Second Global Ransomware Attack
Businesses and government systems have been hit in a global ransomware attack. The malware, a variation of the Petya ransomware which some analysts are calling ‘Goldeneye’ or ‘NotPetya’, has so far encrypted files and hard drives on 2,000 machines. High-profile victims include Danish shipping giant Maersk, US pharmaceutical company Merck, international advertising conglomerate WPP, global law firm DLA Piper, and multiple private and public institutions in Ukraine and Russia. This is the second global ransomware attack in the last two months. It follows the WannaCry outbreak in May that affected more than 150 organisations, including the UK’s National Health Service, German railways and Spanish telephone firm Telefónica.
How are victims infected?
These attacks affect only computers running Windows operating systems, and there are two initial attack vectors: phishing emails containing Microsoft Word documents laced with malware, and a compromised software update from a Ukrainian financial software firm, MeDoc. The malware leverages several tools to move through a network and infect machines, including a modified version of the NSA’s stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency’s EternalRomance SMB exploit. It propagates inside a network by stealing administrative credentials and using them to instruct other PCs to run the malware as well. Like WannaCry, it has spread quickly and hit high-profile targets including Ukrainian critical infrastructure providers. While WannaCry’s many design flaws caused it to falter after a few days, this latest ransomware threat has evolved and does not have the kill-switch that allowed researchers to neuter WannaCry.
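The credential-based propagation described above leaves a footprint a defender can hunt for: one administrative account logging on over the network to many hosts within a short window. As an added example that is not part of this article, the script below parses a constructed set of Windows Security logon records (event 4624; logon type 3 is a network logon) and flags accounts whose network logons fan out to a threshold number of distinct hosts inside a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per line: "<time> <event_id> <logon_type> <account> <target_host>".
# They imitate Windows Security event 4624 (successful logon) and are illustrative only.
SAMPLE_LOG = """\
2017-06-27T10:00:05Z 4624 3 CORP\\svc-admin WS01
2017-06-27T10:00:09Z 4624 3 CORP\\svc-admin WS02
2017-06-27T10:00:12Z 4624 3 CORP\\svc-admin WS03
2017-06-27T10:00:14Z 4624 3 CORP\\svc-admin WS04
2017-06-27T10:00:20Z 4624 3 CORP\\svc-admin FS01
2017-06-27T10:00:25Z 4624 2 CORP\\alice WS07
2017-06-27T10:01:00Z 4624 3 CORP\\bob WS08
2017-06-27T10:30:00Z 4624 3 CORP\\bob WS09
"""


def parse_events(text):
    """Parse the simplified record format into (timestamp, event_id, logon_type, account, host) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, host = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       int(event_id), int(logon_type), account, host))
    return events


def find_fanout(events, window=timedelta(minutes=5), threshold=4):
    """Return {account: set(hosts)} for accounts whose network logons (4624, type 3)
    reach `threshold` distinct hosts inside some `window` of time.
    Interactive logons (type 2) are ignored: they do not indicate remote execution."""
    by_account = defaultdict(list)
    for ts, event_id, logon_type, account, host in sorted(events):
        if event_id == 4624 and logon_type == 3:
            by_account[account].append((ts, host))
    flagged = {}
    for account, logons in by_account.items():
        # Slide the window start over each logon; logons are already time-ordered.
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[account] = hosts
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in find_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: network logons to {len(hosts)} hosts in 5 min: {sorted(hosts)}")
```

Tune the window and threshold to the environment: a backup or monitoring account may legitimately touch many hosts, so such accounts need an allowlist rather than a lower threshold.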
What are the motivations behind the attack?
The attributes of the latest campaign narrow the type of actors motivated to instigate an attack of this type. While the original variant, Petya, was a money-making criminal enterprise, most of the mechanisms put in place to collect the ransom are no longer available. Instead, it is designed to spread fast and cause damage, with the ransomware element providing plausible deniability. The attack had a targeted approach to infection, suggesting that this campaign is possibly a proof-of-concept operation against a variety of industries and platforms. Alternatively, it could be a diversionary tactic to facilitate the pre-positioning of additional malware onto systems by harvesting credentials to gain lateral movement within a network. It is likely, given the success of the last two campaigns, that there will be more ransomware attacks to follow.
What now?
Judging by how many companies ignored the EternalBlue patch, even after the WannaCry threat, the attack is likely to persist for some time. This is particularly acute given that there are no decryption keys to restore PCs with infected file-systems, there is no way to pay the ransom, and the diversity of delivery options means that no single patch can necessarily provide complete protection against it. Notwithstanding this, you should still install the relevant patches as a matter of urgency.
Further mitigation advice includes
From novice to expert, is your cyber knowledge up to date?
We offer a wide range of technical and non-technical cyber courses taught by industry-leading cyber specialists.
If you need course advice or advice on how to protect your Superyacht, please call +44(0)20178872699 or email customerservices@halcyonyachtsecurity.com