On Tuesday, 27th June 2017, news started to emerge from Ukraine that a major cyber-attack had taken hold of systems, including the Ukrainian government’s web services. Supermarkets, public transport, and the Ukrainian central bank all ground to a halt as screens flickered in unison, displaying an email address and a demand for payment.
As the day progressed, reports came in of similar scenarios being faced in different parts of the world – UK advertising firm WPP were affected, as well as the Spanish offices of US law firm DLA Piper and Danish shipping firm Maersk’s Rotterdam operations. At least one hospital in the United States is thought to have been hit by the attack at the time of writing.
What is the attack? Is this WannaCry all over again?
In its simplest form, the attacks seen globally on the 27th appear to be ransomware. We’ve covered the risks of ransomware previously, the Analogies Project. While details are still emerging, early reports suggest that the malicious code shares some characteristics with Petya, a strain of ransomware which spread almost a year ago.
Reports from affected organisations and individuals affected by the attack say that affected machines rendered useless, displaying a ransom note asking for $300 in Bitcoin payment for files to be restored.
Analysis of the malware suggests that, while the effects are not unlike those in the aftermath of the recent WannaCry outbreak that caused major disruption at NHS hospitals by encrypting files on machines, this latest attack modifies the boot records of the machines it infects, leaving them unable to even start up – a similar method to Petya.
In addition, the ransomware includes elements from GoldenEye ransomware – a more potent evolution of Petya which attacks boot records and encrypts files. Oh dear.
Commissum’s Jay George weighed in with his analysis of the situation: “With WannaCry the attackers made use of an exploit called EternalBlue –an exploit stolen from the NSA’s raft of hacking tools and released by the Shadow Brokers earlier in the year, which affects Windows’ Server Message Block SMB protocol. The entry point of this new strain remains to be discovered, though the consensus that’s forming points towards a piece of Ukrainian tax filing software as the root cause of the infection.”
This was despite Windows releasing a critical security patch for the underlying vulnerability back in March, which was eventually extended to older platforms no longer receiving regular support and updates. “Patches are only effective if they’re applied,” said Boglarka Ronto, Head of Commissum’s Testing Services. “Time and again we carry out tests for clients and they’ve failed to roll out routine patches.”
What can be done?
In the case of WannaCry, a security researcher discovered a ‘kill switch’ built in to the malware’s code. When this domain was registered, the malware shut down before executing its payload, halting the spread of its nefarious effects.
“So far, no permanent fix has been found for this particular strain – meaning machines can still carry and spread the ransomware even after the fix has been applied.”
So far, no such kill switch has been discovered for this attack, dubbed ‘NotPetya’ for its affinity with the older strain. Researchers have discovered what’s being described as a ‘vaccine’ for the virus – security news site Bleeping Computer published details of how creating a specific read-only file on machines appears to prevent the ransomware taking hold.
“This is a short-term preventative measure,” Jay elaborated on the fix. “The steps outlined in the Bleeping Computer article need to be carried out on machines individually. So far, no permanent fix has been found for this particular strain – meaning machines can still carry and spread the ransomware even after the fix has been applied.”
In the wake of the attack, some have attempted to pay the ransom to restore their critical files – Infosecurity News reports on their site that at least 40 payments have been made to the Bitcoin wallet associated with the attack.
However, victims looking to gain urgent access to their encrypted files who attempt to pay the fee are now unable to contact the attackers – the email hosting company used by the hacker, Posteo, has shut down the account. It said in post on its site: “We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.”
Paying ransoms in this sort of scenario is generally advised against unless restoration of the files is critical in the short term. When people pay up, the ransomware business model is legitimised for hackers, attracting more to the industry and encouraging the creation of new and diverse strains of ransomware, by hackers looking for financial gain or simply notoriety.
Fact of life
The increasing frequency of attacks on this scale should be a wakeup call for organisations to prepare themselves for the next. Luckily, there are steps that can be taken, says Jay: “Regular backups, combined with a strong regime of patching and layered antivirus software will help you prepare for such attacks – different AV vendors on the gateway as is on endpoints will help, while ensuring regular and efficient backups will limit the damage an incident such as this will have on your organisation.”
We can help
Commissum provide many solutions to help organisations protect themselves against cyber threats like Ransomware. We can conduct cybersecurity audits and health checks to make sure your procedures and processes are as effective as they possibly can be, and provide advice on how to make improvements for better security.
Our CREST penetration testing services give you insight into how well your current controls would withstand an attack scenario, providing a clear picture of what to focus on for improvements.
Our managed SIEM service analyses threats as they are discovered, and can alert you to attacks like this one before the malware has had a chance to unleash its payload by scanning your network for Indicators of Compromise (IOCs).
We can also help you put together an incident response plan that’s tried and tested – meaning you’re equipped to respond quickly and effectively should an attack take hold.