Security experts are warning that a quick-spreading new ransomware attack may have more tricks up its sleeve than the previous WannaCry software that crippled thousands of computers worldwide last month.
Modified strain:
The new strain, which has similarities to a well-known software called Petya but may be a modified or wholly new version, has already caused a significant amount of damage in Europe, has moved to the US and is starting to make itself known in Australia.
Local companies, services and individuals especially those whose computers are connected to big networks but have not received security updates in some time are at risk of having their files locked and held to ransom as the infection inevitably spreads to Australia through international networks.
“The early indications are that it’s exploiting multiple vulnerabilities that have been patched for years”, Australian security expert Troy Hunt told Fairfax Media.
“Unpatched systems are definitely still at risk”.
Several companies impacted:
Several prominent companies and services across the globe have already been impacted by this new ransomware, with computers locked up and displaying a distinctive red block of text asking for payment in Bitcoin. In Australia, local arms of international companies that have been affected are scrambling to stop the infection spreading.
Situation monitored:
Dan Tehan, federal minister for cyber security, said Australia and its Five Eyes partners were monitoring the situation.
“It is probable that there will be Australian businesses or organisations that become affected”, Tehan said.
“So far there has been public reporting of two businesses but we are working to confirm those and offer assistance. At this stage, we haven’t had any official reports of businesses being impacted”.
As of this morning, shipping company TNT also appeared affected, with some of its systems unavailable and its website stating that “like many companies and institutions around the world” it was experiencing “interference”.
Ukraine takes a major hit:
While numerous European and American companies have been hit directly, the most damage so far appears to have been done in the Ukraine, where the state power company and main airport were among the first to report issues.
Ukraine’s central bank warned financial firms across the country that an unknown virus hit the sector, creating problems for banks and customer service.
Officials at Ukraine’s postal service and metro system in Kiev also reported hacking problems.
Ukraine’s vice prime minister, Pavlo Rozenko, tweeted a screenshot of his malfunctioning computer saying computers at the Cabinet of Ministers had been affected.
According to security firm Cisco Talos, the ransomware initially infected MeDoc, a piece of Ukrainian accounting software. MeDoc then sent an infected file to customers. It spread to other computers on companies’ networks by leveraging software holes. Ukranian officials confirmed the MeDoc link.
Powerplant compromised – Monitored manually:
As per Report that even the Chernobyl nuclear power plant has been hit, with staff being forced to monitor radiation levels manually after the computers that run the plant’s sensors were impacted.
Analysis of the Bitcoin wallet listed on the ransom demand shows that at least some victims have paid up in order to unlock their files, but many experts are now advising users and businesses against sending the money. Berlin-based email provider Posteo says it has disabled the email address attackers were using to receive the Bitcoins, meaning they may now have no way of restoring encrypted files to their victims.
Security giants skeptic:
Security software vendor McAfee said that the modified Petya attack had more potential to hit the general public than WannaCry, but that it had so far been mainly detected in business environments. It said it had various samples in analysis to try and work out exactly how the new strain operates.
Kaspersky Lab believes the strain is a “new ransomware that has not been seen before”, despite its strong resemblance to Petya. It has dubbed the new software NotPetya.
Regardless the new ransomware is tied to WannaCry, with several security firms confirming that it uses the same Windows vulnerability to spread through computer systems. First revealed publicly in April, this vulnerability known as Eternal Blue was patched by Microsoft in March, so any computer set to automatically install security updates is protected.
However some businesses that use specialised software don’t keep their computers up to date, as it can be costly to fix compatibility issues at large scale. Many of those businesses were hit by WannaCry, and anyone who still hasn’t installed the appropriate security updates may be at risk from this new attack as well.
Embedded systems are more at risk:
Also at risk are embedded computer systems — for example those that run public infrastructure — which are often connected to networks but not updated. As recently as last week, speed cameras in Victoria were seen to be impacted by WannaCry.
While there are indications that the new Petya has more ways to move around inside a network than WannaCry had, it’s likely these also make use of known vulnerabilities that have been patched. Until it has been fully investigated, it’s difficult to say whether some systems protected against WannaCry might still be vulnerable to the new form of Petya.
While there are still a lot of details that experts are yet to uncover — including the identity of the criminals that released the attack, how the software initially breaches a computer or any other known vulnerabilities it may be exploiting — many are advising users to guard against Petya in the same way they did WannaCry: make sure the most recent Windows security updates are installed, and be vigilant in regular cyber hygiene practices including maintaining backups of your files, and not opening suspicious emails or clicking unfamiliar links.
For businesses, the specific security update needed to protect against Eternal Blue is MS17-010. In line with Microsoft’s guidance from 2016, businesses unable to patch should consider disabling SMBv1 and other legacy protocols to prevent the infection spreading.
Global giants affected:
Major global firms reported that they had been targeted, including British advertising agency WPP, Russian oil and gas giant Rosneft and Danish shipping firm Maersk.
“IT systems in several WPP companies have been affected by a suspected cyber attack,” WPP said on its Twitter account.
Maersk issued a similar statement, saying its tech systems “are down across multiple sites and business units due to a cyberattack.”
The U.S.-based pharmaceutical company Merck also said it was hit. “We confirm our company’s computer network was compromised today as part of global hack,” Merck said on Twitter.
Mondelez, the company that owns Oreos, Cadbury and many other global snack brands, reported a computer outage across its global operations. And law firm DLA Piper said it had taken down its systems in response to “a serious global cyber incident.”
The source of the attack is not yet clear. It is similar to WannaCry, which spread globally in May, but there are differences. Both asked victims to pay Bitcoin to get their files back, and both use a similar flaw to spread through networks.
The Moscow-based cybersecurity firm Group IB estimated Tuesday that the virus affected about 80 companies in Russia and Ukraine.
Group IB said the ransomware infects and locks a computer, and then demands a $300 ransom to be paid in Bitcoins.
Microsoft said it found that the ransomware is using multiple techniques to spread, including one that was addressed by the security patch released in March. It is continuing to investigate.
U.S Homeland Security monitoring attacks:
The U.S. Department of Homeland Security is also monitoring the cyberattacks.
Spokesman Scott McConnell said DHS is “coordinating with our international and domestic cyber partners. We stand ready to support any requests for assistance.” Europol said it is investigating the attack as well.
Ransomware victims are always advised not to pay ransom to get their files back because it encourage the attackers. The best way to mitigate damage from ransomware is to update operating systems and backup data.
Did you subscribe for our daily newsletter?
It’s Free! Click here to Subscribe!
Reference: CNN, The Sydney Morning Herald
