Complex Made Simple

Petya ransomware attack: What not to do

A new ransomware named Petya hit high-profile targets in multiple countries, including the United States, on Tuesday (June 27).

The malware has been spreading around the world, mainly infecting businesses and government agencies in Ukraine and Russia, but there have been increasing reports of organisations in other countries being compromised, with reports filtering in from the US, UK, Germany, Switzerland and the Netherlands.

The attack appears to have been seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use, according to the Ukrainian Cyber Police. This explains why so many Ukrainian organizations were affected, including government, banks, state power utilities and Kiev’s airport and metro system.

It’s the second major global ransomware attack in the last two months. The WannaCry cyber attack in May affected more than 230,000 computers in over 150 countries, with the UK’s National Health Service, Spanish phone company Telefónica and German state railways among those hardest hit.

How does the Petya ransomware work?

The malware itself appears to be a straightforward ransomware program. Once a machine is infected, the malware encrypts its contents with a key held only by the attackers, rendering it unusable until it is decrypted. The program then instructs the user to pay a $300 ransom in bitcoin to a single hard-coded Bitcoin address, then email the sending wallet and a personal ID to a contact address, which has since been shut down by its provider.

While Petya has not infiltrated as many machines as WannaCry did in May, experts say it is more dangerous and has the potential to cause more damage.

Becky Pinkard, Vice President – Service Delivery and Intelligence Operations at the UK-based computer security service Digital Shadows, told AMEinfo: “Businesses impacted by the latest ransomware attack, Petya, must not pay the $300 bitcoin fee, as Posteo administrators have disconnected the email address associated with paying the ransomware to get unlock keys for impacted systems. It means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so.

“There is some confusion over the origins and nature of Petya, with some reports suggesting there are similarities to WannaCry and that it utilises the #ETERNALBLUE SMBv1 worm functionality. More work is needed to investigate the way the virus propagates; in the meantime businesses are urged to ensure their software is up-to-date and all files backed up.”
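The SMBv1 worm functionality mentioned above is what made WannaCry spread on its own, and the advice to keep software up to date boils down, on Windows, to two checks: is SMBv1 still enabled, and is the MS17-010 update installed. The script below is an added example written for this page (it is not code from the article, Digital Shadows or Microsoft) that performs both checks and offers a remediation function. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, and the KB list is an assumption taken from the MS17-010 bulletin for common Windows versions; verify it against the bulletin for the OS you are checking.

```powershell
# Added example, not from the article: check a Windows host for SMBv1 exposure and the
# MS17-010 update, then optionally disable SMBv1. Requires an elevated session on
# Windows 8.1 / Server 2012 R2 or later (Get-SmbServerConfiguration is not available on
# Windows 7 / Server 2008 R2).
# ASSUMPTION: the KB numbers below are taken from the MS17-010 bulletin for common Windows
# versions. Verify them for your OS, and note that later cumulative updates supersede these
# KBs without carrying their numbers, so "not found" is not proof of "unpatched".

$Ms17010Kbs = @(
    'KB4012598',  # Windows XP / Vista / Server 2003 / Server 2008 (out-of-band release)
    'KB4012212',  # Windows 7 SP1 / Server 2008 R2 (security-only)
    'KB4012215',  # Windows 7 SP1 / Server 2008 R2 (monthly rollup)
    'KB4012213',  # Windows 8.1 / Server 2012 R2 (security-only)
    'KB4012216',  # Windows 8.1 / Server 2012 R2 (monthly rollup)
    'KB4012214',  # Server 2012 (security-only)
    'KB4012217',  # Server 2012 (monthly rollup)
    'KB4012606',  # Windows 10 1507
    'KB4013198',  # Windows 10 1511
    'KB4013429'   # Windows 10 1607 / Server 2016
)

function Get-Smb1Status {
    # Server side: is the SMB1 protocol enabled on the file server service?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Optional Windows feature: is the SMB1 component installed at all?
    # (On Server SKUs this feature is exposed as the FS-SMB1 role feature instead,
    #  so the DISM query may fail; we report 'Unknown' rather than guess.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
    }
}

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates by KB id; match against the assumed MS17-010 list.
    $installed = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    [pscustomobject]@{
        Ms17010Found = ($installed.Count -gt 0)
        MatchingKbs  = @($installed | Select-Object -ExpandProperty HotFixID)
    }
}

function Disable-Smb1 {
    # Turn the protocol off on the server service and remove the optional component.
    # Removing the component needs a reboot to take effect.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Report
$smb   = Get-Smb1Status
$patch = Test-Ms17010Installed
Write-Host ("SMB1 server enabled : {0}" -f $smb.Smb1ServerEnabled)
Write-Host ("SMB1 feature state  : {0}" -f $smb.Smb1FeatureState)
Write-Host ("MS17-010 KB present : {0} {1}" -f $patch.Ms17010Found, ($patch.MatchingKbs -join ', '))

if ($smb.Smb1ServerEnabled) {
    Write-Warning "SMBv1 is enabled; if this host is unpatched it is reachable by ETERNALBLUE-style worms."
    # Uncomment to remediate on this host:
    # Disable-Smb1
}
```

Disabling SMBv1 is the durable fix because it removes the attack surface even on hosts that later miss a patch, but check first for legacy devices (old printers, NAS appliances) that still speak only SMBv1 and would lose access.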

How far has it spread?

The new cyber attack has caused serious disruption at large firms in Europe and the US, including the advertising firm WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft.

The food company Mondelez, legal firm DLA Piper, Danish shipping and transport firm AP Moller-Maersk and Heritage Valley Health System, which runs hospitals and care facilities in Pittsburgh, also said their systems had been hit by the malware.

Attack not financially successful

Many commentators think the attack originated with hackers in Russia, perhaps as an experiment that escaped early. On that reading it is not too surprising that Ukraine’s critical national infrastructure has been crippled while firms elsewhere in Europe have been hit in the crossfire.

Steven Malone, Director of Security Product Management at Mimecast, an international company specialising in cloud-based email management for Microsoft Exchange and Microsoft Office 365, commented: “The rapid pace of this new Petya ransomware attack points at another worm that can spread from computer to computer by itself.”

As with the early stages of the WannaCry outbreak, the bitcoin wallet associated with this ransomware is not seeing high volumes of payments. At the time of writing, only six people globally had paid the ransom, suggesting this will not be a financially successful attack.

Malone said: “A cyber resilience strategy that acknowledges that attacks are likely to continue and will sometimes be successful is required. Defence-in-depth security and continuity plans are needed to keep critical services running every time they are attacked.”

How can you stop it?

Malone advises organisations never to give in to the pressure to pay the ransom to regain access to their applications and data: there is no guarantee that paying will unlock files, and it further motivates and finances attackers to expand their ransomware campaigns.

He added: “This new outbreak once again highlights the disruptive power of ransomware like never before. Simply by encrypting and blocking access to files, critical national services and valuable business data can be damaged.”

Email has traditionally been the primary attack route for ransomware. Attackers often send Microsoft Office documents (Word, Excel and PowerPoint files) carrying malicious macros that download and install malware, as well as PDFs that carry embedded scripts or exploits. Clever social engineering tricks employees into enabling the macros, which delivers the ransomware payload.
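Because the macro sits inside the document rather than in its file name, a useful mail-gateway or endpoint check inspects the attachment’s structure. The script below is an added example written for this page (not code from the article or from Mimecast): Office Open XML files are zip containers, a macro-enabled document stores its VBA in a vbaProject.bin part and declares it in [Content_Types].xml, so renaming evil.docm to evil.docx does not hide it. It assumes Windows PowerShell 5.1 or PowerShell 7 with the .NET zip classes available; the sample document it scans is constructed inline. Legacy binary formats (.doc, .xls) and PDFs are not zips and need a different parser, which this example does not attempt.

```powershell
# Added example, not from the article: flag OOXML attachments that carry a VBA project,
# regardless of extension. Only zip-based Office formats are handled here.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OoxmlMacro {
    param([Parameter(Mandatory)][string]$Path)
    $reasons = @()
    $isOoxml = $false
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    } catch {
        # Not a zip container: could be a legacy OLE document, a PDF, or junk. Out of scope here.
        return [pscustomobject]@{ Path = $Path; IsOoxml = $false; HasMacro = $false; Reasons = @('not a zip container') }
    }
    try {
        $names   = @($zip.Entries | ForEach-Object { $_.FullName })
        $isOoxml = $names -contains '[Content_Types].xml'
        # 1. The VBA project part itself; the prefix depends on the application (word/, xl/, ppt/).
        $vba = @($names | Where-Object { $_ -match '^(word|xl|ppt)/vbaProject\.bin$' })
        if ($vba.Count -gt 0) { $reasons += "VBA part present: $($vba -join ', ')" }
        # 2. The content-types manifest declares a macro-enabled document or the VBA part.
        $ct = $zip.GetEntry('[Content_Types].xml')
        if ($ct) {
            $reader = New-Object System.IO.StreamReader($ct.Open())
            try { $ctXml = $reader.ReadToEnd() } finally { $reader.Dispose() }
            if ($ctXml -match 'application/vnd\.ms-office\.vbaProject' -or $ctXml -match '\.macroEnabled\.') {
                $reasons += 'content types declare a macro-enabled document'
            }
        }
    } finally { $zip.Dispose() }
    [pscustomobject]@{ Path = $Path; IsOoxml = $isOoxml; HasMacro = ($reasons.Count -gt 0); Reasons = $reasons }
}

# --- Constructed sample: "invoice.docx" whose insides are those of a macro-enabled document ---
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("macro-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$sample  = Join-Path $tmp 'invoice.docx'
$archive = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
try {
    $ctypes = '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">' +
              '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>' +
              '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>'
    $parts = @(
        @('[Content_Types].xml', $ctypes),
        @('word/document.xml',   '<w:document/>'),
        @('word/vbaProject.bin', 'placeholder-bytes-not-a-real-vba-project')
    )
    foreach ($pair in $parts) {
        $entry  = $archive.CreateEntry($pair[0])
        $writer = New-Object System.IO.StreamWriter($entry.Open())
        try { $writer.Write($pair[1]) } finally { $writer.Dispose() }
    }
} finally { $archive.Dispose() }

Test-OoxmlMacro -Path $sample | Format-List
Remove-Item -Recurse -Force $tmp
```

The constructed sample is flagged on both counts despite its harmless-looking .docx name. In a gateway this check would sit alongside, not replace, a policy of blocking macro-enabled formats from external senders, since the VBA part is the delivery vehicle the paragraph above describes.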

Preventive measures alone cannot keep up with the fast-evolving nature of ransomware attacks, and as this attack highlights, there are many ways for an infection to enter an organisation.

Malone said: “It’s vital you regularly backup critical data and ensure that ransomware cannot spread to backup files. Ransomware can take time to encrypt large volumes of files, particularly across a network share. It is imperative to ensure your back-up window is long enough to go back before any infection begins.”

Backup and recovery measures only work after an attack, and cost organisations in downtime and IT resources dealing with the attack and aftermath. Businesses must be able to continue to operate during the infection period and recover quickly once the infection has been removed.