Golden Eye aka Petya ransomware: One week later
Recent large-scale ransomware attacks have reinforced the belief that there is a lack of accountability, and a lack of emphasis on basic IT and security fundamentals, or hygiene.
The latest attack, by the Petya ransomware, leverages two exploits, one of which is the EternalBlue exploit that targeted vulnerabilities in Microsoft’s software and was the basis for the first global-scale WannaCry attack just the month before. Petya is reported to have spread to some 65 countries.
A ransomware attack every month or every week? Is this going to be the New Normal? Maybe for some businesses, it already is, because really, how many attacks are actually reported?
Microsoft has reacted accordingly, and a statement which they released goes like this:
“Microsoft’s antivirus software detects and protects against this ransomware. Our initial analysis found that the ransomware uses multiple techniques to spread, including one which was addressed by a security update (MS17-010) previously provided for all platforms from Windows XP to Windows 10.”
Last month, the software company had also released patches for unsupported systems like Windows XP, which gave rise to speculation and reports that Microsoft had information, or at least an idea, that another WannaCry-like attack was on the horizon.
That is fast becoming a moot point, because ransomware is a very lucrative criminal endeavour – attacks, even large-scale ones, are likely to happen on a more regular basis from now on.
The Microsoft statement goes on to say: “As ransomware also typically spreads via email, customers should exercise caution when opening unknown files. We are continuing to investigate and will take appropriate action to protect customers.”
More vicious, more at stake
According to cybersecurity provider Symantec, Petya has been in existence since 2016. It differs from typical ransomware as it doesn’t just encrypt files, it also overwrites and encrypts the master boot record (MBR). This way, the malware crashes the machine, and doesn’t allow the user to boot up the machine again.
In this latest attack, a ransom note is displayed on infected machines, demanding that $300 in bitcoins be paid to recover files.
Unlike WannaCry, there is also more at stake with the Petya attack. It is unclear how victims are selected and whether the apparently random targeting is deliberate.
For example, Ukraine’s critical infrastructure – its state power company, the metro system and the main airport in Kiev – was affected, with computer systems unable to boot up; one can only imagine the chaos and disruption this caused to the affected population.
The Chernobyl nuclear power plant was also hit, and had to resort to manual monitoring of radiation levels after its sensors shut down. In this instance, human lives are directly at stake, because critical sensors in the nuclear power plant were rendered useless.
A BBC.com article reports that industrial firms have difficulty applying software patches quickly enough, because they cannot afford the downtime that patching requires.
In the same article, Veracode’s Chris Wysopal noted that, so far, only two vendors are able to detect the virus.
Unpatched systems that rely on antivirus alone are left vulnerable to the malicious Petya.
Petya’s propagation seems to have halted.
According to Microsoft’s blog: “Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, software supply chain attacks are a recent dangerous trend with attackers, and it requires advanced defense.”
The blog also shared the malware’s method of spreading across a local network:
“The ransomware spreading functionality is composed of multiple methods responsible for stealing credentials or re-using existing active sessions, using file-shares to transfer the malicious file across machines on the same network, using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines.”
Unlike WannaCry, which used the Internet to spread, the Petya ransomware moved across local area networks only.
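The spreading behaviour Microsoft describes above, a compromised host reaching many neighbours over file shares and SMB inside the local network, leaves a recognisable footprint in connection logs: one internal source opening TCP/445 sessions to many distinct internal peers in a short window. The following Python script is an added example, not code from the article, from Microsoft or from any vendor; the log format, IP addresses, timestamps, the 10.0.0.0/8 "internal" range and the 60-second/5-peer thresholds are all constructed assumptions for illustration.

```python
"""Flag internal hosts that fan out over SMB (TCP/445) to many internal
peers within a short window, the lateral-movement pattern described in
Microsoft's analysis of Petya's spread across local networks.

Added example, not part of the original article or any vendor tooling.
The log format, hosts, times and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed connection-log lines: "<ISO time> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.1.15 10.0.1.20 445
2017-06-27T10:00:02 10.0.1.15 10.0.1.21 445
2017-06-27T10:00:03 10.0.1.15 10.0.1.22 445
2017-06-27T10:00:04 10.0.1.15 10.0.1.23 445
2017-06-27T10:00:05 10.0.1.15 10.0.1.24 445
2017-06-27T10:00:06 10.0.1.15 10.0.1.25 445
2017-06-27T10:00:30 10.0.1.40 10.0.1.5 445
2017-06-27T10:05:00 10.0.1.40 10.0.1.6 445
2017-06-27T10:00:07 10.0.1.15 203.0.113.9 443
2017-06-27T10:00:08 10.0.1.60 10.0.1.7 3389
"""

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_smb_fanout(events, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: set_of_internal_peers} for every source that contacted
    at least `threshold` distinct internal hosts on port 445 within any
    `window`-long interval. Only internal destinations count, so ordinary
    outbound traffic (e.g. HTTPS to the Internet) does not inflate the score."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445 and ipaddress.ip_address(dst) in INTERNAL:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, conns in by_src.items():
        conns.sort()  # sliding window over connections in time order
        best = set()
        left = 0
        for right in range(len(conns)):
            # Advance the left edge until the window fits within `window`.
            while conns[right][0] - conns[left][0] > window:
                left += 1
            peers = {dst for _, dst in conns[left:right + 1]}
            if len(peers) > len(best):
                best = peers
        if len(best) >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, peers in find_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src} reached {len(peers)} internal hosts on 445: {sorted(peers)}")
```

On the constructed sample, 10.0.1.15 is flagged (six internal SMB peers in five seconds), while 10.0.1.40 (two peers, minutes apart) and the RDP and HTTPS connections are not. In a real deployment the thresholds need tuning against the baseline of legitimate file-server traffic; a single burst from one workstation is the signal, not a file server that many clients connect to.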