Dealing with the Global Petya / GoldenEye Ransomware Outbreak

On Tuesday, 27th June 2017, news started to emerge from Ukraine that a major cyber-attack had taken hold of systems, including the Ukrainian government’s web services. Supermarkets, public transport, and the Ukrainian central bank all ground to a halt as screens flickered in unison, displaying an email address and a demand for payment.

As the day progressed, reports came in of similar scenarios being faced in different parts of the world – UK advertising firm WPP were affected, as well as the Spanish offices of US law firm DLA Piper and Danish shipping firm Maersk’s Rotterdam operations. At least one hospital in the United States is thought to have been hit by the attack at the time of writing.

What is the attack? Is this WannaCry all over again?

In its simplest form, the attacks seen globally on the 27th appear to be ransomware. We’ve covered the risks of ransomware previously,

Firms around the globe are reporting a major cyber-attack
— BBC Breaking News (@BBCBreaking) June 27, 2017

In addition, the ransomware includes elements from GoldenEye ransomware – a more potent evolution of Petya which attacks boot records and encrypts files. Oh dear.

Commissum’s Jay George weighed in with his analysis of the situation: “With WannaCry the attackers made use of an exploit called EternalBlue – an exploit stolen from the NSA’s raft of hacking tools and released by the Shadow Brokers earlier in the year, which affects Windows’ Server Message Block (SMB) protocol. The entry point of this new strain remains to be discovered, though the consensus that’s forming points towards a piece of Ukrainian tax filing software as the root cause of the infection.”

This was despite Microsoft releasing a critical security patch for the underlying Windows vulnerability back in March, a patch that was eventually extended to older platforms no longer receiving regular support and updates. “Patches are only effective if they’re applied,” said Boglarka Ronto, Head of Commissum’s Testing Services. “Time and again we carry out tests for clients and they’ve failed to roll out routine patches.”

“So far, no permanent fix has been found for this particular strain – meaning machines can still carry and spread the ransomware even after the fix has been applied.”

– Jay George, COO and Head of Consulting at Commissum