehru Port Trust, also confirmed that operations at Gateway Terminals India, operated by Maersk Group-owned APM Terminals at the Mumbai-based port, have been impacted. “They are trying to do what they can manually. They have told us assessing the situation and trying to find a solution as soon as they can,” Bansal told ET.
Mahindra & Mahindra and Renault-Nissan confirmed they did not face any problem. Mars and Nivea are also among those attacked, according to media reports citing Group-IB, which deals with prevention and investigation of cyber crime. Also, French glassmaker Saint-Gobain and British media company WPP Plc said they were targeted. Interestingly, an Indian automobile company and a manufacturing company were targeted by another ransomware called Mamba on Tuesday morning. A forensic investigator involved in investigating the Petwrap and Mamba attacks said both may have exploited similar software loopholes.
It could not be immediately ascertained how many computers were infected by Petya. “This ransomware uses the Windows SMBv1 vulnerability that WannaCry had used,” said Sunny Vaghela, director, Tech Defence labs. Vaghela said the Trojan targets HR departments with emails that have subject lines reading CV, candidate folio, applicant profile etc. Once installed, it encrypts data and restarts the system. After this, the user gets a message asking for $300 to a Bitcoin account. He pointed out that India will face significant impact. “There is a need for endpoint security which will automatically detect such vulnerability and patch it. But a decryption key will soon be available in the market in the next few days,” Vaghela said.
Lucideus Tech CEO Saket Modi said it was not a targeted attack against any country or organisation. “Around 50% of organisations and individuals across India do not use a licensed version of Windows or anti-virus, so chances of this spreading are huge.” A Saint-Gobain executive said on condition of anonymity: “The entire network has been shut down to prevent the attack. We closed down everything around 5:40 pm. But, I believe manufacturing will continue tomorrow.”