Petya ransomware attack: what is it and how can it be stopped?
Many organizations in Europe and the US have been crippled by a ransomware attack dubbed “Petya”. The malicious software has spread through large firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk, leading to PCs and data being locked up and held for ransom.
It’s the second major global ransomware attack
in the last two months. In early May, Britain’s National Health Service (NHS)
was among the organizations infected by WannaCry, which used a
vulnerability first revealed to the public as part of a leaked stash of
NSA-related documents released online in April by a hacker group calling itself
the Shadow Brokers.
The WannaCry or WannaCrypt ransomware attack affected
more than 230,000 computers in over 150 countries, with the UK’s national
health service, Spanish phone company Telefónica and German state railways
among those hardest hit.
Like WannaCry, Petya spreads rapidly through networks
that use Microsoft Windows, but what is it, why is it happening and how can it
be stopped?
What is ransomware?
Ransomware is a type of malware that blocks
access to a computer or its data and demands money to release it.
How does it work?
When a computer is infected, the ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for a digital key needed to unlock the files. If victims don’t have a recent backup of the files, they must either pay the ransom or face losing all of their files.
How does the Petya ransomware work?
The Petya ransomware takes over computers and demands $300, paid in Bitcoin. Once one computer is infected, the malicious software spreads rapidly across an organization, either using the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools. The malware tries one option and, if it doesn’t work, it tries the next one. “It has a better mechanism for spreading itself than WannaCry”, said Ryan Kalember from cybersecurity company Proofpoint.
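The EternalBlue route described above only works against hosts that still expose the SMBv1 protocol and lack Microsoft's patch for it. The PowerShell below is an added example for administrators, not code from the article or from any of the companies it names: it reports whether a Windows host still has SMBv1 switched on and, with the -Remediate switch, turns it off. It assumes Windows 8.1/Server 2012 R2 or later (where Get-SmbServerConfiguration and the SMB1Protocol optional feature exist) and an elevated prompt; the administrative-tool route the article mentions relies on stolen credentials rather than a missing patch, so this check covers only the EternalBlue path.

```powershell
# Added example (not from the article): report, and optionally remove, the
# SMBv1 exposure that the EternalBlue spreading mechanism depends on.
# Assumes Windows 8.1 / Server 2012 R2 or newer and an elevated PowerShell.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # When set, disable SMBv1 on the server side and remove the feature.
        [switch]$Remediate
    )

    # Server-side switch: is the SMB server still willing to speak SMBv1?
    $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is the SMBv1 component installed at all? (Absent on some editions.)
    $featureState = 'Unknown'
    try {
        $featureState = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch {
        Write-Verbose "SMB1Protocol optional feature not queryable: $($_.Exception.Message)"
    }

    if ($Remediate) {
        if ($serverSmb1) {
            # Stop accepting SMBv1 connections immediately; no reboot required.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $serverSmb1 = $false
        }
        if ($featureState -eq 'Enabled') {
            # Remove the component so it cannot be re-enabled by accident.
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            $featureState = 'DisabledPendingReboot'
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = $serverSmb1
        Smb1FeatureState  = $featureState
        ExposedToSmb1     = [bool]$serverSmb1 -or ($featureState -eq 'Enabled')
        Recommendation    = if ($serverSmb1 -or $featureState -eq 'Enabled') {
                                'Disable SMBv1 and confirm the EternalBlue (MS17-010) patch is installed'
                            } else {
                                'SMBv1 is off; verify MS17-010 is installed on all Windows hosts'
                            }
    }
}

# Usage: run once to audit, then again with -Remediate to fix.
Test-Smb1Exposure | Format-List
```

Disabling SMBv1 closes the door EternalBlue uses, but it is not a substitute for the patch: hosts that must keep SMBv1 for legacy equipment still need MS17-010 installed, and the credential-based route the article describes is addressed by limiting administrative accounts, not by this script.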
Where did it start?
The attack appears to have been seeded through
a software update mechanism built into an accounting program that companies
working with the Ukrainian government need to use, according to the Ukrainian
Cyber Police. This explains why so many Ukrainian organizations were
affected, including government, banks, state power utilities and Kiev’s airport
and metro system. The radiation monitoring system at Chernobyl was also taken
offline, forcing employees to use hand-held counters to measure levels at the
former nuclear plant’s exclusion zone.
How far has it spread?
The “Petya” ransomware has caused serious
disruption at large firms in Europe and the US, including the advertising firm
WPP, French construction materials company Saint-Gobain and Russian steel and
oil firms Evraz and Rosneft. The food company Mondelez, legal firm DLA Piper, Danish
shipping and transport firm AP Moller-Maersk and Heritage Valley Health System, which runs
hospitals and care facilities in Pittsburgh, also said their systems had been
hit by the malware.
So is this just another opportunistic cybercriminal?
It initially looked like Petya was just
another cybercriminal taking advantage of cyberweapons leaked online. However,
security experts say that the payment mechanism of the attack seems too
amateurish to have been carried out by serious criminals. Firstly, the ransom
note includes the same Bitcoin payment address for every victim – most
ransomware creates a custom address for every victim. Secondly, Petya asks
victims to communicate with the attackers via a single email address which has
been suspended by the email provider after they discovered what it was being
used for. This means that even if someone pays the ransom, they have no way to
communicate with the attacker to request the decryption key to unlock their
files.
OK, so then who is behind the attack?
It’s not clear, but it seems likely it is
someone who wants the malware to masquerade as ransomware, while actually just
being destructive, particularly to the Ukrainian government. Security
researcher Nicholas Weaver told cybersecurity blog Krebs on Security that
Petya was a “deliberate, malicious, destructive attack or perhaps a test
disguised as ransomware”.
Ukraine has blamed Russia for previous
cyber-attacks, including one on its power grid at the end of 2015 that left
part of western Ukraine temporarily without electricity. Russia has denied
carrying out cyber-attacks on Ukraine.
What should you do if you are affected by the ransomware?
The ransomware infects computers and then waits for about an hour before rebooting the machine. If you catch it before or during that reboot, you can switch the computer off to prevent the files from being encrypted and try to rescue the files from the machine.
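The hour-long delay before the reboot is the window in which a defender can act. The PowerShell below is an added example, not code from the article: it assumes (this is an assumption, since the article does not say how the reboot is triggered) that a delayed reboot on a Windows host shows up either as a scheduled task that runs shutdown.exe or as a shutdown countdown that shutdown.exe /a can cancel, lists any such task with its next run time, and cancels and disables it so the machine stays up long enough to pull it off the network and copy files out. Function names are the example's own.

```powershell
# Added example (not from the article). Assumption: the delayed reboot is driven
# by the Windows task scheduler or a shutdown countdown, so it can be found and
# cancelled from an elevated PowerShell prompt on the affected machine.
function Find-PendingShutdownTask {
    # Return every scheduled task whose action launches shutdown.exe, together
    # with the arguments it passes and when the scheduler will next fire it.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe  = [string]$action.Execute
            $args = [string]$action.Arguments
            if ($exe -match 'shutdown(\.exe)?\s*$' -or $args -match '\bshutdown\b') {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskName    = $task.TaskName
                    TaskPath    = $task.TaskPath
                    State       = $task.State
                    Execute     = $exe
                    Arguments   = $args
                    NextRunTime = $info.NextRunTime
                }
            }
        }
    }
}

function Stop-PendingShutdown {
    # Cancel a reboot that already has a countdown running (shutdown.exe /a only
    # succeeds if one is pending; the error is suppressed otherwise), then
    # disable any scheduled task that would start a new one.
    & shutdown.exe /a 2>$null
    $found = @(Find-PendingShutdownTask)
    foreach ($t in $found) {
        Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Out-Null
        Write-Output "Disabled $($t.TaskPath)$($t.TaskName): $($t.Execute) $($t.Arguments) (next run $($t.NextRunTime))"
    }
    if ($found.Count -eq 0) { Write-Output 'No scheduled shutdown task found.' }
}

# Usage: review first, then cancel.
Find-PendingShutdownTask | Format-Table -AutoSize
Stop-PendingShutdown
```

Cancelling the reboot does not remove the infection or decrypt anything; it only keeps the system in the state the article describes, before the disk-level encryption that follows the reboot, so that the machine can be isolated from the network and its files copied to clean storage before it is rebuilt.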