Petya Ransomware Wreaks Havoc Across The Globe

by Moumita Deb Choudhury    Jun 28, 2017


Perhaps it is an ardent call to all enterprises and organizations that, above and beyond every other technology, security must be prioritized and built robustly. In May, the WannaCry ransomware overran innumerable computers around the world, demanding large sums of cryptocurrency to restore owners' access to their files. Now a fresh piece of WannaCry-like ransomware dubbed Petya is doing the rounds and paralyzing organizations globally. A massive outbreak was triggered on Tuesday by a malicious software update for M.E. Doc, an accounting package used by Ukrainian companies.

The magnitude of infliction:

This new strain of malware, sometimes referred to as Petrwrap, encrypted systems not only in Ukraine but also in Australia, the United States, Poland, the Netherlands, Norway, Russia, India, Denmark and Spain.

The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website currently displays a warning message in Russian stating: “On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!”

The cyber-assault struck several hospitals, government offices, petroleum companies, shipping firms and multinational corporations. The cyber-criminals demanded 300 Bitcoins to decrypt the affected systems.

Initial analysis of the artifacts and network traffic at victim networks indicates that a modified version of the EternalBlue SMB exploit was used, at least in part, to spread laterally, along with WMI commands, Mimikatz and PsExec to propagate to other systems, a FireEye blog post said.

According to security experts, the two massive cyber-attacks in consecutive months have factors in common: both spread using digital lock picks originally created by the NSA and later published to the web by a mysterious group called the Shadow Brokers.

Microsoft released a security fix in March, but Chris Wysopal, Chief Technology Officer at the security firm Veracode, said it can only be effective if every single computer on a network is patched; otherwise even a single encrypted system could infect the rest.

The pace of the outbreak slowed as the day wore on, one reason being that it required direct contact between computer networks, a factor that may have confined its spread in regions with fewer connections to Ukraine.

Ryan Kalember, a security expert at Proofpoint, noted that one reason the attacks are slowing down is that the ransomware spreads only when there is direct contact between two networks.

But once it infects a computer on a network, it spreads quickly, even to computers that have applied the fix for the NSA exploit.

“It’s more harmful to the organisation that it affects, but because it’s not randomly spreading over the internet like WannaCry, it’s somewhat contained to the organisations that were connected to each other,” said Kalember.

India tumble story:

Operations at one of the country’s largest container ports, Jawaharlal Nehru Port Trust (JNPT) in Mumbai, were crippled on Tuesday night as a result of the ransomware assault.

AP Moller-Maersk, one of the entities affected globally, operates the Gateway Terminals India (GTI) at JNPT, which has the capacity to handle 1.8 million standard container units.

“We have been informed that the operations at GTI have come to a standstill because their systems are down (due to the malware attack). They are trying to work manually,” a senior JNPT official told PTI.

The Hague-based APM Terminals also runs the Pipavav terminal in Gujarat. According to media reports, an APM spokesperson declined to comment on the India impact of the attack.

“We can confirm that Maersk’s IT systems are down across multiple geographies and business units due to a cyber attack. We continue to assess the situation. The safety of our employees, our operation, and our customers’ businesses is our top priority. We will update when we have more information,” the spokesperson said in a written statement issued globally.

Malware under the name Petya has existed since 2016; Symantec says it differs from typical ransomware in that it does not just encrypt files but also overwrites and encrypts the master boot record.

“An important takeaway is the undeniable trend in the increasing ease by which attackers can penetrate the perimeter and get inside of corporate infrastructure. Perhaps even more important to consider is the motivation behind the attack and the harm intended on the target. In this case it was to hold companies ransom for $300; it could have been much worse,” said Matt Moynahan, CEO of Forcepoint.

He added that if we do not invest in the cybersecurity of our critical infrastructure, we will continue to see massive attacks with economic, employee and public safety ramifications. From the government to the boardroom, leaders need to make cyber resiliency a requirement, putting focus and funding behind it. While the perception may be that if we criminalize cyberattacks we will inhibit innovation, the reality is that if we do not treat cyber crime more seriously, attacks like WannaCry and Petya will start to feel even more commonplace than they already do.