Latest: All About Petya

Uploaded on 2017-07-03 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Meet the sequel to WannaCry, the wide-ranging ransomware attack that crippled businesses around the globe in May. On Tuesday 27th June, another widespread ransomware attack began halting unprepared businesses in their tracks. 

The new attack uses the same method of propagation as WannaCry: A leaked hacking tool called Eternal Blue, which has been linked to the US National Security Agency.

One of the major differences between the two attacks is that the most recent event does not yet appear to be susceptible to a hardcoded "kill switch." That means it may prove harder to overcome.Security experts have been warning organisations that failed to apply security patches to their Microsoft Windows-based computer systems that it was only a matter of time before another digital siege surfaced. It seems their predictions have borne true.

A wave of ransomware attacks spread like wildfire on Tuesday 27th. Many Microsoft Windows-based computers, specifically, ones not protected against a vulnerability in a Microsoft messaging protocol called SMB-1, began seizing up worldwide, locking employees out of their desktops, and displaying ransom notes.

Unable to access their files and folders, workers and managers were greeted by on-screen demands for payment of $300 in Bitcoin, a digital currency often used by cyber extortionists because it's easy to send and hard to track.

Who has been affected?                                                                                                                                             The attack struck organisations in the US, Australia, Italy, Germany, Poland, Ukraine and Russia. Costin Raiu, director of global research at Russian security firm Kaspersky Labs, posted a bar graph on Twitter showing the geographic distribution of victims, according to what his firm could measure. (Kaspersky's customer base skews towards Russian-speaking countries, which might explain the spread.)

Some of the affected companies include Maersk, the Danish shipping giant, Rosneft, the Russian oil company, WPP, the British advertising agency, and Merck, the US pharmaceutical giant. There are reports that the attack has also affected banks, hospitals, governments, airports, and other organisations.
What is Petya? 

Petya is a familiar strain of ransomware security companies have been tracking at least since March of 2016. It had hitherto appeared mainly in targeted attacks. 

This time its spread has been fast and indiscriminate. Petya's code has been updated with worm functionality and the EternalBlue exploit the ShadowBrokers released on April 14, 2017. The ShadowBrokers claimed that EternalBlue was obtained from NSA (many, including Microsoft, agreed); their dump prompted widespread concern over zero-day inventories and the US Intelligence Community's Vulnerability Equities Process. It was also used in last month's WannaCry outbreak.

The current Petya infestation spreads as rapidly and indiscriminately as WannaCry did, but it's regarded as better crafted code. It doesn't exhibit WannaCry's botched Bitcoin wallets, and its attack on master boot records renders it more dangerous.

WannaCry has been widely associated with North Korea's Lazarus Group, but speculation about this instance of Petya focuses on Russia. Ukraine, the original and principal victim, thinks the ransomware is Russia's work. And like WannaCry, the return on the hackers' investment has been trivial in comparison with the scope of the attack: less than $10,000, according to recent reports.

Early reports said this time Petya spread by phishing with malicious Word files, but that seems incorrect. Tanium says the initial vector was a Ukrainian software update.

Initial analyses suggested that the latest wave of attacks involved malware based on Petya, a type of ransomware that first surfaced last year. Further investigations have disputed this analysis. In lieu of a better name, some cyber-security firms, such as Kaspersky, have begun referring to the latest malware as "NotPetya." Jeremiah Grossman, chief security strategist at the cyber-security firm SentinelOne, told Fortune there isn't enough evidence yet to uncover the malware's provenance. "This outbreak has similar characteristics as Petya, such as infecting the MBR [Master Boot Record, an important component of Microsoft computer hard drives] and encrypting the entire drive, however, it is not clear yet that this is a Petya variant," he said.

How did this happen?
Companies that failed to patch their systems against the Microsoft vulnerability were open to this attack. It's still not clear what the initial attack vector was. But once inside, the worm could spread across computer networks via the hole in Microsoft SMB-1.
It seems that many of the organisations affected by the malware operated industrial systems. These machines can be hard to patch because they run critical processes are difficult to take offline. 
"Organisations like these typically have a hard time patching all of their machines because so many systems simply cannot have down time," said Chris Wysopal, cofounder and chief tech officer of Veracode, an application security firm purchased by CA Technologies earlier this year.

What can businesses do to protect themselves?
There are a few simple steps businesses can take, as the cyber-security firm Palo Alto Networks explains on its "threat brief" blog.  First, apply Microsoft patch MS17-010. 
Second, block connections to Microsoft Windows' port 445, the part of the operating system associated with the vulnerable protocol.  And finally, maintain regular data backups, and use them to restore systems.

Should you pay the ransom?
This is a continual source of debate in the information security community. The general belief is, no, you should not pay the ransom. For one, there's no guarantee extortionists will return your files. Second, funding cybercriminals will encourage them to develop similar attacks in the future.

Still, sometimes companies take a gamble and pay up in the hopes that the criminals will restore access to their files and information. In this case, it appears as though customers will not be able to reclaim their data even if they do pay up. 
Posteo, the email service chosen by the attackers, said it blocked the account they created, meaning the extortionists have lost their channel to communicate with victims and hand over decryption keys. Despite this, the attackers' Bitcoin wallet had already received 28 transactions equaling 3 Bitcoins, or more than $7,000, as of 3 P.M. ET last Tuesday.

Fortune:      The Cyber Wire:

You Might Also Read:

Petya Cyber Attack Update:

Petya Cyber Attack Hits EU & US:

Targeted Ransomware Attacks Are Focusing On Business:

 

 

 

 

« VR Systems Will Change US Navy Training
Cyberwar: A New Front For US Military »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Infineon Technologies

Infineon Technologies

Infineon is a leader in semiconductor solutions for a huge range of applications including automation, smart systems and security for the Internet of Things.

QASymphony

QASymphony

QASymphony software testing and QA tools help companies create better software by improving speed, efficiency and collaboration during the testing lifecycle.

AirCUVE

AirCUVE

AirCUVE provide authentication and access control solutions for networks and mobile security.

Cato Networks

Cato Networks

Cato connects your branch locations, physical and cloud datacenters, and mobile users into a secure and optimized global network in the cloud.

Centre for Cyber Security (CFCS) - Denmark

Centre for Cyber Security (CFCS) - Denmark

The Centre for Cyber Security is the Danish national IT security authority, Network Security Service and Centre for Excellence within cyber security.

Mend.io

Mend.io

Mend.io (formerly known as WhiteSource) is an application security company built to secure today’s digital world.

ArcusTeam

ArcusTeam

ArcusTeam is at the forefront of the firmware and applications security industry, with a mission to increase the level of security on all IoT devices and applications.

Portuguese Institute for Accreditation (IPAC)

Portuguese Institute for Accreditation (IPAC)

IPAC is the national accreditation body for Portugal. The directory of members provides details of organisations offering certification services for ISO 27001.

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic's main goal is toward establishing an international reference centre for excellence in the field of digital forensics and data recovery services.

KeyXentic

KeyXentic

KeyXentic Inc. is a professional mobile and data security service provider. We are devoted to design convenient and strong security for user’s data protection and privacy without any compromise.

Bessemer Venture Partners (BVP)

Bessemer Venture Partners (BVP)

Bessemer Venture Partners was born from innovations that literally forged modern building and manufacturing. Today, our team of investors works with people who want to create revolutions of their own.

Cybil

Cybil

Cybil is a publicly-available portal where members of the international cyber capacity building community can find and share information to support the design and delivery of programs and projects.

SecureThings

SecureThings

SecureThings focus is to provide guidance and technology to secure connected vehicles in order to build end-to-end security for the automotive industry.

Synamic Technologies

Synamic Technologies

Synamic Technologies was founded in 2018 as a start-up to automate cyber security processes. Our CISOSCOPE product automates vulnerability management, risk management and compliance.

DynTek

DynTek

DynTek delivers exceptional, cost-effective professional IT consulting services, end-to-end IT solutions and managed IT services.

Amiosec

Amiosec

Amiosec is a British cyber innovation business specialising in delivering simple-to-use solutions to the complex problems of the modern world.