Petya, WannaCry and the future of global cyber attacks
3 July 2017
It’s been mere weeks since the outbreak of WannaCry, a global ransomware attack which left many organisations’ IT infrastructure in lockdown, but this week companies worldwide are again reporting that they have been struck by another major cyber attack.
Late on Monday night, the first reports surfaced of another global cyber attack. This time the attack began in Ukraine and appears to have spread through a hacked Ukrainian accountancy software developer to companies in Russia, Western Europe, the US and Australia.
Around 2,000 individuals and organisations worldwide have reportedly been affected including advertising firm WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk.
Infected computers displayed a screen warning users that their files were encrypted and no longer accessible, and demanded a $300 ransom, paid in Bitcoin, to release the decryption key.
How did it happen?
Initially, it was believed this outbreak was the result of a new version of “Petya”, a piece of ransomware that emerged last year. But in the hours after the outbreak security researchers noticed that the resemblance between Petya and this malware was only “skin deep”.
Kaspersky Lab reported that they believed this malware to be “new” and dubbed it “NotPetya”, a tongue-in-cheek name based on the fact that both outbreaks share a similar amount of code. Others have also referred to the outbreak as “Petna”, “Pneytna” and “Goldeneye”.
Worryingly, experts are suggesting that this latest outbreak of malware is taking advantage of the same weaknesses used by the WannaCry attack last month. Like WannaCry, “NotPetya” utilises the EternalBlue vulnerability in Microsoft Windows to move through the network, infecting other machines and systems as it goes by injecting malicious code into them. However, unlike WannaCry it does not contain the code which enables it to leave the network once it has spread.
Although Microsoft did release a patch for this vulnerability, even for operating systems which were no longer under support – which is incredibly rare in itself – this latest attack suggests that many companies did not apply it. Security experts have said this is partly because WannaCry was tackled so quickly, but also because industrial firms struggle to apply software patches quickly as their systems cannot have downtime.
The motive of malware
Now that the dust is beginning to settle and there’s been time to analyse Tuesday’s outbreak, it’s being suggested that although “NotPetya” bears all the hallmarks of ransomware it, in fact, has a much more sinister motive – to permanently destroy data.
By its very definition ransomware is designed to make money by holding data hostage, and only releasing that data once the victim pays the fee. Yet with “NotPetya” there’s very little money to be found, with one security researcher, who goes by the handle “the grugq”, stating that “the malware’s advanced intrusion techniques were in stark contrast to its rudimentary payment structure”. Some of the elements researchers have flagged include:
- Designed to overwrite the master boot record, meaning even with a decryption key it would be impossible to restore disks
- The ransom note does not display a “personal infection ID” which attackers need to decrypt a paying user’s computer
- Used a single bitcoin address to receive bitcoin payments
- Required victims to manually type a long string of human-unfriendly characters into an email address – typically avoided as it decreases the likelihood of payment
There have been differing opinions on the motive behind “NotPetya”. Some researchers are speculating that it looks like a “state-sponsored” or a “state operating through proxy” attack, as the infections seem to specifically target Ukraine’s vital institutions, such as its central bank, airport and metro transport, rather than focusing on more lucrative targets.
Another suggestion is that Tuesday’s attack was “a lure to control the media narrative, especially after the WannaCry incidents to attract attention to some mysterious hacker group”.
The future of global cyber attacks
As society becomes increasingly connected and ever more reliant on technology, this wave of global cyber attacks raises questions about the future for businesses.
Traditionally you would have people who would hack for “fun”, just to prove that they could enter a company’s systems. Now the majority of today’s hackers are looking for financial gain, using the threat of locked-down systems or the release of sensitive data to extort payment from a business. However, if we are entering an era whereby businesses are attacked simply to cause the maximum damage possible then it is right to be concerned.
In the case of ransomware, businesses may sometimes take the decision to pay the ransom being demanded, simply because it will cost them less than losing a day’s worth of productivity – even if they dislike the idea of responding to ransom demands. However, if you now have malware which simply poses as ransomware, it changes things. In this case, even if a company responds to the demands it won’t guarantee the return of their files and, depending on their policies, who knows how much data could be permanently destroyed.
There is no doubt that “NotPetya” was a sophisticated piece of malware, designed to “spread fast and cause damage with a plausibly deniable cover of ransomware”, and it does raise questions about potential attacks in the future and the motives behind them, e.g. cyberterrorism, revenge, geopolitics etc.
Can anything be done?
Although the increase in cyber attacks, and their global reach, is concerning, as always there are steps businesses can take to secure their systems.
On a day-to-day level, you should ensure that all your systems and software remain up to date, you apply the latest patches when they are released and you are running up to date Anti-Virus and Firewall solutions. Staff training also plays an important role. With email and social engineering popular methods of attack, it’s vital that they understand how to recognise potential threats and how to respond in those situations.
Backups are critical, but they need to be organised in a particular way to be “ransomware-proof”. A three-tier approach, which comprises short, medium and long-term backups, is a more reliable way to protect your data:
- Short Term – Constant backups of files through a file/block level replication service, or on your own network but with proprietary protocols so the backup isn’t visible to attackers.
- Medium Term – Regular backups of systems and data onto easily accessible storage devices that are logically isolated from the rest of the network.
- Long Term – Offline, encrypted storage, physically isolated from the rest of your company and users. These backups are less frequent and comprehensive but are there in the case of an emergency if your company needs to recover everything.
Alongside this, you should also run regular tests of your backups to ensure all is working as it should be, and malware scanning in case ransomware enters the systems and hides in encrypted files when they are backed up – this will help prevent users from being stuck in a continual loop of backup-restore-encrypt.
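One way to put the backup-testing and scanning advice above into practice, as an added illustration that is not from the original article: record a hash and a byte-entropy figure for every file at backup time, then, on each verification run, flag files whose content has changed from low-entropy to high-entropy, which is the signature a ransomware-encrypted file leaves in a backup set. File names and sample contents below are constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict:
    """Map each file (relative path) to (sha256 hex digest, entropy) at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            manifest[os.path.relpath(path, root)] = (
                hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return manifest


def verify_backup(root: str, manifest: dict, threshold: float = 7.5) -> dict:
    """Compare the current backup set against its manifest.

    A file is only reported as suspect_encrypted when its entropy jumped from
    below the threshold to above it; comparing against the baseline avoids
    false alarms on archives and images that are high-entropy by nature."""
    current = build_manifest(root)
    findings = {"missing": [], "modified": [], "suspect_encrypted": []}
    for rel, (digest, base_entropy) in manifest.items():
        if rel not in current:
            findings["missing"].append(rel)
            continue
        new_digest, new_entropy = current[rel]
        if new_digest != digest:
            findings["modified"].append(rel)
            if base_entropy < threshold <= new_entropy:
                findings["suspect_encrypted"].append(rel)
    return findings


def demo() -> dict:
    """Constructed scenario: a plain-text file is backed up, then replaced by
    random bytes standing in for ransomware-encrypted content."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "quarterly-report.txt")
        with open(path, "w") as f:
            f.write("Quarterly figures, constructed sample data.\n" * 50)
        manifest = build_manifest(root)
        with open(path, "wb") as f:
            f.write(os.urandom(4096))  # simulated encryption in place
        return verify_backup(root, manifest)
```

A hit in `suspect_encrypted` is the moment to stop the backup job and investigate rather than overwrite the last clean copy, which is what breaks the backup-restore-encrypt loop the text describes.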
Those businesses who are particularly reliant on certain systems, or who deal with large quantities of sensitive information or have access to significant funds may want to go further and consider advanced security solutions.