[Update on 30 June 2017, 4.30 pm (GMT +08:00): Latest findings from Kaspersky Lab and Comae Technologies suggest that this new malware is a wiper disguised as ransomware. More on that here: Wiper, not ransomware, behind recent cyberattacks, security experts say]
Only a month after the WannaCry incident, which affected thousands of organisations worldwide, a new ransomware attack is now creating ripples in the cybersecurity sector.
According to Symantec, the ransomware is initially seeded in a tax and accounting software package, called MEDoc, which is widely used in organisations in Ukraine. The virus then uses various methods to spread across corporate networks.
Similar to WannaCry, the new ransomware uses the EternalBlue exploit to infect Windows systems that have not patched the server message block (SMB) vulnerability.
Besides that, the new ransomware also tries to copy itself and a copy of psexec.exe to the ADMIN$ folder of the remote machine. The virus will then attempt to remotely start psexec.exe as a service, McAfee detailed.
Perpetrators also attempt to use the Windows Management Instrumentation Command-line (WMIC) to install the virus using stolen credentials. The malware will then drop psexec.exe to the local system and another .EXE to the %TEMP% folder. McAfee said this binary is a modified version of a password dump tool that is used in Mimikatz or LSADump.
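The two propagation paths described above (an executable pushed to a remote ADMIN$ share and started through PsExec, and WMIC used to create a process on another host) leave traces that endpoint telemetry can be checked for. The correlator below is an added example, not code from the article or from any of the vendors it quotes; the event records, field names, host names and file names are constructed for the example, and PSEXESVC is the default name of the helper service PsExec registers on the target.

```python
import re
from collections import defaultdict

# Constructed sample of normalised endpoint events (not real telemetry).
# The field names (host, kind, path, image, cmdline) are this example's own
# schema; map Sysmon / Security-log / EDR fields onto them before use.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "file_write", "path": r"\\fs02\ADMIN$\psexec.exe"},
    {"host": "ws01", "kind": "file_write", "path": r"\\fs02\ADMIN$\dropper.exe"},
    {"host": "ws01", "kind": "process_create", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /node:fs03 /user:CORP\svc_backup process call create C:\Windows\dropper.exe"},
    {"host": "fs02", "kind": "service_install", "image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws02", "kind": "process_create", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                      # benign local WMIC query
    {"host": "ws02", "kind": "file_write", "path": r"C:\Users\alice\Downloads\report.xlsx"},
]

# UNC path to a remote ADMIN$ share ending in an executable or DLL
ADMIN_SHARE_EXE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\.*\.(exe|dll)$", re.I)
# WMIC pointed at another node and asked to create a process there
WMIC_REMOTE_EXEC = re.compile(r"/node:\S+.*process\s+call\s+create", re.I)

def indicator_for(event):
    """Return the lateral-movement indicator an event matches, or None."""
    kind = event["kind"]
    if kind == "file_write" and ADMIN_SHARE_EXE.match(event["path"]):
        return "admin_share_exe_copy"           # executable dropped onto a remote ADMIN$
    if (kind == "process_create" and event["image"].lower().endswith("wmic.exe")
            and WMIC_REMOTE_EXEC.search(event["cmdline"])):
        return "wmic_remote_process_create"     # WMIC remote process creation
    if kind == "service_install" and "psexesvc" in event["image"].lower():
        return "psexec_service_install"         # PsExec helper service registered (target side)
    return None

def indicators_by_host(events):
    """Map each host to the set of distinct indicators seen on it."""
    found = defaultdict(set)
    for ev in events:
        ind = indicator_for(ev)
        if ind:
            found[ev["host"]].add(ind)
    return dict(found)

def flag_hosts(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct techniques. PsExec and
    WMIC are also used legitimately by administrators, so a single hit only
    merits a look; requiring two keeps noise down. Tune the threshold and
    allowlist known jump hosts for your own environment."""
    return sorted(h for h, s in indicators_by_host(events).items() if len(s) >= min_indicators)

if __name__ == "__main__":
    for host, inds in indicators_by_host(SAMPLE_EVENTS).items():
        print(host, sorted(inds))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

On the sample above only ws01 is flagged; fs02 shows the inbound service install alone and is worth pairing with ws01's events during triage.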
The new malware, unlike typical ransomware, not only encrypts files but also encrypts the Master File Table (MFT) of NTFS partitions and overwrites the master boot record (MBR), which prevents infected computers from booting.
"This means that the computer is compromised even before Windows can be loaded," according to Acronis. The infected PCs will only show a ransom note that demands that victims pay US$300 in bitcoin for decryption keys that would allegedly unlock their systems.
However, ESET said paying the ransom is no longer possible, as the e-mail address to which victims were to send their bitcoin wallet ID and personal installation key has been shut down by the provider.
What is the real identity of the new ransomware?
There are still debates around the identity of the new ransomware, and cybersecurity companies said they are still examining the virus.
Initially, ESET, McAfee, Symantec, Irdeto, and SophosLabs linked the cyberattacks to the Petya ransomware or a variant of it (e.g. GoldenEye). However, some firms such as LogRhythm and Kaspersky Lab said the attacks were caused by malware that is neither related to nor a variant of Petya, and thus they called it NotPetya.
Regardless of its identity, the new ransomware has already affected around 2,000 users worldwide, according to Kaspersky Lab's telemetry data. Organisations in Russia and Ukraine were found to be most affected by the malware.