Petya Cyber Attack Update

Uploaded on 2017-06-30 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Victims of a major ransomware cyberattack that has spread through the US and Europe can no longer unlock their computers even if they pay the ransom.

The “Petya” ransomware has caused serious disruption at large firms including the advertising giant WPP, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft.

Infected computers display a message demanding a Bitcoin ransom worth $300. Those who pay are asked to send confirmation of payment to an email address. However, that email address has been shut down by the email provider. 
The attack was first reported in Ukraine, where the government, banks, state power utility and Kiev’s airport and metro system were all affected. The radiation monitoring system at Chernobyl was taken offline, forcing employees to use hand-held counters to measure levels at the former nuclear plant’s exclusion zone.

The food giant Mondelez, legal firm DLA Piper, Danish shipping and transport giant AP Moller-Maersk and Heritage Valley Health System, which runs hospitals and care facilities in Pittsburgh, also said their systems had been hit by the malware.
Some technology experts said the attack appeared consistent with an “updated variant” of a virus known as Petya or Petrwrap, a ransomware that locks computer files and forces users to pay a designated sum to regain access. 
But analysts at cyber security firm Kaspersky Labs said they had traced the infections to “a new ransomware that has not been seen before”. The “NotPetya” attack had hit 2,000 users in Russia, Ukraine, Poland, France, Italy, the UK, Germany and the US, Kaspersky said.

Last month’s WannaCry or WannaCrypt ransomware attack affected more than 230,000 computers in over 150 countries, with the UK’s national health service, Spanish phone giant Telefónica and German state railways among those hardest hit.
Symantec cyber security experts said they had confirmed the ransomware in the current attack was using the same exploit – a program that takes advantage of a software vulnerability - as WannaCry.

The exploit, called EternalBlue, was leaked by the Shadow Brokers hacker group in April and is thought to have been developed by the US National Security Agency.

To spread within companies that installed the patch to protect themselves against WannaCry, the Petya ransomware appears to have two other ways of spreading rapidly within an organisation, by targeting the network’s administrator tools. 
It’s not yet clear how computers became infected with the ransomware in the first place, but it doesn’t seem to be through email as happened with WannaCry, said Kalember.

Pictures circulating on social media recently on screens purportedly affected by the attack showed a message stating, “Your files are no longer accessible because they have been encrypted,” and demanding a $300 ransom in the Bitcoin digital currency.

The growing fight against cyber-attacks has seen protection spending surge around the world, with the global cyber security market estimated to be worth some £94bn ($120bn) this year, more than 30 times its size just over a decade ago.
This new attack identified as a variant of Petya (or more accurately, NotPetya) has continued to leverage these and other weaknesses to wreak havoc on computer systems worldwide. The infection has now spread to 60 countries and continues to actively search for more victims.
 
Very much like WannaCry, Petya encrypts the victim’s hard drive and ostensibly demands a ransom of US$300 to be paid in the virtual currency bitcoin. 

However, Petya is proving to be more sophisticated than WannaCry in terms of scope, ability to be neutralised, and apparently, the motivation behind its launch. Notably, this attack spread rapidly within organisations in part by using common IT administrator tools, which are not recognized as malware by traditional security defenses. It may have also leveraged an intrusion at a third-party software vendor. Techniques like these, historically seen in targeted intrusions, are now moving into the mainstream. 
 
Additionally, not only is there is no effective “kill switch” for Petya, the potential to recover data by paying the ransom has been compromised as well. The low dollar amount of the initial ransom combined with the cyber criminal’s current inability to be contacted has fueled speculation over the actual purpose of the attack. Regardless of whether Petya was launched for financial gain, or for political reasons as yet obscure, the end result is that unless an independent “cure” can be found, encrypted data can only be retrieved from a backup copy.
 
Security experts at Kroll suggest the following actions:

  •  Obsolete versions of Microsoft Windows continue to be particularly vulnerable. As we have seen with Petya, lightning can strike twice … or even three or four times. Don’t tempt fate. Unless you have a very specific reason for not doing so, take immediate steps today to move to updated and supported operating systems. If you cannot eliminate outdated, unpatched systems, consider segmenting your network to reduce the attack surface.
  •  Technically, an interesting development is that Petya propagated within organizations using two common Windows administrative tools, Windows Management Instrumentation Command-line (WMIC) and PsExec. While the use of these and other “non-malicious” tools by intruders to quietly move within networks is not new, their use in such a widespread and automated attack is novel. This knowledge underscores the value of implementing modern threat detection and response solutions, and leveraging trained staff or trusted external partners to more rapidly identify and contain this type of attack.
  • Organisations should recognise the very real risk posed by third parties, such as vendors, service providers, etc. At a minimum, review all your vendor risk management processes and institute controls that mitigate potential vulnerabilities. 
  • We cannot emphasise enough the need for backup and recovery plans that are designed with your specific business continuity needs in mind. Ensure that critical data and programs are backed up in a way that will enable recovery in the face of many types of cyber-attacks. 
  •  Finally, consider acquiring cyber insurance policies to mitigate potential losses.

Please Contact Cyber Security Intelligence for more information and a recommended Cyber Insurance Policy for your organisation.

Guardian:

You Might Also Read:

Petya Cyber Attack Hits EU & US:

Petya: The Latest  Global Ransomware Incident:

 

« How A Nation Became Russia's Cyberwar Experiment
Urgent: Investment In NHS Cybersecurity »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

SCADAhacker

SCADAhacker

SCADAhacker provides mission critical information relating to industrial security of SCADA, DCS and other Industrial Control Systems.

SSLGURU

SSLGURU

SSLGURU bring all of the major SSL certificate vendors to one market place in order to create the world's largest SSL store with the most competitive prices.

Logicalis

Logicalis

Logicalis are a leading provider of global IT solutions and managed services.

Securi-Tay

Securi-Tay

Securi-Tay is an information Security conference held by the Ethical Hacking Society at Abertay University, Dundee.

Gospel Technology

Gospel Technology

Gospel presents a totally new way of accessing and controlling data which is enterprise grade scalable, highly resilient, and secure.

Perseus Cyber Security

Perseus Cyber Security

Perseus provides all-around digital protection for small and medium-sized businesses through state-of-the-art software solutions, flexible online training and emergency response.

Ashley Page

Ashley Page

Ashley Page offer a unique cyber insurance and risk management solution - Cyber+Insure.

Anitian

Anitian

The Anitian Compliance Automation platform builds, configures, and monitors cloud environments to accelerate compliance for standards such as FedRAMP, PCI, ISO/GDPR and CJIS.

Sectra Communications

Sectra Communications

Sectra successfully develops and sells cutting-edge solutions in the expanding niche segments of medical IT and cybersecurity.

oneclick

oneclick

oneclick is a central access and distribution platform in the cloud, enabling the management of the entire technology stack for application provisioning.

3Lines Venture Capital

3Lines Venture Capital

3Lines Venture Capital invests in exceptional founders and startups working on broad disruptive themes of Future of Work, AI enabled enterprises, and Industry 4.0.

Appsian Security

Appsian Security

Appsian provides powerful solutions that help organizations take control of their business critical data and financial transactions.

Timus Networks

Timus Networks

Timus Networks enables today's work from anywhere organizations to secure their networks very easily and cost effectively.

One82

One82

Serving emerging small and medium-sized businesses in California and neighboring regions for over 20 years, One82 has established itself as the most dependable provider of IT support services.

Siren

Siren

Siren provides the leading Investigative Intelligence Platform to some of the world’s leading Law Enforcement, National Security and Cyber threat investigators.

HTX (Home Team Science & Technology Agency)

HTX (Home Team Science & Technology Agency)

HTX brings together science and engineering capabilities to transform the homeland security landscape and keep Singapore safe.