Worldwide ransomware attack - money or destruction?

3rd July 2017
Anna Flockett

Many organisations in Europe and the US have been hit this week by the ransomware attack now known as ‘Petya’. The malicious software has spread through large firms and PCs, locking up data and holding it for ransom. Kaspersky Labs has reported that as many as 60% of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else.

The hack’s reach touched some of the country’s most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.

The main aim of the attack was to make money, and it is not the first such attack we have seen this year. Back in May, the UK’s NHS was among the big organisations infected by WannaCry, which affected more than 230,000 computers in over 150 countries.

Ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for the digital key needed to unlock them. Victims who do not have a recent back-up of their files will usually lose all of them unless they pay the ransom.

In the case of ‘Petya’, the ransomware has taken over computers and demanded $300 paid in Bitcoin. The malicious software spreads rapidly by using the EternalBlue exploit against a vulnerability in Microsoft Windows, travelling across an organisation once a single computer is infected. Microsoft has released a patch, but not everyone will have installed it.

The malware tries one option and, if it doesn’t work, it tries the next one. “It has a better mechanism for spreading itself than WannaCry,” said Ryan Kalember, of cyber security company Proofpoint.

Chris Wysopal, co-founder and CTO at Veracode, expressed his thoughts on the situation:

“The ransomware is definitely spreading via EternalBlue exploit just like WannaCry. People have found the code in the malware and have seen the EternalBlue exploit traffic on the network. There are additional spreading vectors that use harvested credentials from machines compromised with EternalBlue. These are used to connect to and run the malware on fully patched machines.

“The easiest and best way to prevent the EternalBlue exploit from working is to run Windows Update. Because the WannaCry kill switch worked, the pain stopped, and many orgs did not complete patching their Windows. This shows the day-to-day fire drill that many IT teams work under and the reality that patching in many organisations is hard. Once they heard that WannaCry was stopped they moved on to other more pressing work.

“This attack seems to be hitting large industrial companies like Maersk shipping company and Rosneft oil company. These organisations typically have a challenge patching all of their machines because so many systems cannot afford to have any down time. Airports and hospitals also have this challenge.

“This attack has similar characteristics to Petya, but I believe Kaspersky is right that it is not in fact Petya and is completely new. Upon initial submission of this ransomware to VirusTotal only two anti-virus vendors were able to detect it, and so it is likely that many systems are defenceless. This shows how easy it is for malware writers to bypass endpoint security by modifying any code they are reusing.

“After many organisations updated their products to detect WannaCry, many organisations may have had a false sense of security, thinking that those updates would prevent all related attacks in the future. This is obviously an assumption that businesses cannot afford to make.

“There are reports that there is an additional spreading mechanism that uses the stolen credentials from compromised machines to spread to even patched machines. If this is true it will mean that organisations with just a few unpatched machines could still have a massive ransomware issue across their whole Windows infrastructure.”

© Copyright 2023 Electronic Specifier