Global Cyberattack Known as Petya Marks Second Attack Reported to Use ‘Shadow Brokers’ Toolkit
July 7, 2017
We shouldn’t have been surprised: WannaCry signaled more attacks were coming.
On June 27, a little more than a month after WannaCry became the first program to use purportedly leaked NSA hacking tools to launch ransomware attacks across the globe, another attack using malware followed its lead.
Many organizations hit were vulnerable because of the same exploit that allowed WannaCry to propagate.
Initial reports say the attack—launched using a potentially new strain of the Petya virus—infected more than 12,500 machines and spread to at least 64 countries, beginning in Ukraine the night before its independence holiday. While organizations in countries including the U.K., Belgium, Brazil, Germany, France, Italy, Denmark, the Netherlands, India, Australia and the U.S. were also targets, Ukraine bore a large proportion of the attack, and on June 28, cyber experts began questioning whether the attack’s motive was indeed profit or in fact destruction.
On the day of the attack, the actors behind Petya demanded $300 in Bitcoin from users to deliver the key to decrypt the ransomed data, payable to one Bitcoin account. As of the following morning, the unified Bitcoin account recorded 36 transactions totaling about $9,000.
But the only form of communication—and route to potentially recovering files absent backups—was shut down by the email provider shortly after news of the attack spread, preventing any future payments—or decryption keys—from being issued.
Although the Ukrainian government said it had the situation under control by evening, the country saw critical infrastructure in its energy, transportation and utilities sectors impacted, including its Chernobyl radiation monitoring facility.
Other organizations affected included Danish shipping company Maersk and Russian energy giant Rosneft.
What is Petya?
Like WannaCry, Petya is a type of malicious software that infects a computer and restricts user access to the machine.
Petya’s attack vectors include the EternalBlue exploit, which reaches computers through a vulnerability in Microsoft’s Server Message Block (SMB) protocol, the one addressed by Microsoft security bulletin MS17-010. It also has other attack vectors: an exploit known as EternalRomance, which targets Windows XP to 2009 systems, and a compromised update to M.E.Doc, a third-party Ukrainian software product.
Unlike typical ransomware, in addition to locking individual files, Petya also cripples the entire device by overwriting and encrypting the machine’s master boot record (MBR), according to Symantec.
While Petya has characteristics that resemble WannaCry, it looks to be more dangerous for two reasons. First, if the infected machine has administrator access to the larger network, Petya has the ability to corrupt the organization’s entire network, reported Forbes. This enables the virus to spread at a much quicker rate and inflict greater damage than WannaCry. According to some media reports, the virus also seems to have been designed as a “wiper,” which means this variant is more dangerous in that it may have the capability to destroy data, rather than true ransomware, which is designed to prevent access to data. As a result, it appears to be incapable of decrypting impacted machines in certain instances, even if the ransom is paid.
Second, a kill switch was discovered relatively quickly following the WannaCry attack, leading experts to believe it was the work of amateur attackers. On the other hand, a professional—and more rehearsed—group looks to be behind Petya, as it appears to lack the bugs found in WannaCry.
As of June 29, the actors—and motive—behind the attack remained unclear, but the incident underlines the importance of cyber vigilance.
How can organizations defend themselves?
Initial reports showed that as with WannaCry, organizations’ failure to apply the Microsoft patch for the MS17-010 vulnerability dated March 14, 2017 enabled Petya to infiltrate victims’ systems in many cases. But Petya has at least two other attack vectors outside of the EternalBlue exploit—underscoring that the Microsoft patch is not a cure-all.
“The new ransomware has worm capabilities, which allows it to move laterally across infected networks,” Microsoft said in a June 28 statement. “Based on our investigation, this new ransomware strain shares similar codes and is a new variant of [the Petya family]. This new strain of ransomware, however, is more sophisticated.”
Organizations that have not yet applied the MS17-010 patch should still do so immediately. Those using unsupported Windows operating systems including Windows XP, Windows 8 and Windows Server 2003 should follow customer guidance from Microsoft.
Until organizations can apply the patch, Microsoft issued the following workarounds to reduce the attack surface:
Microsoft also released cloud-delivered protection updates and made updates to its signature definition packages shortly after the June 27 attack. The updates were delivered to all Microsoft free antimalware products, including Windows Defender Antivirus and Microsoft Security Essentials. Organizations can download the latest version of these files manually and should review Microsoft’s full guidance on the attack.
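The patch-and-workaround advice above can be turned into a quick host check. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes Windows 8/Server 2012 or later with the SmbShare module, an elevated session, that disabling SMBv1 is the workaround in use, and a hand-maintained (possibly incomplete) list of MS17-010 package IDs that should be verified against Microsoft’s bulletin for each OS build.

```powershell
# Added example: audit one Windows host for the two exposures the article
# names, the missing MS17-010 update and an enabled SMBv1 protocol (the
# protocol EternalBlue and EternalRomance abuse). Run as Administrator.
# ASSUMPTION: this KB list is partial and hand-maintained; confirm the
# identifiers for your OS build against the MS17-010 bulletin.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012598',               # XP / Vista / Server 2003 / 2008 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Patch {
    # $true if any known MS17-010 package is installed.
    # Caveat: later cumulative updates supersede these IDs, so $false means
    # "check the build number and update history", not "certainly vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return (@($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0)
}

function Test-Smb1Enabled {
    # Server-side SMBv1 switch. On older builds an explicit registry value
    # of 0 disables it even when the cmdlet is unavailable, so check both.
    $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
           -ErrorAction SilentlyContinue
    if ($null -ne $reg.SMB1 -and $reg.SMB1 -eq 0) { return $false }
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return $true }   # assume enabled if we cannot query
    return [bool]$cfg.EnableSMB1Protocol
}

function Disable-Smb1 {
    # The workaround: turn the SMBv1 server off (reboot needed on older builds).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$patched = Test-Ms17010Patch
$smb1    = Test-Smb1Enabled
"MS17-010 package present : $patched"
"SMBv1 server enabled     : $smb1"
if (-not $patched -or $smb1) {
    Write-Warning 'Host exposed to SMBv1-based worm propagation: apply MS17-010 and run Disable-Smb1.'
}
```

Run it from an elevated PowerShell prompt; the script only reports, and `Disable-Smb1` is a separate call so the change can be scheduled with a reboot window.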
Victims of the ransomware who have not yet paid the attackers should contact their local FBI Office Cyber Task Force or the FBI’s 24/7 National Cyber Watch Center (CyWatch) at (855) 292-3937 before doing so.
Additionally, the United States Computer Emergency Readiness Team (US-CERT) recommends the following risk mitigation measures:
Our team offers these additional recommendations:
For more information on how to protect your business, please contact your Smith & Howard professional at 404-874-6244 or fill out the contact form below.