While 2016 was marked by extraordinary attacks, including multi-million dollar virtual bank heists, 2017 is proving no less eventful. Just a month after WannaCry locked up thousands of computers, a new wave of ransomware attacks is targeting users across the world, including India and Europe. It is the second major global ransomware attack in the last two months. Consumer, shipping, aviation and oil & gas companies were hit on Tuesday in the UK, Russia, France, Spain and elsewhere.
Petwrap, believed to be an advanced version of an old ransomware known as Petya, locked the computer screens of as many as 20 companies globally with $300 being demanded to be paid in Bitcoin to free them up.
Advertising company WPP, food company Mondelez, legal firm DLA Piper, French construction materials company Saint-Gobain, Russian steel and oil firms Evraz and Rosneft, and Danish shipping and transport firm Maersk are among the companies hit by the ransomware on Tuesday, causing serious disruptions according to people aware of the matter. Indian subsidiaries of UK- and Russia-based oil and gas, energy and aviation companies were also hit.
Like the WannaCry ransomware attack, which affected more than 230,000 computers in over 150 countries, with the UK’s National Health Service, Spanish phone company Telefonica and German state railways among those hardest hit, Petya spreads rapidly through networks that use Microsoft Windows. Once one computer is infected, the malware spreads across the organization either by exploiting the EternalBlue vulnerability in Microsoft Windows or through two Windows administrative tools: it tries one option and, if that does not work, it tries the next.
According to the Ukrainian Cyber Police, the attack appears to have been seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government are required to use. The ransomware infects a computer and then waits for about an hour before rebooting it. While the machine is rebooting, switching it off can prevent the files from being encrypted, leaving a chance to rescue the files from the disk.
According to a Symantec study, ransomware attacks increased by 36% in 2016, with three times as many new ransomware families appearing. It has also been observed that attackers target the countries that can pay the highest ransoms.
How the industry is reacting
Sophos in its statement said that Petya (or Petrwrap/Petyawrap) was first discovered in 2016 – it is ransomware that encrypts MFT (Master File Tree) tables and overwrites the MBR (Master Boot Record), dropping a ransom note and leaving victims unable to boot their computer. “This new variant is particularly virulent because it uses multiple techniques to spread automatically within a company’s network once the first computer is infected.”
Kobi Ben Naim, Senior Director of Cyber Research, CyberArk Labs, remarks, “Based on initial analysis by CyberArk Labs, what we know now is that Petya is different from WannaCry in that it appears to be sparing endpoints that use a US English-only keyboard. This seemingly self-imposed restriction has been seen in nation state attacks. Like WannaCry, any individual and organization with an unpatched Microsoft system remains vulnerable to the worm. However, the organization would only be protected from the attack method. Our research shows that Petya requires administrative rights to execute. So, if a user clicks on a phishing link, the ransomware will still infect the network. The new malware is considered especially dangerous because it encrypts the Master Boot Record (MBR), instead of documents and applications, and prevents a user from rebooting. In addition to patching, organizations need to be focused on protecting privileged credentials at the endpoint to avoid them being utilized to execute this attack.”
Matt Moynahan, CEO of Forcepoint said that the Petya variant ultimately reboots the machine, presenting a faked ‘check disk’ screen, and showing the ransom message. The reboot and subsequent messages are typical of previously observed Petya behaviour. “Forcepoint identified that the ransomware spread laterally within an organization via a vulnerability in the Microsoft SMBv1 protocol, very similar to what we saw with WannaCry. If we do not invest in the cybersecurity of our critical infrastructure we will continue to see massive attacks with economic, employee and public safety ramifications. From the government to the boardroom, leaders need to make cyber resiliency a requirement, putting focus and funding behind it. While the perception may be that if we criminalize cyberattacks we will inhibit innovation, the reality is that if we do not treat cyber crime more seriously, attacks like WannaCry and Petya will start to feel even more commonplace than they already do,” he said.
Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto opines, “Because data is the new oil in the digital economy, ransomware attacks that restrict access to important data until the attacker is paid are becoming increasingly common. However, neither businesses nor individuals should pay ransoms to unlock any files that have been affected by a ransomware attack, as this incentivises and rewards these kinds of attacks. In order to prevent becoming a victim of a ransomware attack, data should be backed-up and encrypted, and stored away from the network the rest of the data is stored on. This means that, in the event that a ransomware attack locks someone out of their files, they will have secure copies available. By doing this, the victim would be able to return to business-as-usual quickly and efficiently.”
Kaspersky Lab experts, for their part, aim to release new signatures, including for the System Watcher component, as soon as possible, and to determine whether the data locked in the attack can be decrypted, with the intention of developing a decryption tool as soon as they can. The company also advises all companies to update their Windows software, to check their security solution, and to ensure they have backups and ransomware detection in place.
Aamir Lakhani, Senior Security Strategist at Fortinet points out that Petya uses the same attack vector as Wannacry, exploiting the identical Microsoft vulnerabilities that were uncovered by the Shadow Brokers earlier this year. “However, because additional attack vectors were used in this exploit, patching alone would have been inadequate to completely stop this exploit, which means that patching needs to be combined with good security tools and practices.”
“There are a couple of really interesting aspects to this attack,” Aamir says. “The first is that, in spite of the highly publicized disclosure of the Microsoft vulnerabilities and patches, and the world-wide nature of the follow-up Wannacry attack, there are apparently still thousands of organizations, including those managing critical infrastructure that have failed to patch their devices. The second is that this may simply be a test for delivering future attacks targeted at newly disclosed vulnerabilities.
From a financial perspective, Wannacry was not very successful, as it generated very little revenue for its developers. This was due, in part, because researchers were able to find a kill switch that disabled the attack. Petya’s payload, however, is much more sophisticated, though it remains to be seen if it will be more financially successful than its predecessor.”
Sharing her views, Sharda Tickoo, Technical Head, Trend Micro India says, “In India, so far we have no cases of Petya that have been reported to us. The countries most affected are Europe, typically Ukraine and Russia. We would recommend the companies to maintain an important hygiene of regularly taking back-up of necessary data and proactively monitor the systems for any suspicious activity. And most importantly, because it is a ransomware, we have to secure the email gateway first. There are also certain URL categorizations employed in work environment which can block access to malicious codes. Ensure that all the workstations have least privilege unless any workstation actually requires administrator privilege, as the ransomware spreads and tries to escalate the privileges. As it uses certain administrative tools like PowerShell, ensure that these utilities are restricted to administrators.”
After the attacks, the IT Advisory/Risk Advisory team at BDO India released an advisory alert. It notes that the second major global ransomware attack has drawn attention around the world. The malware, called "Petya", or "NotPetya" as security researchers are calling it, differs from typical ransomware in that it does not just encrypt files but also overwrites and encrypts the master boot record (MBR). The attack appears to have been initially seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use, according to the Ukrainian Cyber Police. Like WannaCry, NotPetya is spreading rapidly through networks that use Microsoft Windows and has already affected a large number of companies, organizations and government entities on an international scale. As of today, 36 ransom payments have already been made by victims of this attack.
Steve McGregory, Senior Director of Application Threat Intelligence – Ixia says, “From what we have seen we don’t believe this is nation-state related. It’s important to note that since the Shadow Brokers’ NSA leaks of these nation-state level cyber weapons, the use of WannaCry and today’s ransomware campaign are the equivalent of sophomore college students getting their Masters’ degrees in a matter of weeks. In this case, we are seeing a number of different malware variants being used in these attacks - including WannaCry, and a modified version of DoublePulsar that attempts to gain kernel level access on a system. Based on our honey pots in the wild, it seems that the malware is not moving - it may have been planted in advance by the attackers, and then activated for the attack.”
Sivarama Krishnan, Partner & Leader, Cyber Security - PwC India observes that the current variants of the ransomware have been seen using three propagation attack vectors -
· EternalBlue - exploiting the MS17-010 vulnerability, the same vulnerability exploited by WannaCry. Solution: patch the systems with MS17-010
· Admin$ - the malware can try to exploit the Admin$ service account and trust relationships. Solution: preferably disable Admin$ using GPO
· WMI - brute-forcing WMI. Solution: there is no solution other than having a strong password policy.
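As an added example (not part of the article or of PwC's advice), the following read-only PowerShell audit checks a Windows host against the three vectors listed above from a defender's side. It assumes Windows 8.1 / Server 2012 R2 or later with PowerShell 5.1 (for Get-SmbServerConfiguration and Get-LocalGroupMember) and an elevated session; the function name Test-PetyaExposure is hypothetical.

```powershell
# Added example: read-only host audit for the three propagation vectors above.
# Assumes Windows 8.1 / Server 2012 R2 or later with PowerShell 5.1; run elevated.
# Per-build MS17-010 KB numbers are not hard-coded (later cumulative updates
# supersede them), so vector 1 is checked through the SMBv1 setting EternalBlue needs.

function Test-PetyaExposure {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. EternalBlue (MS17-010) targets the SMBv1 server; SMBv1 enabled means exposure.
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        if ($cfg.EnableSMB1Protocol) {
            $findings.Add('SMBv1 enabled: apply MS17-010, then Set-SmbServerConfiguration -EnableSMB1Protocol $false')
        }
    } catch {
        $findings.Add('Get-SmbServerConfiguration unavailable: verify MS17-010 and SMBv1 manually')
    }

    # 2. Admin$ / C$: created by default and recreated at boot unless the
    #    AutoShareWks (workstation) or AutoShareServer (server) value is 0.
    $present = Get-SmbShare | Where-Object { $_.Name -in 'ADMIN$', 'C$' } |
               Select-Object -ExpandProperty Name
    if ($present) {
        $findings.Add("Administrative shares present: $($present -join ', ')")
    }
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $lanman
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        # A missing value behaves like 1 (shares are created), so treat it as a finding too.
        if ($params.$name -ne 0) {
            $findings.Add("$name is not 0; set it via GPO if Admin`$ is not required")
        }
    }

    # 3. WMI credential brute force: the only listed control is password policy,
    #    so surface the effective length and lockout settings for review.
    $policy = net accounts | Where-Object { $_ -match 'Minimum password length|Lockout threshold' }
    foreach ($line in $policy) { $findings.Add(($line -replace '\s+', ' ').Trim()) }

    # The malware needs administrative rights to execute (CyberArk, above), so
    # list local Administrators membership to check least privilege.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name
    $findings.Add("Local Administrators: $($admins -join ', ')")

    return $findings
}

Test-PetyaExposure | ForEach-Object { Write-Output $_ }
```

The script changes nothing; each finding names the corresponding remediation from the list above so it can be compared against a GPO baseline.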
“The worm spreads only within the subnet of initially infected host. Infection from internet systems may be limited (however this is yet to be confirmed for all variants). The system goes for a shutdown before being encrypted. In case a system has shut down automatically without user intervention - do not restart it. Isolate it and involve IR teams for disk imaging/analysis as necessary,” says Sivarama.
“The second ransomware attack less than a month from Wannacry, has brought to light how the speed of attacks has changed dramatically,” says Kartik Shahani, Integrated Security Leader, IBM India/South Asia. “Petya shows the attackers have learned from WannaCry, and have updated it to be more powerful. The ransomware is distributed using the same exploit that powered the spread of WannaCry. What makes Petya different is that unlike WannaCry, the ransomware can also infect patched systems on connected networks using Windows Management Instrumentation Command-line (WMIC) and PsExec, a remote command tool from Microsoft. Petya is also being deployed in combination with Mischa, a fall back which corrupts and encrypts individual files. Companies need to ensure that all systems with network access in the organization are patched for the Microsoft vulnerabilities. If infected, the first step is to disconnect the devices from the network and shut them down immediately to lessen the damage. While many companies may be tempted to pay ransom to get their systems back online, there are no guarantees that people who did pay the ransom will receive their files back.”
Ram Punamaraju, CEO - Yitsol Technologies agrees, "The latest cyber-attack and its impact across the world has once again underscored the importance of cyber security. The extent to which this attack has impacted the business operations in India as well as the rest of the world shows that in the times to come it will become a major business risk and corporate sector needs to take cyber security very seriously. Investments on research to ward off such attacks is the need of the hour. Governments across the world and the corporate sector should collaborate globally to prevent and take action against the perpetrators of such attacks."
“India is responding positively with no major impact on our businesses. During the last attack, the government activated the ‘preparedness and response mechanism’, which turns to India learning two important lessons from this situation -
· To be always prepared: companies need to constantly stay up to date for plausible threats that could come their way
· To have the armour to face such threats: the IT space needs to have enough skilled labour to counter such acts efficiently. These lessons should be implemented effectively and maintained as a hygiene for all companies henceforth”, says Vishwajeet Singh, CIO and Vice President, Aptech Ltd India.
Rakesh Kumar Singh, Datacenter lead, Juniper Networks India contends, “Mainly corporates which are not in high-tech are more vulnerable as they have lots of legacy OS installations that were ignored as they were used for non-intensive purposes like data entry. We saw that lots of intellectual property data was locked out during the Wannacry event. Since Petya is not only exploiting the same ‘EternalBlue’ vulnerability but additional known vulnerability that was exposed from prior leaks, we are expecting a wider impact this time. We are also expecting that lots of home users would be affected too.
It is a wakeup alert for all SMBs who avoided moving away from out-of-support operating systems. The main learning is that critical data should not be residing on user desktops. Cloud based solutions which ensure that the relevant data is made available to the user on demand but the storage of data itself is always on the cloud where it is easier to put security and anti-malware defenses.”
Amit Jaju, Executive Director, Fraud Investigation & Dispute Services, EY India says, “The recent cyber-attack through the strain of Petya Ransomware – now called PetWrap has hit many global companies through a software update from an Eastern European company. We have seen that the ransomware could be lethal as it encrypts the master boot record and hard drive, making it quite impossible to recover individual files once the entire hard drive is encrypted. While the total encryption process may take over an hour to complete, even a ten minute window could be sufficient for the ransomware to make the entire hard drive unusable.
PetWrap is known to have exploited the same vulnerability in the SMB v1.0 as WannaCry 2.0 did for which the patch was already issued. For now, PetWrap appears to be much more sophisticated than WannaCry 2.0. As precautionary measures, users are advised to patch their computers, keep their endpoint security software and firewalls updated and not open attachments from any unknown sources. In case of any suspicious behaviour encountered, users should put the computer in sleep mode and disconnect the network access immediately to safeguard their data.”