Massive ransomware attack is causing chaos in airports, banks and more worldwide

A massive ransomware attack – dubbed Petya – is causing havoc at airports, banks and many other institutions across Europe.

It remains unclear who is behind the attack, but Moscow-based security firm Group-IB told Reuters it appears to be a coordinated effort simultaneously targeting victims in Russia and Ukraine. The exact extent of the raid is yet to be determined, but some speculate it could be bigger than WannaCry.

While the attack seems to be more widely spread in Russia and Ukraine, it is also affecting companies in Denmark, Spain and the US.

So far several companies have reported experiencing issues, including Copenhagen-based shipping giant A.P. Moller-Maersk and Russia’s top oil producer Rosneft:

We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.

— Maersk (@Maersk) June 27, 2017

A massive hacker attack has hit the servers of the Company. We hope it has no relation to the ongoing court procedures.

— Rosneft (@RosneftEN) June 27, 2017

Global ransomware attack. #Petya

Harbour terminals
Airports
Electricity grids
Banks
Factory's
Offices
Insurance company's
Military
Etc pic.twitter.com/EvfDctWfkK

— Ntisec #NeoSlave (@ntisec) June 27, 2017

Director of Boryspyl Airport in Ukraine, Yevhen Dykhne, has since released a statement claiming that, “[i]n connection with the irregular situation, some flight delays are possible.”

“We kindly urge you to be understanding, keep calm,” he added. “Current information about the departure times can be found on the scoreboard in terminal.”

According to chatter in the Twitterverse, the attackers are seeking a ransom fee of $300 worth of Bitcoin from individuals, accompanied by a short message asking victims to send funds to a certain Bitcoin wallet ID in order to receive their installation key.

You can follow all transactions made to the attacker’s wallet ID by following this link, or check out the Twitter bot someone made to keep track of it. So far there has been about eight payments made, equaling to a little over 1 BTC (about $2,300).

F-Secure star researcher Mikko Hypponen has compiled a list of some of the files that Petya takes hostage.

The list includes popular formats like *.pdf, *.pptx, *.ppt, *.ova, *.php and many more. For the full list, check the tweet below:

Petya encrypts the following file types, demands a $300 ransom in Bitcoin. pic.twitter.com/9a3S2fwDtR

— Mikko Hypponen (@mikko) June 27, 2017

Update 11:35 am CST: Petya seems to be spreading as far as ATMs and supermarkets.

Petya on an ATM. Photo by REUTERS.https://t.co/fDQ0nGyQc6 pic.twitter.com/gT2xQP9wAo

— Mikko Hypponen (@mikko) June 27, 2017

Even Chernobyl has been effected by the attack. Our advice: stay away until this is fixed.

Chornobyl nuclear power plant has switched to manual radiation monitoring of site b/c cyberattack, says Exclusion Zone agency press service.

— Christopher Miller (@ChristopherJM) June 27, 2017

Global law firm DLA Piper resorted to non-digital means of spreading the news after it was hit by the attack:

A tipster sends along this photo taken outside DLA Piper's D.C. office around 10am. #Petya pic.twitter.com/HWS4UFlvQR

— Eric Geller (@ericgeller) June 27, 2017

Update 1:22 pm CST: Posteo, the email service used by the attackers, has blocked the account. It urges people effected not to pay the ransom, as the attackers no longer have access to the email address and even paying means you might not get your files back, at least not at the moment.

Update 7:22 AM CST, June 28: Cybersecurity researcher Amit Serper has discovered a nifty trick to vaccinate your system against Petya (or however you wish to call it.

100% certainty! Create a file called perfc with no extension in %windir%. And now I celebrate with friends! pic.twitter.com/JB03xab2BZ

— Amit Serper (@0xAmit) June 27, 2017

Catalin Cimpanu from Bleeping Computer has explained in more detail what steps you need to take to prevent Petya from infecting your computer here.