The number of users attacked by the new ransomware, which Kaspersky Lab has named ExPetr, has reached 2,000, with the bulk of victims located in Russia and Ukraine, the antivirus maker said in a statement on Wednesday.
“Cases were also registered in Poland, Italy, the U.K., Germany, France, the U.S., and other countries,” Kaspersky Lab said.
The company said the malware used several attack vectors. “It was discovered that a modified exploit EternalBlue and the exploit EternalRomance were used to expand in corporate networks,” they said.
The ransomware demanded U.S.$300 in bitcoins, and Kaspersky said that the creators of the malware had received about $2,700.
The ransomware does not belong to the already known Petya family, although the two share some lines of code. “In this case, we’re speaking about a new family of malware with functions significantly different from those of Petya,” Kaspersky Lab said.
A global ransomware attack hit the IT systems of companies in several countries on Tuesday. The assault targeted oil, power, telecom, and pharmaceutical firms.
Slovakia-headquartered antivirus maker ESET said that the ransomware was distributed via an update for the accounting software M.E.Doc, which is widely used by Ukrainian companies and banks.
Some corporate users installed the M.E.Doc update with an embedded Trojan, which triggered the massive attack, ESET said.
“Having a single vulnerable computer without updated security software will suffice to infect a corporate network. The malware program will reach the network through it, get administrator rights, and spread to other devices,” the antivirus maker said.
The Russian central bank registered cases of banks receiving the malware, although the consequences of the global attack were eliminated on Tuesday.
“According to the information of the central bank, isolated cases of infection were registered. Consequences of these incidents were quickly mended. However, cases of malware receipt have been seen until now,” the regulator said in a statement.
The central bank’s FinCERT, the body that gathers information on hacker attacks and provides recommendations, is analyzing the attack and will advise banks on further steps.