Wednesday, June 28, 2017

Ransomware Affecting APM Terminals

27 June 2017. According to open source reporting, numerous high-profile organizations have released statements confirming that they are affected by ransomware spread via an SMB exploit. Merck & Co, Rosneft, Boryspil International Airport, Antonov State Company, Ukrenergo, and WPP are among the victim companies. The Maersk Group, on behalf of its subsidiary APM Terminals, confirmed infections in APM facilities. At the time of this report, the bitcoin (BTC) wallet associated with the ransomware has thirty-one (31) received payments totaling 3.27744736 BTC ($7908.12 USD). Maersk has issued the following statement: “We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.” Open source reporting has confirmed that ports in Rotterdam, NL and Mobile, Alabama, US are affected and currently closed until network systems are restored. It is probable that all ports with APM facilities are affected, given the malware’s multiple lateral movement capabilities. PetrWrap ransomware is being spread using the EternalBlue SMB exploit. The malware also leverages Windows Management Instrumentation Command-line (WMIC) and PsExec to spread internally across a network.
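The WMIC and PsExec spreading behaviour described above is visible in host process-creation telemetry, which gives defenders a detection handle independent of the SMB exploit itself. The following is an added illustration, not part of the Wapack Labs report: it runs three simple rules over constructed process-creation events in an assumed, simplified Sysmon-style schema (fields `host`, `image`, `command_line`, `parent_image`). Host names, paths and the `payload.exe` file name are made up for the example.

```python
"""Flag process-creation events consistent with WMIC/PsExec lateral movement.

Added example; the event schema and every sample value below are constructed
for illustration and are not drawn from real telemetry or from the report.
"""
import re
from typing import Dict, Iterable, List, Optional

Event = Dict[str, str]

# Constructed sample process-creation events (simplified Sysmon-style fields).
SAMPLE_EVENTS: List[Event] = [
    {   # WMIC creating a process on another host (lateral movement source)
        "host": "WS-01",
        "image": r"C:\Windows\System32\wbem\WMIC.exe",
        "command_line": r'wmic /node:"FS-02" /user:corp\svc process call create "C:\Windows\payload.exe"',
        "parent_image": r"C:\Windows\System32\rundll32.exe",
    },
    {   # PsExec's service binary running on the receiving host (target side)
        "host": "FS-02",
        "image": r"C:\Windows\PSEXESVC.exe",
        "command_line": r"C:\Windows\PSEXESVC.exe",
        "parent_image": r"C:\Windows\System32\services.exe",
    },
    {   # PsExec client pushing execution to a remote host (source side)
        "host": "WS-01",
        "image": r"C:\Temp\psexec.exe",
        "command_line": r"psexec.exe \\FS-03 -accepteula -s C:\Windows\payload.exe",
        "parent_image": r"C:\Windows\System32\rundll32.exe",
    },
    {   # benign local WMIC query; must not fire
        "host": "WS-05",
        "image": r"C:\Windows\System32\wbem\WMIC.exe",
        "command_line": "wmic os get caption",
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
    {   # unrelated process; must not fire
        "host": "WS-05",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]

# WMIC targeting a remote node and asking it to create a process.
WMIC_REMOTE_CREATE = re.compile(r"/node:\S+.*process\s+call\s+create", re.IGNORECASE)
WMIC_NODE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)
# PsExec client invoked with a UNC host (\\HOST) as its first argument.
PSEXEC_CLIENT = re.compile(r"psexec(?:64)?(?:\.exe)?\s+\\\\(\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Event) -> List[Dict[str, Optional[str]]]:
    """Return a finding per rule the event matches: rule name plus the target host."""
    findings: List[Dict[str, Optional[str]]] = []
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "")

    if image == "wmic.exe" and WMIC_REMOTE_CREATE.search(cmd):
        node = WMIC_NODE.search(cmd)
        findings.append({"host": event["host"], "rule": "wmic_remote_process_create",
                         "target": node.group(1) if node else None})

    # PSEXESVC.exe is the service PsExec installs on the machine it runs code on,
    # so seeing it start identifies that machine as the target of remote execution.
    if image == "psexesvc.exe":
        findings.append({"host": event["host"], "rule": "psexec_service_on_target",
                         "target": event["host"]})

    if image in ("psexec.exe", "psexec64.exe"):
        m = PSEXEC_CLIENT.search(cmd)
        if m:
            findings.append({"host": event["host"], "rule": "psexec_client_remote_exec",
                             "target": m.group(1)})
    return findings


def detect(events: Iterable[Event]) -> List[Dict[str, Optional[str]]]:
    """Run all rules over a stream of events and collect the findings in order."""
    results: List[Dict[str, Optional[str]]] = []
    for ev in events:
        results.extend(classify(ev))
    return results


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:28} target={f['target']}")
```

Correlating the source-side rules (WMIC `/node:`, PsExec client) with the target-side rule (PSEXESVC service start) across hosts within a short window is what turns individual alerts into a picture of the spread path; in a real deployment the event dicts would come from Sysmon Event ID 1 or Windows Security Event 4688 records rather than the inline list.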

Wapack Labs has cataloged and reported extensively on maritime vulnerabilities and ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.