Petya Ransomware Wreaks Havoc Across The Globe

Perhaps this is an urgent call to all enterprises and organizations that, above and beyond every other technology, security must be prioritized and built robustly. In May, the WannaCry ransomware overran innumerable computers around the world, demanding large amounts of cryptocurrency to restore the owners' access to their files. Now a fresh piece of WannaCry-like ransomware dubbed Petya is doing the rounds and paralyzing organizations globally. On Tuesday, a massive outbreak was triggered by a malicious software update for M.E. Doc, an accounting package used by Ukrainian companies.

The magnitude of the damage:

This new strain of malware, sometimes referred to as Petrwrap, did not only hit Ukraine: it also encrypted systems in Australia, the United States, Poland, the Netherlands, Norway, Russia, India, Denmark and Spain.

The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website currently displays a warning message in Russian stating: “On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!”

The cyber-assault hit hospitals, government offices, petroleum companies, shipping firms and multinational corporations. The cyber-criminals demanded 300 Bitcoins to decrypt the files.

The initial analysis of the artifacts and network traffic at victim networks indicates that a modified version of the EternalBlue SMB exploit was used, at least in part, to spread laterally, along with WMI commands, Mimikatz and PSExec to propagate to other systems, said a FireEye blog post.
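As an added illustration of how a defender might look for the lateral-movement pattern described above (this is example code, not FireEye's or the article's), the script below scans constructed log records for two signals: a PsExec-style service install (Windows System event 7045 creating a service named PSEXESVC) and a single host opening SMB (TCP/445) connections to many peers within a short window. The key=value log format, host names and addresses are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not captured from any real network). Two sources are
# modelled: Windows System log event 7045 (new service installed; PsExec drops one
# named PSEXESVC on the remote host) and a flow log of TCP/445 (SMB) connections.
SAMPLE_LOGS = """\
2017-06-27T10:12:03Z host=WS-01 event=7045 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:12:05Z host=FW event=flow src=10.0.1.15 dst=10.0.1.20 dport=445
2017-06-27T10:12:06Z host=FW event=flow src=10.0.1.15 dst=10.0.1.21 dport=445
2017-06-27T10:12:06Z host=FW event=flow src=10.0.1.15 dst=10.0.1.22 dport=445
2017-06-27T10:12:08Z host=FW event=flow src=10.0.1.15 dst=10.0.1.23 dport=445
2017-06-27T10:12:09Z host=FW event=flow src=10.0.1.15 dst=10.0.1.24 dport=445
2017-06-27T10:13:00Z host=FW event=flow src=10.0.1.40 dst=10.0.1.5 dport=445
2017-06-27T10:30:00Z host=WS-07 event=7045 service=Spooler path=%SystemRoot%\\spoolsv.exe
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split one 'timestamp key=value ...' record into a dict (format is constructed)."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_lateral_movement(text, fanout=5, window=timedelta(minutes=5)):
    """Return (signal, subject) findings: PSEXESVC installs and SMB fan-out bursts."""
    findings = []
    conns = defaultdict(list)  # src ip -> [(ts, dst ip)]
    for line in text.splitlines():
        rec = parse(line)
        if rec.get("event") == "7045" and rec.get("service", "").upper() == "PSEXESVC":
            findings.append(("psexec_service", rec["host"]))
        elif rec.get("event") == "flow" and rec.get("dport") == "445":
            conns[rec["src"]].append((rec["ts"], rec["dst"]))
    # A source reaching `fanout` distinct hosts on 445 inside `window` is a spread burst.
    for src, events in conns.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - start <= window}
            if len(dsts) >= fanout:
                findings.append(("smb_fanout", src))
                break
    return findings

if __name__ == "__main__":
    for signal, subject in find_lateral_movement(SAMPLE_LOGS):
        print(f"{signal}: {subject}")
```

The thresholds are illustrative; in a real environment the fan-out count and window would be tuned against normal file-server traffic, and the benign Spooler service install in the sample shows why the service name, not event 7045 alone, is the trigger.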

According to security experts, the two massive cyber-attacks in consecutive months have factors in common. Both spread using digital lock picks originally created by the NSA and later published on the web by a mysterious group called the Shadow Brokers.

The pace of the outbreak slowed as the day wore on, one reason being that it required direct contact between computer networks, a factor that may have limited its spread in regions with fewer connections to Ukraine.

Ryan Kalember, a security expert at Proofpoint, noted that one reason the attacks are slowing down is that the ransomware spreads only when there is direct contact between two networks.

But once it infects a computer on a network, it spreads quickly, even to computers that have applied the security patch for the NSA exploit.

“It’s more harmful to the organisation that it affects, but because it’s not randomly spreading over the internet like WannaCry, it’s somewhat contained to the organisations that were connected to each other,” said Kalember.

The India story:

Operations at Jawaharlal Nehru Port Trust (JNPT), one of the country’s largest container ports, were crippled on Tuesday night as a result of the ransomware assault.

AP Moller-Maersk, one of the entities affected globally, operates the Gateway Terminals India (GTI) at JNPT, which has the capacity to handle 1.8 million standard container units.

“We have been informed that the operations at GTI have come to a standstill because their systems are down (due to the malware attack). They are trying to work manually,” a senior JNPT official told PTI.

The Hague-based APM Terminals also runs the Pipavav terminal in Gujarat. According to media reports, an APM spokesperson declined to comment on the impact of the attack in India.

“We can confirm that Maersk’s IT systems are down across multiple geographies and business units due to a cyber attack. We continue to assess the situation. The safety of our employees, our operation, and our customers’ businesses is our top priority. We will update when we have more information,” the spokesperson said in a written statement issued globally.