A major ransomware cyber-attack has once again struck businesses across the globe. But it is not yet clear if any country in the Middle East region has been a victim of the latest cyber-attack.
On Tuesday, IT systems in many companies, including Russia’s biggest oil producer Rosneft, Danish shipping company Maersk, US pharmaceutical manufacturer Merck and Netherlands-based shipping company TNT, were disrupted and the firms were asked to pay a ransom in the digital currency Bitcoin.
Ukraine was the worst hit in the latest attack, as several vital organisations in the country were affected, including its central bank, the capital Kiev’s main airport, metro services, the state power grid, aircraft manufacturer Antonov and the country’s postal services.
The Chernobyl nuclear power plant was also among the sites hit by the malicious virus. The staff at the plant had to monitor radiation levels manually as they were unable to access reports and metrics on their computers.
This attack comes barely two months after the massive WannaCry ransomware disruption infected more than 230,000 computer systems across the world.
The return of Petya?
Some experts believe that the new virus could be a variant of the Petya ransomware that came to light last year.
“The malware itself appears to be a straightforward ransomware program. Once infected, the virus encrypts each computer to a private key, rendering it unusable until the system is decrypted. The program then instructs the user to pay the $300 ransom to a static Bitcoin address, then email the bitcoin wallet and personal ID to the email address, which is now blocked,” said Becky Pinkard, Vice President, Service Delivery and Intelligence Operations, Digital Shadows.
“There is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilizes the #ETERNALBLUE SMBv1 worm functionality. More work is needed to investigate the way the virus propagates; in the meantime businesses are urged to ensure their software is up-to-date and all files backed up,” Pinkard said.
Cyber security firm FireEye said that, based on their initial analysis, the ransomware used in this campaign mimics Petya in some ways and the master boot record (MBR) reboot page is identical.
“However, there are some notable changes to include the propagation mechanism and an hour’s delay to encrypting files, which may be intended to allow propagation to occur. We believe that one infection vector used in this campaign was the M.E.Doc software, which is reportedly used for tax accounting purposes in Ukraine,” said John Miller, Senior Manager, Analysis, FireEye.
However, Kaspersky Lab has said that it believed the malware was a “new ransomware that has not been seen before” although it has several strings similar to Petya.
To pay or not to pay?
Media reports have suggested that many firms paid huge ransoms in the days following ransomware attacks in order to unlock their computers. South Korean web-hosting firm Nayana had agreed to pay $1 million after its computers were hacked by a virus named Erebus.
But experts advise that those affected should not pay the cyber criminals.
“Digital Shadows is warning businesses impacted by the latest ransomware attack Petya not to pay the $300 bitcoin fee as Posteo administrators have disconnected the email address associated with paying the ransomware to get unlock keys for impacted systems. It means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so,” said Pinkard.
Is Middle East safe?
Even though no reports of attacks have emerged, security experts have always said the countries in the Middle East are highly vulnerable to cyber-attacks and have asked them to step up measures to avoid such instances.
In the GCC alone, cyber-attacks are costing the economy an estimated $1bn annually, according to the ICS Cyber Security Forum.
According to findings from a 2016 PwC survey, cybercrime is the second most reported crime faced by businesses in the Middle East, affecting 30 per cent of organisations. This is higher than world trends; 42 per cent of respondents in the region said they had suffered high or medium level damage to their reputation as a result of cyber-attacks, compared to 30 per cent globally.
American software company Symantec’s latest report revealed that Saudi Arabia was the most targeted country in the Middle East and Africa, followed by the UAE, for ransomware attacks. The kingdom ranked 20th in the Symantec – Internet Security Threat survey, while the UAE came in at the 26th spot globally.
Furthermore, credentials of 20,000 GCC employees were compromised and leaked online last year.
Kaspersky Lab has asked companies to update their Windows software. Windows XP and Windows 7 users can protect themselves by installing the MS17-010 security patch.