Petya More Lethal Than Wannacry: India On A ‘Restore’ Mission

by Moumita Deb Choudhury    Jun 29, 2017


The second seismic ransomware attack this year is still raging, bringing normal operations to a halt, but its impact is slowing as countermeasures are put in place. Petya’s fallout is expected to be more gruesome than WannaCry’s, which mainly locked users out of a lot of intellectual property: Petya not only exploits the same EternalBlue vulnerability but adds further techniques exposed in prior leaks.

Petya encrypts the MFT (Master File Table) and overwrites the MBR (Master Boot Record), leaving victims unable to boot their computers, rendering them unusable and preventing users from retrieving any information on them.

India seeks remedies

Indian corporates and PSUs have registered a big impact from the Petya strike and are trying to recover lost assets at the earliest.

“Mainly corporates which are not in high-tech are more vulnerable as they have lots of legacy OS installations that were ignored as they were used for non-intensive purposes like data entry,” said Rakesh Kumar Singh, Datacenter lead, Juniper Networks India.

The government is working with Danish firm AP Moller-Maersk to bring back normalcy that was disrupted by the cyber assault at the Jawaharlal Nehru Port Trust (JNPT) port.


Speaking to PTI, National Cyber Security Coordinator Gulshan Rai said he, along with state and port authority officials, was at the spot to gauge the situation.

“We are here to assess the situation and damage that has been caused to the systems of the Danish company. We are looking at how fast it can be restarted (at the terminal),” he said. 

AP Moller-Maersk, one of the affected entities globally, operates the Gateway Terminals India (GTI) at JNPT, which has the capacity to handle 1.8 million standard container units.

The Hague-based APM Terminals also runs the Pipavav terminal in Gujarat. As per media reports, an APM spokesperson declined to comment on the India impact of the attack.

Meanwhile, in a post on its website, AP Moller-Maersk said it has “contained” the issue and is working on a technical recovery plan with key IT partners and global cyber security agencies. “We have shut down a number of systems to help contain the issue. Precautionary measures have been taken to ensure continued operations,” it added.

The government has issued advisories to all critical sectors to guard against any possible threats. According to reports, India’s nodal cyber security agency CERT-In is also engaging with international agencies in this regard.

How to secure networks:

Regular patching of the operating system is a must, including the update in Microsoft’s MS17-010 bulletin, not just on laptops and desktops but on all portable devices such as mobiles and tablets.

“Also it is a wake-up alert for all SMBs who avoided moving away from out-of-support operating systems. The main learning is that critical data should not be residing on user desktops,” said Kumar Singh.

He added that cloud-based solutions should be adopted instead, so that the relevant data is made available to the user on demand while the data itself is always stored in the cloud, where it is easier to put security and anti-malware defences in place.

Consider blocking the Microsoft PsExec tool from running on users’ computers.

“Petya cleverly uses legitimate Windows processes PsExec and Windows Management Information Command-line, which is an interface that simplifies the use of Windows Management Instrumentation,” said Nilesh Jain, Country Manager (India and SAARC), Trend Micro.

Back up regularly and keep a recent backup copy off-site. “There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands,” said Sunil Sharma, Vice President – Sales at Sophos, India & SAARC, adding that one should also not open attachments in emails from unknown senders.
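The patching and PsExec points above can be turned into a quick, read-only check on a single Windows host. The script below is an added example, not code from the article or from any of the vendors it quotes. It assumes the host runs Windows 8/Server 2012 or later (for Get-SmbServerConfiguration) and that the MS17-010 KB list, taken from Microsoft’s March 2017 bulletin, is only illustrative: later cumulative updates supersede those KBs, so a host patched through a newer rollup will not list them.

```powershell
# Added example: post-Petya hygiene check for one Windows host. Read-only.
# Run in an elevated PowerShell session; nothing here changes configuration.

# MS17-010 security-only updates from the March 2017 bulletin. ASSUMPTION:
# illustrative list only. Monthly rollups released later supersede these, so
# "not found" means "verify the cumulative update level", not "unpatched".
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013389')

function Get-Ms17010Status {
    # Get-HotFix lists installed updates by KB id.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Check  = 'MS17-010 hotfix present'
        Result = if ($installed) { $installed.HotFixID -join ', ' }
                 else { 'not found - verify cumulative update level' }
    }
}

function Get-Smb1Status {
    # EternalBlue targets SMBv1. Turning the SMBv1 server off is the most
    # direct mitigation on hosts that cannot be patched immediately.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Check  = 'SMBv1 server disabled'
        Result = if ($cfg.EnableSMB1Protocol) { 'NO - SMBv1 still enabled' } else { 'yes' }
    }
}

function Get-PsExecServiceEvents {
    param([int]$Days = 7)
    # PsExec installs a temporary service named PSEXESVC on the target host;
    # the Service Control Manager records that as System event 7045. On a host
    # where administrators never use PsExec, any hit deserves a ticket.
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $hits = @($events | Where-Object { $_.Message -match 'PSEXESVC' })
    [pscustomobject]@{
        Check  = "PsExec service installs (last $Days days)"
        Result = if ($hits.Count -gt 0) {
                     # Get-WinEvent returns newest first, so [-1] is the earliest hit.
                     "$($hits.Count) found, earliest at $($hits[-1].TimeCreated)"
                 } else { 'none' }
    }
}

# Emit one row per check so the output can be piped to Format-Table or Export-Csv.
Get-Ms17010Status
Get-Smb1Status
Get-PsExecServiceEvents -Days 30
```

Blocking PsExec outright is a policy decision (AppLocker or a software restriction policy on psexec.exe and PSEXESVC.exe); the event check above is the low-cost first step, since it shows whether the tool is in use on the host at all before a block is rolled out.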

Marina Kidron, head of the Skybox Security Research Lab, said it appears Petya is learning from its earlier variants’ and WannaCry’s mistakes, and cybersecurity needs to do the same. For critical infrastructure organizations that are dealing with mass-scale complexity between IT and OT networks, gaining visibility into the network paths and access between those environments is crucial.

Understanding how to effectively segment your organization, control access and neutralize threats posed by vulnerabilities is more important now than ever.