Kaspersky Lab: new ransomware attack 'likely to grow even more'

Kaspersky Lab said Wednesday that the new ransomware attack that started a day ago "is likely to grow even more."

In an updated blog posting, the multinational cybersecurity and anti-virus services provider said its experts concluded that the new malware is significantly different from all earlier known versions of Petya, a family of encrypting ransomware that was first discovered in 2016.

Petya targets Microsoft Windows-based software systems, infecting the master boot record to execute a payload that encrypts the file table with the New Technology File System (NTFS) format, which is used by current Windows versions for storing and retrieving files on a hard disk or other data storage devices, demanding a payment in Bitcoin in order to regain access to the system.

Unofficially, the author of the posting noted, "we've named it ExPetr or NotPetya."

"The attack appears to be complex, involving several attack vectors," according to the posting. "We can confirm that a modified EternalBlue exploit is used for propagation, at least within corporate networks."

EternalBlue, generally believed to have been developed by the U.S. National Security Agency (NSA) to exploit a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, was made available on the internet by the Shadow Brokers hacker group on April 14.

Although it was patched by Microsoft on March 14, EternalBlue was used as part of the worldwide WannaCry ransomware attack on May 12.

As in the WannaCry case, the attacker behind the new ransomware tried to extort payment equivalent to 300 U.S. dollars in Bitcoin, a cryptocurrency, from its victims for what the attacker called a "decryption key."

However, notifying it does not advocate paying the ransom, Kaspersky Lab said German email service provider Posteo has already shut down the email address that victims were supposed to use to contact blackmailers and send Bitcoins, and from which they would receive decryption keys; therefore, with the email address blocked, victims won't be able to pay the criminals or get their files back.

While the cybercriminals behind the new ransomware target mostly big enterprises, and home users seem to be less affected by the threat, Kaspersky Lab recommends its customers to back up data, manually update the antivirus databases and install all security updates for Windows.