Petya outbreak evidence that cyber attacks are getting more sophisticated, dangerous
Organizations must do more than patch security to stave off disaster
By Bob Sullivan, ThirdCertainty
Anti-virus firms and IT departments struggled all week to get the Petya ransomware outbreak under control.
There’s still some debate about how it works and how it spreads. But in some ways, the virus, also referred to as GoldenEye, is even more powerful, and nastier, than WannaCry.
The list of victims is impressive, and alarming. Petya hit big banks, law firms, shipping companies, and even the Chernobyl nuclear facility.
According to security firm Bitdefender, they include: “Chernobyl’s radiation monitoring system, DLA Piper law firm, pharma company Merck, a number of banks, an airport, the Kiev metro, Danish shipping and energy company Maersk, British advertiser WPP and Russian oil industry company Rosneft. The attacks were widespread in Ukraine, affecting Ukrenergo, the state power distributor, and several of the country’s banks.”
Petya is both more viral and nastier because it does not rely only on the so-called EternalBlue vulnerability to spread; that is the flaw found by the NSA that was leaked and powered WannaCry.
Once a machine on a network is infected, Petya can use a legitimate Windows utility to spread to other machines, even ones that are patched against EternalBlue, according to security firm BeyondTrust. It also appears to arrive at many infected firms via phishing.
One system starts mass infection
“Petya is different and could be much worse,” said Morey Haber, vice president of technology at BeyondTrust. “The main takeaway is that WannaCry only had one method to propagate. If a resource was patched, SMB was not exposed to the internet, or the user was running a modern OS (like) Windows 10, the ransomware threat was mitigated. Petya builds on top of this by initially deploying in mass via email, and it only takes one system to begin the infection.”
Victims see a message warning that their files are inaccessible, and can only be restored by paying $300 in bitcoins.
“If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service,” the virus message says.
Recovery not so easy
Petya is also nasty because, in addition to encrypting files, it encrypts the infected computer’s master boot record, making recovery even more difficult.
The U.S. Department of Homeland Security said it is monitoring the situation. While there are reports of individual U.S. companies being hit, infections appear more prevalent in Europe.
“US-CERT has received multiple reports of Petya ransomware infections occurring in networks in many countries around the world,” said DHS in a statement. “Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.”
U.S. still scrambling on security
Petya was actually first discovered in 2015; most analysts say it was updated after WannaCry’s success. Others call the attack an entirely new piece of malware.
The outbreak is yet another sign U.S. security is unprepared for the kinds of cyber attacks that are becoming more common.
“Organizations are still not patching in a timely manner across all assets, and end users still have administrative rights,” Haber said. “The combination is how Petya is becoming a devastating threat and making organizations realize the strategy of patching servers only is not acceptable.”
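As an added defender-side example (not from the article, and not code from BeyondTrust), the following PowerShell audit reports on the conditions Haber cites: whether SMBv1 is still enabled, whether inbound SMB is allowed on the public firewall profile, which accounts hold local administrator rights, and how recently the host was patched. It assumes a Windows 10 / Server 2016-era host and an elevated session; the function name is an assumption of this example.

```powershell
# Added example (not from the article or BeyondTrust): a read-only audit of the
# conditions Haber lists as mitigating WannaCry-style spread, so a defender can
# see where Petya's additional propagation paths would still have room to run.
# Assumes Windows 8.1 / Server 2012 R2 or later for Get-SmbServerConfiguration
# and Windows 10 / Server 2016 or later for Get-LocalGroupMember; run elevated.

function Get-RansomwareExposureReport {
    [CmdletBinding()]
    param()

    # 1. Is SMBv1 still enabled on the server side? (EternalBlue targets SMBv1.)
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. Is SMB (TCP 445) allowed inbound on the Public (or Any) firewall profile?
    $publicSmbRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.Profile -match 'Public|Any' } |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }

    # 3. Which accounts hold local administrator rights? Everyday user accounts
    #    appearing here are exactly what Haber calls out.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name

    # 4. OS version, so "modern OS" can be judged (Windows 10 reports major version 10).
    $os = Get-CimInstance Win32_OperatingSystem

    # 5. Count of hotfixes installed in the last 30 days as a rough patch-cadence signal.
    $recentHotfixes = Get-HotFix |
        Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-30) }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSVersion             = $os.Version
        SMB1Enabled           = $smb1
        PublicInboundSmbRules = @($publicSmbRules.DisplayName)
        LocalAdministrators   = @($admins)
        HotfixCountLast30Days = @($recentHotfixes).Count
    }
}

Get-RansomwareExposureReport | Format-List
```

Run it across a fleet (for example via Invoke-Command) and any host reporting SMB1Enabled = True, inbound 445 on the public profile, or ordinary user accounts in LocalAdministrators is one where the "patch servers only" strategy leaves a propagation path open.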