For the second time in as many months we are seeing a large-scale cyber-attack campaign which is impacting businesses globally. Leaving the finer technical details aside, at first it appeared similar to the WannaCry attack widely reported in May, however it is now looking like there may be different motives behind the attack.
Ransomware has been around for decades, only gaining prominence in the last 5 or so years as its impact has been felt by more victims globally. It’s a relatively straightforward form of extortion: a computer typically becomes infected because the user opens a malicious attachment in an email or, as in this case, visits a website which has been compromised and loaded with the malware. The malware proceeds to disable the computer and/or encrypt the user’s data (and any data on other computers which the user can legitimately access) and demands a ransom payment in Bitcoin to give them access to their data again.
As with the WannaCry malware, the Petya malware (also known as NotPetya or GoldenEye) also has the ability to automatically spread to computers within reach, without requiring any interaction from legitimate users. In this way it is more like self-propagating malware (commonly known as ‘worms’), which makes it a far bigger issue for companies and other organisations who rely on large networks of interconnected systems (as opposed to personal/home users whose networks are smaller and who can patch more easily).
In line with the majority of malware, the Petya malware exploits at least one already known vulnerability (for which a patch has been released), but it also combines a variety of other techniques to propagate itself and infect other machines within targeted networks. So, while it would have been very helpful for organisations to have applied the patch released by Microsoft back in March, doing so would not necessarily have stopped this attack.
Initial intelligence suggested that this was yet another ransomware attack, where the intent is simply to make relatively small amounts of money ($300-900) from a large number of victims. However, we have since learned that the malware used in this attack was not actually ransomware but more akin to a wiper malware that permanently encrypts all data on the infected systems. In fact, the malware appears to be purposefully designed to not include the capabilities to decrypt and recover the encrypted data. The attackers also appeared to be using a single Bitcoin wallet (similar to a bank account) to receive the ransom monies and a single email address to communicate with victims. This is strange for ransomware in that it’s very easy to shut them both down (which they were), thus depriving the attackers of reaping the rewards of their crimes. While it’s unlikely that we will ever uncover the true identity of the attackers or their motives, a number of plausible explanations exist:
Given that the actual impact of the malware was to destroy computers and data, with no prospect of returning access to the data even if the ransom was paid, it’s highly likely this attack was a targeted ‘Wiper’ malware, designed simply to destroy systems and data (using the ransom note to distract attention from this real intent). Its initial impact fell on organisations in Ukraine, likely the primary target. However, as with any self-propagating malware, not even the authors can control where it ends up, leaving collateral damage in numerous other countries.
The advice on how to protect yourself remains the same as ever:
Although the motives appear different, organisations impacted by this or the previous WannaCry attack should take it as a final wake-up call that cyber-attackers are not going away and basic cybersecurity measures can significantly reduce the risks of becoming a victim in the first place. Focus on educating your users to spot and prevent attacks (by not clicking where they shouldn’t) whilst also patching known vulnerabilities and making changes to how systems are configured in order to defend against the various techniques this current attack leverages. If this fails, ensuring you have working backups is critical to survival.
We are still in the early stages of learning about this attack, particularly the finer technical details of how it is executed and therefore how best to respond. EY will continue to provide detailed technical updates as our research teams uncover further details of the attack.
Get in touch with me, Hugh Callaghan or your usual EY contact for more information on how to protect your organisation from cyber security attacks.