Security Experts Say Impact Could Be Worse Than WannaCry
Several organizations in India, including the nation’s largest container port, Jawahar Lal Nehru Port Trust, or JNPT, were affected by the latest worldwide malware attack using an apparent Petya variant (see Teardown of ‘NotPetya’ Malware: Here’s What We Know).
“The shipping ministry has confirmed that one terminal at JNPT has been affected due to the attack at Maersk’s Hague office,” an official said. Copenhagen-based shipping giant Maersk reported it was affected globally by the supposed ransomware attack.
India’s Information Technology Minister Ravi Shankar Prasad says the government is taking steps to educate organizations about the risks. “We’ve sent out advisories. India is not much affected at this stage,” Prasad said.
The Goods and Services Tax Network, or GSTN, the IT backbone for tax reform set for a July 1 roll-out, said its systems were safe.
More Details to Come
Because Indian organizations are by nature reluctant to share details of attacks, cyber law expert Na. Vijayashankar says it’s far too early to assess the local impact.
Sumit Dhar, a senior security practitioner, notes: “I am sure there are more firms which have been impacted. It’s just that they haven’t come out in the open.”
Several companies in India on Wednesday reportedly asked their employees to delay their office logins. “They wanted to make sure that none of the systems were impacted. Since the ransomware has the capability to steal credentials from affected systems and spread, it’s better to be on the safer side,” a data scientist, who asked to remain anonymous, tells Information Security Media Group.
As of Wednesday night, there were no reports of major attacks in Singapore or Malaysia.
According to CERT-In, the variant of Petya ransomware is spreading quickly by leveraging the EternalBlue exploit (MS17-010) targeting the Windows SMB file-sharing protocol. The malware encrypts the Master File Tree (MFT) tables for NTFS partitions and overwrites the Master Boot Record (MBR) with a custom bootloader, making the system unusable. The Data Security Council of India, or DSCI, has issued warnings and suggested ways to mitigate the risks.
Singapore Issues Alert
SingCERT, the cybersecurity agency in Singapore, on Wednesday issued a notification stating that the Petya ransomware is “more dangerous and intrusive” than WannaCry. In an advisory posted on its website, SingCERT states: “It’s more dangerous and intrusive as its behavior is to encrypt the Master File Tree tables for NTFS partitions. Petya spreads via email spam with booby-trapped office documents. The documents, once opened, will download and run the Petya installer and execute the SMB worm to spread to other computers.”
A joint statement by the Cyber Security Agency in Singapore and the Government Technology Agency of Singapore issued on Wednesday evening noted: “None of Singapore’s 11 critical information infrastructure sectors were affected; our government systems have not been affected.”
“After news of last night’s attack, CSA promptly alerted our CII sectors about Petya and provided them with technical data, such as indicators of compromise, so that they could check their networks and systems,” the statement notes. “Similarly, advisories were issued to businesses and public on the steps that they can take to counter this threat.”