Petya outbreak evidence that cyber attacks are getting more sophisticated, dangerous

Organizations must do more than patch security to stave off disaster

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Anti-virus firms and IT depart­ments strug­gled all week to get the Petya ran­somware out­break under control.

There’s still some debate about how it works and how it spreads. But in some ways, the virus, also referred to as Gold­en­Eye, is even more pow­er­ful, and nas­ti­er, than WannaCry.

Bob Sul­li­van, jour­nal­ist and one of the found­ing mem­bers of

The list of vic­tims is impres­sive, and alarm­ing. Petya hit big banks, law firms, ship­ping com­pa­nies, and even nuclear facil­i­ty Chernobyl.

Accord­ing to secu­ri­ty firm Bit­de­fend­er, they include: “Chernobyl’s radi­a­tion mon­i­tor­ing sys­tem, DLA Piper law firm, phar­ma com­pa­ny Mer­ck, a num­ber of banks, an air­port, the Kiev metro, Dan­ish ship­ping and ener­gy com­pa­ny Maer­sk, British adver­tis­er WPP and Russ­ian oil indus­try com­pa­ny Ros­noft. The attacks were wide­spread in Ukraine, affect­ing Ukren­er­go, the state pow­er dis­trib­u­tor, and sev­er­al of the country’s banks.”

Relat­ed sto­ry: What Wan­naCry sig­nals for attacks using nation-state cyber weapons

Petya is both more viral and nas­ti­er because it doesn’t rely only on the so-called Eter­nal Blue vul­ner­a­bil­i­ty to spread—that’s the flaw found by the NSA that was leaked and pow­ered WannaCry.

Once a machine on a net­work is infect­ed, Petya can use a Win­dows util­i­ty tool to spread to oth­er machines, even if they are patched against Eter­nal Blue, accord­ing to secu­ri­ty firm BeyondTrust. It also appears to arrive at many infect­ed firms via phishing.

One sys­tem starts mass infection

Petya is dif­fer­ent and could be much worse,” said Morey Haber, vice pres­i­dent of tech­nol­o­gy at BeyondTrust.”The main take­away is that Wan­naCry only had one method to prop­a­gate. If a resource was patched, SMB was not exposed to the inter­net, or the user was run­ning a mod­ern OS (like) Win­dows 10, the ran­somware threat was mit­i­gat­ed. Petya builds on top of this by ini­tial­ly deploy­ing in mass via email, and it only takes one sys­tem to begin the infection.”

Vic­tims see a mes­sage warn­ing that their files are inac­ces­si­ble, and can only be restored by pay­ing $300 in bitcoins.

If you see this text, then your files are no longer acces­si­ble, because they have been encrypt­ed. Per­haps you are busy look­ing for a way to recov­er your files, but don’t waste your time. Nobody can recov­er your files with­out our decryp­tion ser­vice,” the virus mes­sage says.

Recov­ery not so easy

Petya also is nasty because in addi­tion to encrypt­ing files, it also encrypts the infect­ed computer’s mas­ter boot record, mak­ing recov­ery even more difficult.

The U.S. Depart­ment of Home­land Secu­ri­ty said it is mon­i­tor­ing the sit­u­a­tion. While there are reports of indi­vid­ual U.S. com­pa­nies being hit, infec­tions appear more preva­lent in Europe.

US-CERT has received mul­ti­ple reports of Petya ran­somware infec­tions occur­ring in net­works in many coun­tries around the world,” said DHS in a state­ment. “Indi­vid­u­als and orga­ni­za­tions are dis­cour­aged from pay­ing the ran­som, as this does not guar­an­tee that access will be restored. Using unpatched and unsup­port­ed soft­ware may increase the risk of pro­lif­er­a­tion of cyber­se­cu­ri­ty threats, such as ransomware.”

U.S. still scram­bling on security

Petya actu­al­ly was ini­tial­ly dis­cov­ered in 2015; most ana­lysts say it was updat­ed after WannaCry’s suc­cess. Oth­ers are call­ing the attack an entire­ly new piece of malware.

The out­break is yet anoth­er sign U.S. secu­ri­ty is unpre­pared for the kinds of cyber attacks that are becom­ing more common.

Orga­ni­za­tions are still not patch­ing in a time­ly man­ner across all assets, and end users still have admin­is­tra­tive rights,” Haber said. “The com­bi­na­tion is how Petya is becom­ing a dev­as­tat­ing threat and mak­ing orga­ni­za­tions real­ize the strat­e­gy of patch­ing servers only is not acceptable.”

More sto­ries relat­ed to cyber attacks:
Why Wan­naCry por­tends com­ing surge in attacks launched via self-spread­ing worms
Why inse­cure soft­ware is the root of all problems
Man­ag­ing sur­pris­es before they hap­pen is key to effec­tive cybersecurity
Steps to avoid being infect­ed by the ran­somware pandemic


Posted in Featured Story, Fresh vulnerabilities