Like the earlier ransomware worm, the new attacks use a potent exploit stolen from the NSA.

A new ransomware attack similar to last month's self-replicating WCry outbreak is sweeping the world, with at least 80 large companies infected, reportedly including drug maker Merck, international shipping company Maersk, law firm DLA Piper, UK advertising firm WPP, and snack food maker Mondelez International. It has attacked at least 12,000 computers, according to one security company.

PetyaWrap, as some researchers are calling the ransomware, uses the same potent National Security Agency exploit that allowed WCry to paralyze hospitals, shipping companies, and train stations in a matter of hours on May 12. EternalBlue, as the exploit was code-named by its NSA developers, was published in April by a still-unknown group calling itself the Shadow Brokers. The leak gave people with only moderate technical skills a powerful vehicle for delivering virtually any kind of digital warhead. Microsoft patched the underlying vulnerability in supported versions of Windows, including 7 and 8.1, in March, and in a rare move the company issued fixes for unsupported Windows versions 24 hours after the WCry outbreak. That meant WCry infections were only possible on machines that had not yet installed the patch.

News organizations reported potentially serious disruptions around the world. One photograph published by Reuters showed an inoperable ATM at a branch of Ukraine's state-owned Oschadbank; the message on its screen demanded a payment to unlock it. Reuters also reported that the attack on Maersk, a shipping company that handles one in seven of all containers globally, caused outages across all of its computer systems worldwide. IT systems in multiple sites and business units remained down, but company officials didn't say how the outages were affecting operations. AV provider Avast said it had detected 12,000 attacks so far.

As quick-spreading as WCry was, its virulence was largely checked by a series of errors made by its developers. One of the biggest mistakes was the hard-coding of a killswitch into the WCry attack: a quick-acting researcher was able to largely stop the runaway attack when he registered a domain name that triggered the emergency off switch. As Tuesday's attack continued to gain momentum, some researchers said they were concerned there would be no similarly easy way to contain the damage.

"WannaCry had all kinds of stupid bugs and issues (hi killswitch)," researcher Kevin Beaumont wrote on Twitter. "This has no killswitch, and it looks like they had a development budget."

There are also unconfirmed reports that infections worked against a fully patched computer running Windows 10, by far Microsoft's most secure OS, which was never vulnerable to the leaked EternalBlue exploit. What's more, according to the unconfirmed report, the computer was using up-to-date AV protection and had disabled the SMBv1 file-sharing protocol that EternalBlue exploits.

The malware attack, according to researchers at AV provider F-Secure, uses a modified version of EternalBlue. There are also unconfirmed reports that it may make use of booby-trapped Microsoft Excel documents attached to phishing e-mails. Researchers from AV provider Eset said in an e-mail that the malware also used the PsExec command-line tool. The precise relationship among the various infection methods isn't yet clear. Eset said it appears the attacks use EternalBlue to get inside a network and then use PsExec to spread from machine to machine. "This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines, and hopefully most vulnerabilities have been patched," an Eset researcher told Ars. "It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers."
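The EternalBlue-then-PsExec pattern Eset describes leaves a recognisable trail on each victim: PsExec works by making a network logon to the target with stolen or shared admin credentials and installing a temporary service (conventionally named PSEXESVC) that runs the payload. The script below is an added example, not code from Ars or any of the vendors quoted; it runs detection logic over a handful of constructed Windows event records (System event 7045, service installed; Security event 4624 with logon type 3, network logon) and correlates each PsExec-style service install with the network logon that staged it, then pivots on the source address, since one source touching many hosts in quick succession is what worm-driven lateral movement looks like. The field names and the 60-second window are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry): a minimal projection of
# Windows System/Security log records. Event 7045 = service installed;
# 4624 with logon_type 3 = network logon, which is what a remote PsExec
# launch looks like from the target's side.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS02", "id": 4624, "logon_type": 3, "src_ip": "10.0.0.5", "user": "CORP\\admin"},
    {"ts": 102, "host": "WS02", "id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": 200, "host": "WS03", "id": 7045, "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
    {"ts": 300, "host": "WS04", "id": 4624, "logon_type": 3, "src_ip": "10.0.0.9", "user": "CORP\\svc"},
    # Service install with no preceding network logon in the window (assumed log gap).
    {"ts": 400, "host": "WS05", "id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]

# PsExec's service name can be renamed with -r; matching on the substring catches the default.
PSEXEC_RE = re.compile(r"psexe", re.IGNORECASE)
WINDOW = 60  # seconds: how far back to look for the network logon that staged the service (assumption)


def find_psexec_lateral_movement(events, window=WINDOW):
    """Return one finding per PsExec-style service install.

    Each finding records the target host and, when a network logon preceded
    the install within `window` seconds, the source IP and account used.
    """
    logons = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            logons[e["host"]].append(e)

    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] != 7045:
            continue
        if not (PSEXEC_RE.search(e.get("service", "")) or PSEXEC_RE.search(e.get("image", ""))):
            continue
        staged_by = [l for l in logons[e["host"]] if 0 <= e["ts"] - l["ts"] <= window]
        latest = staged_by[-1] if staged_by else None
        findings.append({
            "host": e["host"],
            "ts": e["ts"],
            "service": e["service"],
            "src_ip": latest["src_ip"] if latest else None,
            "user": latest["user"] if latest else None,
        })
    return findings


def pivot_sources(findings):
    """Group findings by originating IP: one source fanning out to many hosts is the worm signature."""
    by_src = defaultdict(set)
    for f in findings:
        if f["src_ip"]:
            by_src[f["src_ip"]].add(f["host"])
    return {ip: sorted(hosts) for ip, hosts in by_src.items()}


if __name__ == "__main__":
    hits = find_psexec_lateral_movement(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(pivot_sources(hits))
```

A finding with no staging logon (WS05 above) is still worth raising: either the Security log on that host has a gap, or the service was installed locally, and both deserve a look. Renaming the service (PsExec's -r switch) defeats the name match, so in production pair this with the image path and the 4624/4672 logon pair rather than relying on the string alone.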

Ransomware and credential stealer together

According to researchers at Recorded Future, Tuesday's attacks appear to deliver two payloads. One appears to be a new version of the Petya ransomware package. Tuesday's version, which some researchers have started calling PetyaWrap, holds data hostage until users pay $300 in Bitcoin. The other payload is an information stealer that extracts usernames and passwords from victim computers and sends the data to a server controlled by the attackers. That would mean that while an infected computer has been rendered inoperable by the ransomware, the attackers would already have access to any high-value credentials that were stored on the machine. While researchers from Recorded Future and many other firms said PetyaWrap was a new version of the long-established Petya ransomware, researchers from antivirus provider Kaspersky Lab said that preliminary findings showed it was, in fact, a new piece of malware that had never been seen before.

Researchers with AV provider Eset said in a blog post that, unlike many ransomware packages, PetyaWrap doesn't encrypt individual files. Instead the encryption is aimed at the computer's entire file system. The ransomware targets the computer's master boot record, the crucial piece of data that tells the machine where to find its operating system and other key components; once that is overwritten, the computer can no longer boot normally.
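Because the master boot record is a fixed 512-byte structure, it is one of the easier things for a responder to baseline and watch. The code below is an added example, not Eset's analysis or any vendor's tooling: it builds a constructed MBR (boot code, one bootable NTFS partition at LBA 2048, the 0x55AA signature), parses it, and then checks a disk's first sector against a known-good boot-code hash. The point it makes is that a bootkit-style ransomware can replace the boot code while leaving the signature and partition table intact, so checking only the 0x55AA bytes is not enough; the hash comparison is what catches the swap. The sample boot-code bytes and the baseline-hash scheme are assumptions for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code the BIOS jumps into
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511: boot signature
PART_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR for demonstration: caller-supplied boot code, one bootable
    NTFS (type 0x07) partition starting at LBA 2048, valid 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + SIGNATURE


def parse_mbr(blob: bytes) -> dict:
    """Decode the signature, a SHA-256 of the boot-code area and the in-use partition entries."""
    if len(blob) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, blob[off:off + PART_ENTRY_LEN])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": blob[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(blob[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(blob: bytes, baseline_boot_code_sha256: str) -> list:
    """Return the reasons an MBR looks tampered with; an empty list means it matches the baseline."""
    info = parse_mbr(blob)
    reasons = []
    if not info["signature_ok"]:
        reasons.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        reasons.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        reasons.append("no active partition")
    return reasons


if __name__ == "__main__":
    # Baseline: hash the boot code of a known-good image (constructed here; in practice taken
    # from a gold image or read from the disk while the machine is known to be clean).
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
    baseline = parse_mbr(good)["boot_code_sha256"]
    print("clean:", check_mbr(good, baseline))
    # A replaced loader keeps the signature and partition table, so only the hash check fires.
    print("swapped loader:", check_mbr(build_sample_mbr(b"NOT THE REAL LOADER"), baseline))
    # A wiped first sector fails every check.
    print("wiped:", check_mbr(b"\x00" * MBR_SIZE, baseline))
```

On a live Windows host the first sector is read from `\\.\PhysicalDrive0` with the process elevated; on Linux from `/dev/sda` (or a forensic image). Keep the baseline hash off the machine being checked, since malware that rewrites the MBR can just as easily rewrite a hash stored beside it.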

Tuesday's attack spread widely almost immediately. It initially took hold in Ukraine, but it soon reportedly spread to Spain, France, Russia, and the United States. WPP, the British ad company, said on Twitter that some of its IT systems were hit by a cyber attack; its website remained unreachable as this post was going live. Meanwhile, Reuters reported that Ukrainian state power distributor Ukrenergo said its IT systems were also hit by a cyber attack but that the disruption had no impact on power supplies or broader operations.

Others hit, according to Bloomberg, included Ukrainian delivery network Nova Poshta, which halted service to clients after its network was infected. Bloomberg also said Ukraine's Central Bank warned on its website that several banks had been targeted by hackers. Security company Group-IB said at least 80 companies have been infected so far.

The rapid spread mimics the WCry outbreak, which within about 12 hours infected more than 727,000 computers in 90 countries. WCry was designed to be a worm, meaning once it infected a computer it could spread to other connected computers without requiring any user interaction. It is not yet clear if PetyaWrap has the same self-replicating ability. The number of organizations that have been disrupted would suggest that it does.