Mere weeks after the WannaCry ransomware outbreak, a new fast-spreading ransomware attack using the same exploits is causing fresh damage in Australia, Europe and the US.
The Petya ransomware attack has reportedly affected local arms of international companies including law firm DLA Piper and Cadbury’s brand owner Mondelez.
Internationally the attack has reportedly hit more than 2000 targets, including Ukraine’s government, National Bank and biggest power companies, pharmaceutical giant Merck and Danish transport and energy company Maersk.
“This malware appears to have been targeted to Ukraine infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports and aircraft manufacturers,” Ivanti CISO Phil Richards said.
“Since the initial infection it has spread to other markets, and beyond the Ukraine borders.”
The new strain is a variant of the Petya ransomware that began circulating in 2016. The latest variant is also being called NotPetya, GoldenEye and Petwrap.
Multiple security companies have confirmed that the ransomware uses the same EternalBlue exploit as last month’s WannaCry attack. The EternalBlue exploit was discovered by the US NSA and leaked by the hacking team known as the Shadow Brokers in April.
It exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol that had been patched in a security update issued two months earlier, and was addressed in the patches Microsoft pushed out for discontinued versions of Windows in the wake of the attack.
LogRhythm Vice President and Managing Director for International Markets Ross Brewer said the fact that the attack exploited a known and addressed vulnerability demonstrates the lack of accountability and focus on basic IT and security fundamentals within the industry.
“Core IT operational competencies, such as patch management, backups, disaster recovery and incident response are not well implemented or maintained. These are absolutely essential in protecting your company from damaging cyber threats and without them you are left in a perpetually vulnerable state, a sitting duck for these types of attacks, merely hoping that you aren’t compromised,” he said.
The ransomware’s creators have meanwhile attempted to compensate for the fact that the WannaCry outbreak prompted many to install the newest Windows patches. McAfee notes that the malware also attempts to copy itself to a remote machine’s ADMIN$ folder and to start a malicious executable using a remote call. It also attempts to use the Windows Management Instrumentation Command-line (WMIC) to execute the ransomware directly on the remote machine.
In a blog post, Symantec’s security response team said Petya differs from typical ransomware in that it doesn’t simply encrypt files, it also overwrites and encrypts the master boot record. A ransom note is then displayed demanding US$300 ($394) in bitcoins.
The note also demands that victims send their bitcoin wallet IDs and personal installation keys to an email address. This address has now been shut down by email host Posteo, leaving no way to verify payment.
Unlike some other ransomware variants, Petya generates a single AES-128 key when the ransomware initialises and uses it to encrypt the files. A notable difference between Petya and WannaCry is that Petya seems to be engineered to attack targets more selectively.
“Based on initial analysis by CyberArk Labs, what we know now is that [Petya] is different from WannaCry in that it appears to be sparing endpoints that use a US English-only keyboard. This seemingly self-imposed restriction has been seen in nation state attacks,” CyberArk Labs Senior Director of Cyber Research Kobi Ben Naim said.
“Like WannaCry, any individual and organisation with an unpatched Microsoft system remains vulnerable to the worm. However, the organisation would only be protected from the attack method. Our research shows that [Petya] requires administrative rights to execute. So if a user clicks on a phishing link, the ransomware will still infect the network.”
Malwarebytes Regional Director Jim Cook said the attack has the potential to do significant damage to unpatched systems and urged companies to apply the Microsoft EternalBlue security update immediately.
“If you are running unpatched systems with Admin privileges this malware has the ability to spread inside your network using the in-built PSExec utility, which our research team say makes its ability to damage businesses significant,” he said.
“If the Shadow Brokers keeps its promise to continue releasing NSA exploits it seems that this sort of mass infection will become common — so now is the time to ensure you have a decent backup system, patch process and a current endpoint security solution in place.”
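The lateral-movement behaviour described by McAfee and Malwarebytes above (a copy to a remote machine's ADMIN$ share, then execution via WMIC or PsExec) gives defenders something concrete to correlate. As an added example that is not from the article or any vendor quoted in it, the Python below flags a process-creation event that launches a WMIC "process call create" or PsExec within a short window of a write to ADMIN$ on the same host; the simplified key=value log format, host names and payload path are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified renderings of Windows Security events 5145 (share
# object access) and 4688 (process creation). Not real telemetry.
SAMPLE_EVENTS = r"""
2017-06-27T10:01:02 id=5145 host=ws12 src=10.0.0.5 share=\\*\ADMIN$ access=WriteData user=CORP\svc_admin
2017-06-27T10:01:09 id=4688 host=ws12 user=CORP\svc_admin cmd="wmic.exe /node:ws12 process call create C:\Windows\EXAMPLE_PAYLOAD.exe"
2017-06-27T10:40:00 id=5145 host=ws07 src=10.0.0.9 share=\\*\IPC$ access=ReadData user=CORP\alice
2017-06-27T10:41:00 id=4688 host=ws07 user=CORP\alice cmd="wmic.exe process call create C:\Windows\EXAMPLE_PAYLOAD.exe"
2017-06-27T11:15:00 id=4688 host=ws12 user=CORP\svc_admin cmd="notepad.exe notes.txt"
"""

# key=value pairs; a value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ADMIN_SHARE_RE = re.compile(r'\\ADMIN\$$')
# remote execution via WMIC "process call create" or the PsExec service binary
REMOTE_EXEC_RE = re.compile(r'\b(wmic(\.exe)?\b.*\bprocess\s+call\s+create|psexe(c|svc))', re.I)


def parse_event(line):
    """Split a constructed log line into a dict of fields plus a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_lateral_movement(lines, window=timedelta(minutes=5)):
    """Return (host, user, timestamp) for every 4688 that launches WMIC
    'process call create' or PsExec within `window` after a WriteData access
    to ADMIN$ on the same host. A lone WMIC call with no preceding ADMIN$
    write (ws07 in the sample) is not reported, which keeps admin use quiet."""
    events = [parse_event(l) for l in lines if l.strip()]
    staged = [e for e in events if e["id"] == "5145"
              and ADMIN_SHARE_RE.search(e.get("share", ""))
              and e.get("access") == "WriteData"]
    hits = []
    for e in events:
        if e["id"] != "4688" or not REMOTE_EXEC_RE.search(e.get("cmd", "")):
            continue
        if any(s["host"] == e["host"]
               and timedelta(0) <= (e["ts"] - s["ts"]) <= window for s in staged):
            hits.append((e["host"], e["user"], e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    for hit in detect_lateral_movement(SAMPLE_EVENTS.splitlines()):
        print("possible admin-share lateral movement:", hit)
```

Running it reports only the ws12 pair; extending the window or adding SMB session (4624 type 3) context is the natural next step for real telemetry.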
Tenable Network Security Technical Director Gavin Millard agreed. “The publicity around WannaCry couldn’t have been larger, probably eclipsing Heartbleed, yet if this is the same attack vector, it demonstrates a distinct lack of taking threats like this seriously,” he said.
The Australian government is monitoring the situation closely with its Five Eyes partners, according to Minister Assisting the Prime Minister for Cyber Security Dan Tehan. He said the attack should serve as a wake-up call for small businesses to regularly back up their data and install the latest security patches.
The Australian Cyber Security Centre is meanwhile urging Australian victims not to pay the ransom, because with the contact email address disabled files are highly unlikely to be recovered this way. Large companies have also been asked to report attacks to the ACSC, and small businesses can contact the Australian Cybercrime Online Reporting Network (ACORN).