Shane Chambers

Back in May, the world saw a global ransomware attack on a then-unprecedented scale: WannaCry. The attack affected more than 230,000 computers in more than 150 countries and is estimated to have cost businesses up to $4 billion. To say that businesses were caught off-guard is an understatement. The malware exploited a vulnerability in the long-obsolete Windows Server Message Block (SMB) v1 protocol for which Microsoft had already shipped a fix (MS17-010) two months earlier, so only machines with out-of-date Windows security patches were exposed. Early reports blamed phishing emails, but WannaCry needed no human error at all: it scanned for machines exposing SMB to the internet and, once inside a network, spread like wildfire to every other reachable machine still running unpatched SMBv1.

This week, however, reports came in from Ukraine and across Europe that a new mass ransomware attack was underway. Initially theorised to be a variant of WannaCry, the malware is now believed by security experts to be a variant of Petya, a strain first seen in 2016 that was then predicted to be “the next step in ransomware evolution”.

Oops, your important files are encrypted. There is currently no known way to recover files affected by Petya.

Ukraine, Russia and the surrounding region have been hit hardest by this new Petya strain, but it has also crippled multinationals such as shipping giant Maersk, law firm DLA Piper and advertising group WPP. Despite that initial concentration in Eastern Europe, Petya has been found on computers in more than 65 countries, including the US, UK and Ireland. More than 12,000 machines have been held to ransom, and their owners currently have no means of retrieving their files.

Unlike WannaCry, which handled payment checking and decryption from inside the malware itself, Petya directs all payments to a single Bitcoin wallet and then requires each victim to email their wallet ID and “personal installation key” to a single address in order to receive a decryption key. That address was hosted by German provider Posteo, which shut the account down as soon as the attack was discovered. This is normal procedure for an email provider, since the account was being used for clear abuse in violation of its terms of service, but it leaves victims with no way to contact the criminals and therefore no way to retrieve their files, even if they pay.

The fact that the sole payment method for Petya was so easily shut down has prompted experts to believe that this attack may not have been intended to make money at all, but instead cause disruption to key businesses. Security researcher Nicholas Weaver told cybersecurity blog Krebs on Security that Petya was a “deliberate, malicious, destructive attack or perhaps a test disguised as ransomware”. Another security researcher, known pseudonymously as Grugq, noted that while the original Petya “was a criminal enterprise for making money”, this new variant “is definitely not designed to make money”.

In fact, this Petya attack has been so destructive that Stu Sjouwerman, CEO of leading security training firm KnowBe4, has described it as “cyber warfare”, stating that cyber security and IT professionals have found themselves “on the front line of 21st century cyber war”. He also went on to say that “Cyber security has moved from Tech to a CEO and Board-level business issue”.

So how is this new variant different from the original Petya? Experts have taken to calling the attack “NotPetya”, along with other tongue-in-cheek names such as “Petna”, because of the differences between the two. This variant is nasty. Like the original Petya, it overwrites the Master Boot Record and encrypts the Master File Table (MFT), so the PC cannot boot at all, regardless of which individual files it has also encrypted. But it is the way it spreads that experts believe makes it deadlier than WannaCry.

While WannaCry relied almost entirely on the SMBv1 vulnerability to move between machines, Petya uses that same exploit and adds further tools for crossing a network at speed. According to cybersecurity researcher and former NSA analyst David Kennedy, the 2017 strain searches each infected computer for passwords it can use to reach other systems, extracting credentials from the memory of the Local Security Authority process (LSASS) with a Mimikatz-style tool and from the Windows credential store. Armed with those credentials, it copies itself to other machines and executes the copy through PsExec, the legitimate Sysinternals remote-administration tool, wherever the stolen account has administrator rights on the target. It uses Windows Management Instrumentation (WMI) to the same end. Because these methods rely on valid credentials and built-in administration tools rather than a software flaw, Petya can infect even Windows PCs that have the latest security patches installed: it only needs one vulnerable machine to get inside the network.

“This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched,” according to ESET researcher Robert Lipovsky. “It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.”
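As an added example (not code from the original post or from any of the researchers quoted in it), the following PowerShell script looks for the spreading techniques just described in Windows event records: credential theft from LSASS memory, PsExec service installation, remote process creation through WMI, and payload staging on the ADMIN$ share that PsExec writes to. The event records are constructed inline so the script runs offline; the hostnames, addresses and file names in them are made up. Property names (LogName, Id, MachineName, Message) match what Get-WinEvent returns, so the same function can be fed real logs. It assumes process command-line auditing (event 4688), file share auditing (event 5145) and Sysmon (event 10) are enabled; without them those rules simply never fire.

```powershell
# Added example: detect Petya-style lateral movement in Windows event records.
# Not part of the original post. The sample events below are constructed.

function Find-PetyaLateralMovement {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][object[]]$Record)

    begin {
        # Processes that legitimately open LSASS; anything else reading LSASS
        # memory is treated as credential theft (extend for your EDR/AV agents).
        $lsassAllowed = @('svchost.exe', 'csrss.exe', 'wininit.exe', 'lsm.exe', 'MsMpEng.exe')
    }

    process {
        foreach ($e in $Record) {
            $indicator = $null
            $m = [string]$e.Message

            if ($e.LogName -eq 'System' -and $e.Id -eq 7045 -and
                $m -match 'Service Name:\s*PSEXESVC') {
                # PsExec installs the PSEXESVC service on the target before running the payload
                $indicator = 'PsExec service installed'
            }
            elseif ($e.LogName -eq 'Security' -and $e.Id -eq 4688 -and
                    $m -match '\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create') {
                # wmic /node:<host> /user:<acct> /password:<pw> process call create "<payload>"
                $indicator = 'Remote WMI process creation with explicit credentials'
            }
            elseif ($e.LogName -eq 'Security' -and $e.Id -eq 5145 -and
                    $m -match 'Share Name:\s*\\\\\*\\ADMIN\$' -and
                    $m -match 'Accesses:.*WriteData') {
                # Writing into ADMIN$ (C:\Windows) is how PsExec stages its service binary and payload
                $indicator = 'File written to ADMIN$ share'
            }
            elseif ($e.LogName -eq 'Microsoft-Windows-Sysmon/Operational' -and $e.Id -eq 10 -and
                    $m -match 'TargetImage:\s*\S*\\lsass\.exe' -and
                    $m -match 'SourceImage:\s*(\S+)') {
                # Sysmon ProcessAccess: a process opened a handle to LSASS, which is
                # how Mimikatz-style tools read credentials out of memory
                $source = Split-Path -Path $Matches[1] -Leaf
                if ($lsassAllowed -notcontains $source) {
                    $indicator = "Non-system process opened LSASS memory ($source)"
                }
            }

            if ($indicator) {
                [pscustomobject]@{
                    Computer  = $e.MachineName
                    Log       = $e.LogName
                    Id        = $e.Id
                    Indicator = $indicator
                }
            }
        }
    }
}

# Constructed sample records (hostnames, addresses and file names are made up)
$SampleEvents = @(
    [pscustomobject]@{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; MachineName = 'WS-017'
        Message = "Process accessed:`r`nSourceImage: C:\Windows\Temp\dump.exe`r`nTargetImage: C:\Windows\system32\lsass.exe`r`nGrantedAccess: 0x1010`r`n"
    }
    [pscustomobject]@{
        LogName = 'Security'; Id = 4688; MachineName = 'WS-017'
        Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\wbem\WMIC.exe`r`nProcess Command Line: wmic /node:`"10.0.8.23`" /user:`"CORP\admin`" /password:`"<redacted>`" process call create `"C:\Windows\Temp\payload.exe`"`r`n"
    }
    [pscustomobject]@{
        LogName = 'Security'; Id = 5145; MachineName = 'WS-023'
        Message = "A network share object was checked to see whether client can be granted desired access.`r`nAccount Name: admin`r`nSource Address: 10.0.8.17`r`nShare Name: \\*\ADMIN`$`r`nRelative Target Name: PSEXESVC.exe`r`nAccesses: WriteData (or AddFile)`r`n"
    }
    [pscustomobject]@{
        LogName = 'System'; Id = 7045; MachineName = 'WS-023'
        Message = "A service was installed in the system.`r`nService Name: PSEXESVC`r`nService File Name: %SystemRoot%\PSEXESVC.exe`r`nService Type: user mode service`r`n"
    }
    [pscustomobject]@{   # benign record: must not be flagged
        LogName = 'Security'; Id = 4688; MachineName = 'WS-017'
        Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\notepad.exe`r`nProcess Command Line: notepad.exe report.txt`r`n"
    }
)

$SampleEvents | Find-PetyaLateralMovement | Format-Table -AutoSize

# Against a live host, for example:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } | Find-PetyaLateralMovement
```

Run against the sample, the function reports four indicators (the LSASS access on WS-017, the WMI call from WS-017, and the ADMIN$ write followed by the PSEXESVC install on WS-023) and ignores the notepad record. The useful signal is the sequence: an LSASS read on one workstation followed minutes later by ADMIN$ writes and PSEXESVC installs on its neighbours is the spreading pattern the article describes, and a single PSEXESVC event in isolation may just be an administrator at work.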

Companies are scrambling to bring their cyber security up to scratch in the wake of the second global cyber attack in 2 months.

So what can businesses do to protect against such a virulent strain of ransomware? We recommend the following steps for any organisation that needs to keep its data safe from a cyber attack:

  • Back up your important data and test your backups regularly. Keep at least one copy offline or otherwise out of reach of the network, because ransomware that spreads with administrator credentials can encrypt a connected backup share just as easily as a workstation. A restorable backup means you never have to pay a ransom, and, as Petya shows, paying may not get your files back anyway.
  • Next-generation antivirus. Use software that pulls the latest definitions from the cloud and can block threats as fast as they appear, but do not rely on it alone: this variant spreads using legitimate tools (PsExec, WMI) and valid credentials that signature-based detection does not see.
  • Security awareness training and testing. Teach your staff how to recognise the phishing emails that ransomware is most commonly delivered through, and test them with simulated phishing so they stay on their toes.
  • Disable out-of-date protocols such as Windows SMB v1, and grant administrator access only to users who strictly need it. Because Petya reuses whatever credentials it harvests, avoid sharing one local administrator password across many machines, and do not let domain administrators log on to ordinary workstations, where their credentials sit in memory ready to be stolen.
  • Keep your security patches up to date and review patch status regularly. It only takes one unpatched machine for Petya to get inside a network.
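To turn the list above into a check a practitioner can actually run, here is an added PowerShell script (not from the original post) that audits a single Windows host for the conditions Petya and WannaCry relied on and optionally fixes the ones that can be changed in place: SMBv1 enabled, no Windows update installed since the MS17-010 patch of March 2017, an oversized local Administrators group, and LSASS credential memory left unprotected. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1 (for Get-SmbServerConfiguration and Get-LocalGroupMember) and must be run from an elevated prompt. The update-date test and the two-member admin threshold are assumptions of the example, not rules from the article: the date is a heuristic, not a substitute for checking the MS17-010 KB for your exact OS build.

```powershell
# Added example: audit (and optionally fix) a Windows host for the weaknesses
# Petya and WannaCry exploit. Not part of the original post. Run elevated.

function Get-RansomwareExposure {
    [CmdletBinding()]
    param(
        [switch]$Fix,               # apply remediations instead of only reporting
        [int]$MaxLocalAdmins = 2    # assumed policy: built-in Administrator plus one break-glass account
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. SMBv1 server: the protocol both WannaCry and Petya exploit over TCP 445.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings.Add('SMBv1 server protocol is enabled')
        if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }

    # 2. SMBv1 client/feature package (removal takes effect after a reboot).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings.Add('SMB1Protocol optional feature is installed')
        if ($Fix) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    }

    # 3. Patch level (heuristic): MS17-010 was released on 14 March 2017 and is
    #    rolled into every later cumulative update, so a host with no update
    #    installed since then is certainly exposed. A later date is necessary
    #    but not sufficient; confirm the exact KB for the OS build if in doubt.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest -or $latest.InstalledOn -lt [datetime]'2017-03-14') {
        $when = if ($latest) { $latest.InstalledOn.ToShortDateString() } else { 'never' }
        $findings.Add("No Windows update installed since MS17-010 (latest: $when)")
    }

    # 4. Local administrators: Petya reuses whatever admin credential it steals,
    #    so every extra member here (and every password shared across hosts) widens the blast radius.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    if ($admins.Count -gt $MaxLocalAdmins) {
        $findings.Add("Administrators group has $($admins.Count) members: $($admins.Name -join ', ')")
    }

    # 5. LSA protection (RunAsPPL) makes LSASS a protected process, so Mimikatz-style
    #    tools cannot read credentials out of its memory without a kernel driver.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ppl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    if ($ppl -ne 1) {
        $findings.Add('LSA protection (RunAsPPL) is not enabled')
        if ($Fix) { Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord }   # effective after reboot
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Findings = $findings
        Exposed  = ($findings.Count -gt 0)
    }
}

Get-RansomwareExposure | Format-List     # report only
# Get-RansomwareExposure -Fix            # remediate, then reboot
```

Run it across a fleet with Invoke-Command or as a scheduled task and collect the Findings field centrally; a single host that still reports SMBv1 or a pre-March-2017 patch level is the "one unpatched computer" the ESET quote above warns about. Two things the script cannot do from inside one host are also worth doing: block inbound TCP 445 and 135 between ordinary workstations with the host firewall, which cuts off the PsExec and WMI hops the article describes, and give every machine a unique local administrator password so one harvested credential does not open the whole network.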

WannaCry and Petya have both taken the business world by storm, and cyber crime continues to cost billions globally. It is more crucial than ever to be vigilant online and to have proper security measures in place. Downtime can be critical and very expensive for a business, so if in doubt, seek advice from an expert: the cost of proper cyber security will be less than the cost of a cyber attack or the data breach that follows it.