WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe

Share this…

Tuesday saw a second major cyberattack in as many months, affecting several countries and dozens of major companies — and that’s just the start.

Some of the dust has settled throughout the day. Here’s what you need to know, now.

1. THE SAME ATTACK — BUT DIFFERENT

If you thought this was similar to last month’s WannaCry ransomware attack, you’d be right.

Just like last time, the unknown attacker used a backdoor exploit developed by the National Security Agency, EternalBlue, which leaked some months ago. The attacker installed the backdoor on thousands of computers, later used as a delivery vehicle for a ransomware payload.

Last month, it was the WannaCrypt ransomware, but this time, security firms Symantec and Bitdefender have confirmed that it’s a Petya ransomware strain dubbed GoldenEye, which doesn’t just encrypt files — it also encrypts hard drives, rendering entire computers useless.

Many of the initial reports of organizations affected came from Ukraine, including banks, energy companies and even Kiev’s main airport. It’s spread to Denmark, Russia, the UK, and the US. At least one hospital has been hit by the ransomware.

So far, Kaspersky said there had been more than 2,000 separate attacks in the six hours after the initial infection, while the UK’s national cybersecurity declared a “global ransomware incident.”

2. NOBODY KNOWS WHO’S BEHIND THE ATTACK. BEWARE THE ‘NATION STATE’ RHETORIC UNTIL THERE’S EVIDENCE

It’s easy to want to assume that this could be a nation state attack, given that blame is usually pointed at Russia for major cyberattacks or political meddling. In last month’s cyberattack, North Korea was a key suspect.

But there’s no evidence at this time to suggest a government is behind the attack.

The problem is that because hackers published the set of NSA tools used to carry out both last month’s and today’s attack, anyone can use them — from a nation state to a lone hacker.

Given that many are still poring over last month’s attack and still have yet to come up with any definitive answers as to who was behind it and why goes to show that attribution is extremely difficult, if not impossible.

Read more: Who’s to blame for that cyberattack? Here’s why nobody’s really sure | Congress introduces bill to stop US from stockpiling cyber-weapons | NSA’s hacking tools have leaked

3. SOME INFECTIONS ARE TRACED BACK TO ONE UKRAINIAN FINANCIAL SOFTWARE COMPANY

One security firm appears to have found a connection between a Ukrainian financial software firm and the possible “ground zero” of the attack.

Talos Intelligence said in a preliminary analysis that “it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc.”

That appears to have been confirmed by the company. “Our server made a virus attack. We apologize for the inconvenience!” said the note. (MeDoc later denied the claim in a Facebook post.)

“Essentially what happened is MeDoc was hacked and they pushed out the malware via the update feature,” tweeted MalwareTech, a security researcher credited for finding and activating the kill-switch in the WannaCry attack.

Talos isn’t sure how MeDoc was hacked. It is investigating the possibility that an attacker emailed a malicious attachment to an employee on MeDoc’s network, but said it can’t yet be confirmed.

If proven to be true, that would lend more credence to the possibility that a nation state attacker, or at least a very advanced hacker, launched the attack by hacking into MeDoc’s servers.

4. ONE POINT OF ENTRY CAN DESTROY A NETWORK — PATCH EVERYTHING

If you haven’t patched your systems recently, now might be a good time.

According to analysis by several security experts, all it takes is one point of entry to infect an entire network. That means if one computer out of a hundred hasn’t patched the EternalBlue exploit, released by Microsoft earlier this year, it can laterally spread across an entire network.

In other words, all boats need to be patched as one wave can tip them all over.

Locally networked or enterprise users are at the greatest risk. So far, larger companies appear to be the most affected, including US pharmaceutical giant Merck, Russian petroleum company Rosneft, British marketing giant WPP, and Danish transport and energy firm Maersk,

The good news is that most homes with a single Windows computer are likely automatically patched and can’t be infected.

5. YES, THIS FLAW WAS PATCHED ALREADY BUT THERE’S ALWAYS ONE…

Microsoft released several security patches last month in the immediate wake of the WannaCry cyberattack, including for older versions of Windows that it doesn’t support anymore, in an effort to stop the malware from spreading.

The vast majority of home and business networks running the latest patches and fixes are safe from today’s attack.

But clearly, not everyone installed the patches.

Many computers and networks that run critical infrastructure — like train stations and airports — were directly affected by today’s ransomware attack because they are connected to networks that are vulnerable and aren’t patched. Many would prefer not to install patches immediately because they can, on occasion, cause more harm than good. But also many don’t want the downtime of restarting a computer — especially in 24-hour always-on environments, like transport hubs.

6: DECRYPTION IMPOSSIBLE?

And one last thing.

The email address displayed on the ransomware message has been blocked by the email provider, meaning nobody can get the decryption keys to unlock their computers.

That means anyone who paid the ransom — about $300 worth of bitcoin to the anonymous wallet — and confirmed their payment to the email listed on the ransomware warning message wasted their money. (At the time of writing, the bitcoin wallet had about $6,000, suggesting at least 20 people had paid the ransom.)

Posteo, an email provider used by the ransomware attacker, said in a blog post that it “blocked the account straight away” around two hours into the attack.

“We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases,” said the statement.

Source:https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/