Petya - the new ransomware taking the cyber world by storm

While 2016 was marked by extraordinary attacks, including multi-million dollar virtual bank heists, 2017 is no less. Just a month after WannaCry locked up thousands of computers, a new wave of ransomware attacks are targeting users across the world, including India and Europe. It’s the second major global ransomware attack in the last two months. Consumer, shipping, aviation and oil & gas companies were hit in the UK, Russia, France, Spain and elsewhere.

Petwrap, believed to be an advanced version of an old ransomware known as Petya, locked the computer screens of as many as 20 companies globally with $300 being demanded to be paid in Bitcoin to free them up.

Advertsising company WPP, food company Mondelez, legal firm DLA Piper, French construction materials company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft Maersk and Danish shipping and transport firm Maersk are some of the companies targeted by the ransomware, causing serious disruptions according to people aware of the matter. Indian subsidiaries of UK and Russia-based oil and gas, energy and aviation companies were also hit.

Like WannaCry ransomware attack that affected more than 2, 30,000 computers in over 150 countries, with the UK’s National Health Service, Spanish phone company Telefonica and German state railways among those hardest hit, Petya spreads rapidly through networks that use Microsoft Windows. The malicious software spreads rapidly across an organization once a computer is infected using the EternalBlue vulnerability in Microsoft Windows or through two Windows administrative tools. The malware tries one option and if it doesn’t work, it tries the next one.

Top 20 countries based on numbers of affected organizations

According to the Ukrainian Cyber Police, the attack appears to have been seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use. The ransomware infects computers and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted and try and rescue the files from the machine.

According to a Symantec study, there has been a 36% increase in ransomware attacks in 2016, with 3x as many as new ransomware families coming to the block. It has also been observed that attackers target those countries that can pay the highest ransom.
 
How does the industry reacts?
Sophos in its statement said that Petya (or Petrwrap/Petyawrap) was first discovered in 2016 – it is ransomware that encrypts MFT (Master File Tree) tables and overwrites the MBR (Master Boot Record), dropping a ransom note and leaving victims unable to boot their computer. “This new variant is particularly virulent because it uses multiple techniques to spread automatically within a company’s network once the first computer is infected.” 

Kaspersky Lab experts on the other hand aim to release new signatures, including for the System Watcher component as soon as possible and to determine whether it is possible to decrypt data locked in the attack – with the intention of developing a decryption tool as soon as they can. It also advises all companies to update their Windows software, to check their security solution and ensure they have back up and ransomware detection in place.

Rana Gupta, Vice President – APAC Sales, Identity and Data Protection, Gemalto opines, “Because data is the new oil in the digital economy, ransomware attacks that restrict access to important data until the attacker is paid are becoming increasingly common. However, neither businesses nor individuals should pay ransoms to unlock any files that have been affected by a ransomware attack, as this incentivises and rewards these kinds of attacks. In order to prevent becoming a victim of a ransomware attack, data should be backed-up and encrypted, and stored away from the network the rest of the data is stored on. This means that, in the event that a ransomware attack locks someone out of their files, they will have secure copies available. By doing this, the victim would be able to return to business-as-usual quickly and efficiently.”

Aamir Lakhani, Senior Security Strategist at Fortinet points out that Petya uses the same attack vector as WannaCry, exploiting the identical Microsoft vulnerabilities that were uncovered by the Shadow Brokers earlier this year. “There are a couple of really interesting aspects to this attack. The first is that, in spite of the highly publicized disclosure of the Microsoft vulnerabilities and patches, and the world-wide nature of the follow-up WannaCry attack, there are apparently still thousands of organizations, including those managing critical infrastructure that have failed to patch their devices. The second is that this may simply be a test for delivering future attacks targeted at newly disclosed vulnerabilities.”

From a financial perspective, WannaCry was not very successful, as it generated very little revenue for its developers. This was due, in part, because researchers were able to find a kill switch that disabled the attack. Petya’s payload, however, is much more sophisticated, though it remains to be seen if it will be more financially successful than its predecessor.
Sharing her views, Sharda Tickoo, Technical Head, Trend Micro India says, “In India, so far we have no cases of Petya that have been reported to us. The countries most affected are Europe, typically Ukraine and Russia. We would recommend the companies to maintain an important hygiene of regularly taking back-up of necessary data and proactively monitor the systems for any suspicious activity. And most importantly, because it is a ransomware, we have to secure the email gateway first. There are also certain URL categorizations employed in work environment which can block access to malicious codes. Ensure that all the workstations have least privilege unless any workstation actually requires administrator privilege, as the ransomware spreads and tries to escalate the privileges.”

After the attacks, the IT Advisory/Risk Advisory team at BDO India released an advisory alert which says that the malware called, "Petya" or which security researchers are calling "NotPetya”, differs from typical ransomware as it doesn’t just encrypt files, but it also overwrites and encrypts the master boot record (MBR)1. “The attack appears to have been initially seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use, according to the Ukrainian Cyber Police. Like WannaCry, NotPetya is spreading rapidly through networks that use Microsoft Windows and has already affected large number of companies, organizations and government entities on an international scale. As of today, 36 payments have already been made falling prey to this attack,” it read.

Sivarama Krishnan, Partner & Leader, Cyber Security - PwC India observes that there are three propagation attack vectors which has been observed that the current variants of the ransomware is using - Eternal blue - exploiting the MS17-010 vulnerability; Admin$ and WMI. “The worm spreads only within the subnet of initially infected host. Infection from internet systems may be limited (however this is yet to be confirmed for all variants). The system goes for a shutdown before being encrypted. In case in system has shut down automatically without user intervention - do not restart it. Isolate it and involve IR teams for disk imaging/analysis as necessary,” says Sivarama.

“The second ransomware attack less than a month from WannaCry, has brought to light how the speed of attacks has changed dramatically,” says Kartik Shahani, Integrated Security Leader, IBM India/South Asia. “Petya shows the attackers have learned from WannaCry, and have updated it be more powerful. What makes Petya different is that unlike WannaCry, the ransomware can also infect patched systems on connected networks using Windows Management Instrumentation Command-line (WMIC) and PsExec, a remote command tool from Microsoft. Companies need to ensure that all systems with network access in the organization are patched for the Microsoft vulnerabilities. If infected, the first step is to disconnect the devices from the network and shut them down immediately to lessen the damage. While many companies may be tempted to pay ransom to get their systems back online, there are no guarantees that people who did pay the ransom will receive their files back.”

Rakesh Kumar Singh, Datacenter lead, Juniper Networks India contends, “Mainly corporates which are not in high-tech are more vulnerable as they have lots of legacy OS installations that were ignored as they were used for non-intensive purposes like data entry. We saw that lots of intellectual property data was locked out during the WannaCry event. Since Petya is not only exploiting the same ‘EternalBlue’ vulnerability but additional known vulnerability that was exposed from prior leaks, we are expecting a wider impact this time. We are also expecting that lots of home users would be affected too. It is a wakeup alert for all SMBs who avoided moving away from out-of-support operating systems. The main learning is that critical data should not be residing on user desktops.”

Amit Jaju, Executive Director, Fraud Investigation & Dispute Services, EY India says, “The recent cyber-attack through the strain of Petra Ransomware – now called PetWrap has hit many global companies through a software update from an Eastern European company. We have seen that the ransomware could be lethal as it encrypts the master boot record and hard drive, making it quite impossible to recover individual files once the entire hard drive is encrypted. While the total encryption process may take over an hour to complete, even a ten minute window could be sufficient for the ransomware to make the entire hard drive unusable.”

And so...
India is responding positively with no major impact on our businesses. During the last attack, the government activated the ‘preparedness and response mechanism’, which turns to India learning two important lessons from this situation -

• To be always prepared: companies need to constantly stay up to date for plausible treats that could come their way
• To have the armour to face such threats: the IT space needs to have enough skilled labour to counter such acts efficiently. These lessons should be implemented effectively and maintained as a hygiene for all companies henceforth.