Do not succumb to Petya ransomware

Following the WannaCry outbreak last month, a new ransomware attack has surfaced and is spreading across the world at an alarming rate.

Originating from Ukraine, the cyberattack is currently impacting a wide range of industries and organizations, including critical infrastructure such as energy, banking and transportation systems. Reported victims so far include Ukrainian infrastructure such as power companies, airports, public transit and the central bank, as well as the Danish shipping company Maersk, the pharmaceutical company Merck, the Russian oil company Rosneft, and institutions in India, Spain, France, the United Kingdom and more.

“This new outbreak once again highlights the disruptive power of ransomware like never before,” said Steven Malone, director of security product management at Mimecast. “By encrypting and blocking access to files, critical national services and valuable business data can be damaged.”

According to Acronis, the ransomware first reboots the computer and then encrypts the hard drive’s Master File Table (MFT), which renders the Master Boot Record (MBR) inoperable. From this point on, it restricts access to the system by withholding the information about file names, sizes and locations on the physical disk. Finally, it replaces the computer’s MBR with its own code, which displays the ransom note once the system is powered up.

Petya vs WannaCry?

The malware is believed to be a version of Petya which security researchers are calling “NotPetya”. Although it is similar to Petya, it is different enough to qualify as a new strain of the Petya ransomware, also known as GoldenEye.

According to Symantec, Petya is similar to WannaCry in two aspects. Firstly, it is a ransomware attack that locks up files and secondly, it uses the ETERNALBLUE (MS17-010) Windows vulnerability as an infection vector to spread inside networks.

In terms of differences, Petya goes beyond just locking up files: it renders the victim’s whole system inoperable. Furthermore, Petya includes other infection methods. Aside from email, it can also spread through networks via mechanisms like PsExec, which lets users execute processes on other systems without manually installing client software, and Windows Management Instrumentation (WMI).

Cisco reports that this ransomware does not appear to contain the errors that hindered WannaCry’s spread. Specifically, it does not appear to have a kill-switch function. It is also harder to detect, since it moves laterally within a network rather than scanning across the internet as WannaCry did.

How was it introduced and propagated?

Cisco’s security research organization Talos’ initial analysis points to the attack starting in Ukraine, possibly from software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc themselves. MeDoc is tax software widely used by many organizations in or doing business with Ukraine.

Once the ransomware enters a system, it uses three methods to spread automatically around the network, one of which is the known EternalBlue vulnerability, similar to how WannaCry’s attack unfolded.

“Because data is the new oil in the digital economy, ransomware attacks that restrict access to important data until the attacker is paid are becoming increasingly common,” says Jason Hart, Gemalto’s Chief Technology Officer for data protection solutions.

Security strategies

Security specialists have shared some tips on how you can protect yourself and your organization:

Keep your software up-to-date

The attack searches for and exploits a vulnerability in Microsoft Windows operating systems. Computers that do not have the latest Windows security updates applied are at risk of infection. Ensure that your systems have the latest patches, including the one in Microsoft security bulletin MS17-010.
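The following PowerShell script is an added example, not part of the original article or any vendor tooling: it reports whether the MS17-010 fix is present on one or more Windows hosts. The KB identifiers in the list are an assumption drawn from the MS17-010 bulletin and should be verified there for each OS version; remote hosts need RPC/WinRM reachability.

```powershell
# Added example: report MS17-010 patch status for a list of Windows hosts.
# Assumption: $Ms17010Kbs holds the per-OS KB numbers from the MS17-010 bulletin;
# verify the list against the bulletin before relying on it.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$Ms17010Kbs = @(
        'KB4012212', 'KB4012213', 'KB4012214', 'KB4012215', 'KB4012216',
        'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
    )
)

foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix lists installed updates (Win32_QuickFixEngineering) on the target.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
    } catch {
        [pscustomobject]@{
            Computer = $computer
            Status   = 'UNREACHABLE'
            Detail   = $_.Exception.Message
        }
        continue
    }

    $found = $installed | Where-Object { $Ms17010Kbs -contains $_ }

    # Later cumulative updates supersede these KBs, so a miss here is a prompt
    # to check the OS build against the bulletin, not proof the host is vulnerable.
    [pscustomobject]@{
        Computer = $computer
        Status   = if ($found) { 'PATCHED' } else { 'CHECK' }
        Detail   = if ($found) { ($found -join ',') }
                   else { 'No MS17-010 KB found; verify build and cumulative updates' }
    }
}
```

Run it as `.\Check-Ms17010.ps1 -ComputerName host1,host2` from an account with administrative rights on the targets; pipe the output to `Export-Csv` to keep a record of which hosts still need attention.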

Use security software

Employ a security solution to do the monitoring and protecting for you. Run anti-malware software on your system and ensure that you regularly receive malware signature updates. An effective patch management solution can deploy security updates to endpoints and other critical parts of your infrastructure in a timely manner.

Don’t execute unknown email attachments

Email is one of the main infection methods. Be wary of unexpected emails, especially those containing links and/or attachments, and be especially wary of a Microsoft Office attachment that asks you to enable macros to view its content. Do not execute attachments from unknown sources. Unless you are absolutely sure that the email is genuine and from a trusted source, do not enable macros; instead, delete the email immediately.

Back up your files

Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. Keep that backup offline so that it remains inaccessible to attackers.

Don’t pay the ransom

You may not get your files back even if you pay the ransom. Additionally, attackers might target you for future attacks, knowing that you would pay. Digital Shadows is warning affected businesses not to pay the $300 bitcoin fee, as Posteo administrators have disconnected the email address associated with the ransomware payment. This means that the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to, and hence will not release the keys for the encrypted files.