Global Cyberattack Known as Petya Marks Second Attack Reported to Use ‘Shadow Brokers’ Toolkit

by: Smith and Howard

July 7, 2017


We shouldn’t have been surprised: WannaCry signaled more attacks were coming.

On June 27, a little more than a month after WannaCry became the first program to use purportedly leaked NSA hacking tools to launch ransomware attacks across the globe, another attack using malware followed its lead.

Many organizations hit were vulnerable because of the same exploit that allowed WannaCry to propagate.

Initial reports say the attack—launched using a potentially new strain of the Petya virus—infected more than 12,500 machines and spread to at least 64 countries, beginning in Ukraine the night before its independence holiday. While organizations in countries including the U.K., Belgium, Brazil, Germany, France, Italy, Denmark, the Netherlands, India, Australia and the U.S. were also targets, Ukraine bore a large proportion of the attack, and on June 28, cyber experts began questioning whether the attack’s motive was indeed profit or in fact destruction.

On the day of the attack, the actors behind Petya demanded $300 in Bitcoin from users to deliver the key to decrypt the ransomed data, all payable to a single Bitcoin account. As of the following morning, that account had recorded 36 transactions totaling about $9,000.

But the attackers’ only channel of communication—and, for victims without backups, the only route to potentially recovering files—was a single email address that the email provider shut down shortly after news of the attack spread, preventing any further payments—or decryption keys—from being exchanged.

Although the Ukrainian government said it had the situation under control by evening, the country saw critical infrastructure in its energy, transportation and utilities sectors impacted, including its Chernobyl radiation monitoring facility.

Other organizations affected included Danish shipping company Maersk and Russian energy giant Rosneft.

What is Petya?

Like WannaCry, Petya is a type of malicious software that infects a computer and restricts user access to the machine.

Petya’s attack vectors include the EternalBlue exploit, which reaches computers through a vulnerability in Microsoft’s Server Message Block (SMB) protocol, the one addressed by security bulletin MS17-010. It also has other attack vectors: an exploit known as EternalRomance, which targets Windows XP to 2009 systems, and a compromised software update for M.E.Doc, a third-party Ukrainian software product.

Unlike typical ransomware, in addition to locking individual files, Petya also cripples the entire device by overwriting and encrypting the machine’s master boot record (MBR), according to Symantec.

WannaCry 2.0

While Petya has characteristics that resemble WannaCry, it looks to be more dangerous for two reasons. First, if the infected machine has administrator access to the larger network, Petya has the ability to corrupt the organization’s entire network, reported Forbes. This enables the virus to spread at a much quicker rate and inflict greater damage than WannaCry. According to some media reports, the virus also seems to have been designed as a “wiper,” which means this variant is more dangerous in that it may have the capability to destroy data, whereas true ransomware is designed only to prevent access to data. As a result, it appears to be incapable of decrypting impacted machines in certain instances, even if the ransom is paid.

Second, a kill switch was discovered relatively quickly following the WannaCry attack, leading experts to believe it was the work of amateur attackers. On the other hand, a professional—and more rehearsed—group looks to be behind Petya, as it appears to lack the bugs found in WannaCry.

As of June 29, the actors—and motive—behind the attack remained unclear, but the incident underlines the importance of cyber vigilance.

How can organizations defend themselves?

Initial reports showed that, as with WannaCry, organizations’ failure to apply the Microsoft patch for the MS17-010 vulnerability, dated March 14, 2017, enabled Petya to infiltrate victims’ systems in many cases. But Petya has at least two other attack vectors outside of the EternalBlue exploit—underscoring that the Microsoft patch is not a cure-all.

“The new ransomware has worm capabilities, which allows it to move laterally across infected networks,” Microsoft said in a June 28 statement. “Based on our investigation, this new ransomware strain shares similar codes and is a new variant of [the Petya family]. This new strain of ransomware, however, is more sophisticated.”

Organizations that have not yet applied the MS17-010 patch should still do so immediately. Those using unsupported Windows operating systems including Windows XP, Windows 8 and Windows Server 2003 should follow customer guidance from Microsoft.

For organizations that cannot yet apply the patch, Microsoft issued the following workarounds to reduce the attack surface:

  • Disable SMB version 1 using the steps Microsoft has documented.
  • Consider adding a rule to your router or firewall to block incoming SMB traffic on port 445.
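The following PowerShell script is an added example, not code from the article or from Microsoft: it audits a single Windows host for both workarounds and for the MS17-010 update, and applies the workarounds only when run with -Enforce. The firewall rule name is assumed, and the KB numbers must be filled in from Microsoft’s MS17-010 bulletin for the host’s operating system.

```powershell
# Added example (not from the article or Microsoft): audits and, with -Enforce,
# applies the two workarounds above on one Windows host and reports whether an
# MS17-010 update is installed. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [switch]$Enforce,            # without -Enforce the script only reports
    [string[]]$Ms17010Kbs = @()  # placeholder: KB ids for this OS from the MS17-010 bulletin
)

# 1. SMBv1 on the server side (Set-SmbServerConfiguration exists on Windows 8 / Server 2012 and later)
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server protocol is ENABLED'
    if ($Enforce) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output 'SMBv1 server protocol disabled'
    }
} else {
    Write-Output 'SMBv1 server protocol already disabled'
}

# Remove the SMB1Protocol optional feature as well (client desktops; servers use the FS-SMB1 feature instead)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Write-Warning 'SMB1Protocol Windows feature is installed'
    if ($Enforce) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 2. Host firewall rule for inbound TCP/445 (rule name is assumed). This also
#    stops file and print sharing served BY this host, so scope it to clients.
$ruleName = 'Block inbound SMB 445 (MS17-010 workaround)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    Write-Warning "No inbound block rule for TCP/445 named '$ruleName'"
    if ($Enforce) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
        Write-Output 'Inbound TCP/445 block rule created'
    }
}

# 3. Is one of the listed MS17-010 updates installed? Get-HotFix only sees updates
#    installed as separate packages; later cumulative updates may supersede them.
if ($Ms17010Kbs.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) { Write-Output "MS17-010 update present: $($installed.HotFixID -join ', ')" }
    else { Write-Warning 'None of the listed MS17-010 updates is installed; patch immediately' }
}
```

Run it once without -Enforce to see what would change, then again with -Enforce once the host-firewall impact on shared folders served by that machine has been reviewed.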

Microsoft also released cloud-delivered protection updates and made updates to its signature definition packages shortly after the June 27 attack. The updates were delivered to all Microsoft free antimalware products, including Windows Defender Antivirus and Microsoft Security Essentials. Organizations can download the latest version of these files manually from Microsoft and should review Microsoft’s full guidance on the attack.

Victims of the ransomware who have not yet paid the attackers should contact their local FBI Office Cyber Task Force or the FBI’s 24/7 National Cyber Watch Center (CyWatch) at (855) 292-3937 before doing so.

Additionally, the United States Computer Emergency Readiness Team (US-CERT) recommends the following risk mitigation measures:

  • Put in place a data backup and recovery plan for all critical information, and conduct regular test backups to limit the impact of a data or system loss and streamline the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. This allows only explicitly approved programs to run and blocks all others, including malicious software.
  • Keep all operating systems and software up-to-date with the latest security patches, greatly reducing the number of exploitable entry points for attackers into your systems.
  • Keep anti-virus software current and scan all software downloaded from the internet before executing it.
  • Limit users’ permissions to install and run unwanted software applications, applying the principle of least privilege to all systems and services.
  • Disable macros in email attachments. When users open attachments and enable macros, the embedded code executes the malware on the machine.
  • Avoid clicking on unsolicited links in emails.

Our team offers these additional recommendations:

  • Remember the human element. Some of the attacks by Petya were entirely preventable. The ransomware succeeded at infecting some computers because users failed to install a months-old patch—in other words, because of human negligence and a lack of awareness. Change user behavior by introducing a training program based on employees’ organizational roles, implementing cyber hygiene best practices (e.g., not opening suspicious emails or attachments) and regularly testing the program’s effectiveness.
  • Implement a risk-based, threat-driven patch management program. Patch management should be a dynamic, risk-based process rather than a check-the-box compliance approach. Organizations must be able to identify system vulnerabilities and relevant patches in a timely manner, understand the degree of risk the vulnerability presents, and work with asset owners to deploy the update.
  • Monitor, monitor, monitor. To be cyber resilient, organizations need to have threat monitoring and analytics tools to detect an attack, as well as the investigative and digital forensics capabilities to understand what went wrong and the scope of the damage. The sooner a cyberattack is detected, the sooner incident response and mitigation strategies can be put into effect. When it comes to ransomware, early detection can make all the difference in salvaging critical data and information systems.
  • Develop and test an incident response plan. It’s crucial that organizations are prepared to respond quickly to mitigate the impact of a cyberattack. Along with containing and removing the threat, the incident response plan should also consider breach notification protocols for all stakeholders and proactive steps to minimize damage to brand reputation.
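As an added example of the monitoring point above (not code from the article), the PowerShell script below runs a simple detection over constructed firewall-style log lines: a host whose TCP/445 connection attempts reach many distinct peers inside a short window is behaving the way an SMB-spreading worm does when it moves laterally. The log format, the window size and the peer threshold are all assumptions.

```powershell
# Added example (not from the article): flags hosts whose TCP/445 connection
# attempts fan out to many distinct peers inside a short window, the trace an
# SMB-spreading worm leaves in firewall or flow logs. Log lines are constructed
# and the field layout (time src dst dport action) is assumed.
$sampleLog = @(
    '2017-06-27T10:30:00Z 10.0.1.40 10.0.1.5 445 ALLOW'   # normal file-server use
    '2017-06-27T10:31:00Z 10.0.1.40 10.0.1.5 445 ALLOW'
    '2017-06-27T10:30:05Z 10.0.1.40 10.0.1.9 443 ALLOW'   # not SMB, ignored
) + (0..11 | ForEach-Object {
    # one host probing twelve different peers on 445 within 22 seconds
    '2017-06-27T10:30:{0:D2}Z 10.0.1.25 10.0.1.{1} 445 ALLOW' -f ($_ * 2), (100 + $_)
})

function Find-SmbFanOut {
    param([string[]]$Lines, [int]$WindowSeconds = 60, [int]$PeerThreshold = 10)
    # keep only port-445 events, parsed to UTC timestamps
    $events = foreach ($l in $Lines) {
        $f = $l.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[3] -eq '445') {
            [pscustomobject]@{
                Time = [datetimeoffset]::Parse($f[0]).UtcDateTime
                Src  = $f[1]
                Dst  = $f[2]
            }
        }
    }
    $events | Group-Object Src | ForEach-Object {
        $src    = $_.Name
        $sorted = @($_.Group | Sort-Object Time)
        # slide a window forward from each event; report the first one that
        # reaches the distinct-peer threshold, then move on to the next source
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end   = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $peers = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $PeerThreshold) {
                [pscustomobject]@{ Source = $src; WindowStart = $sorted[$i].Time; DistinctPeers = $peers.Count }
                break
            }
        }
    }
}

# Only 10.0.1.25 is reported; 10.0.1.40 talks to a single file server and is not
Find-SmbFanOut -Lines $sampleLog | Format-Table -AutoSize
```

Tune the threshold against a baseline of normal SMB traffic first, since backup servers and vulnerability scanners legitimately fan out on port 445 and should be allow-listed rather than alerted on.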

For more information on how to protect your business, please contact your Smith and Howard professional at 404-874-6244 or fill out the contact form below.
