First Petya, now Ukrainian state power firm hit by second cyberattack 'similar to WannaCry'

Shortly after suffering a major cyberattack linked to Petya ransomware on Tuesday 27 June, beleaguered Ukrainian state power company Ukrenergo was targeted yet again by a second cyberattack two days later.

The attack on Thursday 29 June reportedly used a completely different strain of malware from Petya, the malicious piece of software that ripped through tens of thousands computers in the region before spreading across the world earlier this week.

"The virus was slightly different, of a different nature, similar to WannaCry," Ukrenergo's acting director Vsevolod Kovalchuk told a press conference on Friday 30 June, as reported by Reuters.

WannaCry was a ransomware which caused chaos in May across the British national healthcare system, before eventually infecting computers across 150 countries.

However, the multiple attacks indicate hackers remain highly interested in targeting Ukraine's critical infrastructure. Indeed, on the day of the second Ukrenergo incident, a researcher known as MalwareHunterTeam found evidence that a "WannaCry clone" was active in Ukraine.

Ransomware spread like wildfire

On 27 June, Windows computers in Ukrainian banks, business, airports and government departments were hit by an infectious ransomware which encrypted hard drives and demanded $300 worth of bitcoin, a cryptocurrency, for their return.

The variant of Petya, it emerged, was super-charged by two exploits stolen from the US National Security Agency (NSA) titled EternalBlue and EternalRomance. Microsoft, after conducting analysis of the ransomware, reported that it boasted a slew of sophisticated capabilities.

During the Friday press conference, Kovalchuk said evidence suggested the initial Petya infection was caused by a software update. This matches findings of numerous cybersecurity experts, who discovered a widely-used accounting software called Medoc had been hacked to spread the virus.

Researchers now believe the hackers never intended to make money.

No luck in decrypting files

One expert, Matthieu Suiche, found Petya's internal code contained "disk wiping" capabilities which meant it was purposely designed to destroy computers. Russian cybersecurity firm Kaspersky Lab found it lacked the ability to decrypt victims' files.

This is not the first time Ukraine has been targeted in a major cyberattack. In December 2015, a separate power firm suffered a blackout that cut the electricity of more than 200,000 citizens for several hours. Law enforcement found that hackers – possibly of the nation state variety – had tampered with its systems.

Ukraine was the most impacted country in the latest Petya ransomware attack. This has resulted in speculation that Russia may be responsible for the outages. The investigation is ongoing, with the FBI and its British equivalent, the National Crime Agency (NSA), now involved.

IBTimes UK put together a step-by-step guide on how to help stay protected from Petya.