Cyber Threat Alert

SMARTER BETTER STRONGER

Second Global Ransomware Attack

Businesses and government systems have been hit in a global ransomware attack. The malware, a variation of the Petya ransomware which some analysts are calling ‘Goldeneye’ or ‘NotPetya’, has so far encrypted files and hard drives on 2,000 machines. High-profile victims include Danish shipping giant Maersk, US pharmaceutical company Merck, international advertising conglomerate WPP, global law firm DLA Piper, and multiple private and public institutions in Ukraine and Russia. This is the second global ransomware attack in the last two months. It follows the WannaCry outbreak in May that affected more than 150 organisations, including the UK’s National Health Service, German railways and Spanish telephone firm Telefónica.

How are victims infected?

These attacks affect only computers running Windows operating systems, and there are two initial attack vectors: phishing emails containing Microsoft Word documents laced with malware, and a compromised software update from a Ukrainian financial software firm, MeDoc. The malware leverages several tools to move through a network and infect machines, including a modified version of the NSA’s stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency’s EternalRomance SMB exploit. It propagates inside a network by stealing administrative credentials and using them to instruct other PCs to run the malware as well. Like WannaCry, it has spread quickly and hit high-profile targets, including Ukrainian critical infrastructure providers. While WannaCry’s many design flaws caused it to falter after a few days, this latest ransomware threat has evolved: it does not have the kill-switch that allowed researchers to neuter WannaCry.

What are the motivations behind the attack?

The attributes of the latest campaign narrow the type of actors motivated to instigate an attack of this kind. While the original variant, Petya, was a money-making criminal enterprise, most of the mechanisms put in place to collect the ransom are no longer available. Instead, it is designed to spread fast and cause damage, with ransomware serving as plausible deniability. The attack took a targeted approach to infection, suggesting that this campaign is possibly a proof-of-concept operation against a variety of industries and platforms. Alternatively, it could be a diversionary tactic to facilitate the pre-positioning of additional malware onto systems by harvesting credentials for lateral movement within a network. It is likely, given the success of the last two campaigns, that more ransomware attacks will follow.

What now?

Judging by how many companies ignored the EternalBlue patch, even after the WannaCry threat, the attack is likely to persist for some time. This is particularly acute given that there are no decryption keys to restore PCs with infected file-systems, there is no way to pay the ransom, and the diversity of delivery options means that no single patch can necessarily provide complete protection against it. Notwithstanding this, you should still install the relevant patches as a matter of urgency.

Further mitigation advice includes:

  • The ransomware runs at boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a “check disk” message, you can avoid having your files encrypted by quickly powering down;
  • Administrators can stop the spread within a network via Windows Management Instrumentation by blocking the file C:\Windows\Perfc.dat from running. Administrators can also use Microsoft’s Local Administrator Password Solution to protect credentials that grant network privileges;
  • Be suspicious of any unexpected documents you receive via email. No matter how enticing an attachment or embedded link may be, always verify the source before taking any further action;
  • Ensure you (and your company) have a robust backup regime so that important files are backed up. This includes ensuring that external storage devices are not permanently connected to your network, to prevent any infections from spreading;
  • Consider awareness campaigns and staff training to ensure your employees are aware of the risks;
  • Additionally, make sure that you have an effective antivirus solution and that you conduct regular penetration tests on your systems.
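As an added illustration (not part of the original alert), the following PowerShell script applies the Perfc.dat block from the list above by creating a read-only placeholder at that path, reports whether the SMBv1 server protocol that the EternalBlue exploit targets is still enabled, and checks for the EternalBlue (MS17-010) update, whose KB number is left as a placeholder because it differs per Windows version. It assumes an elevated session on Windows 8 / Server 2012 or later, where Get-SmbServerConfiguration is available.

```powershell
# Added example (not part of the original alert): a host-level check for two of
# the mitigations above. Assumes an elevated PowerShell session on Windows 8 /
# Server 2012 or later, where Get-SmbServerConfiguration is available.

# The alert names C:\Windows\Perfc.dat; $env:SystemRoot is normally C:\Windows.
$PlaceholderPath = Join-Path $env:SystemRoot 'perfc.dat'

function Set-PerfcPlaceholder {
    param([string]$Path = $PlaceholderPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Create an empty placeholder so the malware cannot drop its own file here.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    # Mark it read-only so an ordinary overwrite attempt fails.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
    return (Get-Item -LiteralPath $Path).IsReadOnly
}

function Test-Smb1ServerEnabled {
    # EternalBlue and EternalRomance target SMBv1, so report whether it is still on.
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB1Protocol
}

# --- run the checks and print a short report ---
if (Set-PerfcPlaceholder) {
    Write-Output "Read-only placeholder in place: $PlaceholderPath"
}

if (Test-Smb1ServerEnabled) {
    Write-Warning 'SMBv1 server protocol is still ENABLED on this host.'
    Write-Warning 'Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
} else {
    Write-Output 'SMBv1 server protocol is disabled.'
}

# Confirm the EternalBlue patch is installed. The KB number differs per Windows
# version; replace <KB-FOR-YOUR-OS> with the MS17-010 article for this build.
$Ms17010Kb = '<KB-FOR-YOUR-OS>'
if (Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue) {
    Write-Output "MS17-010 update $Ms17010Kb is installed."
} else {
    Write-Warning "MS17-010 update $Ms17010Kb not found; install it as a matter of urgency."
}
```

Run it from an elevated prompt; the placeholder is created only if missing, so re-running is safe.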

From novice to expert, is your cyber knowledge up to date?

We offer a wide range of technical and non-technical cyber courses taught by industry-leading cyber specialists.


If you need course advice, or advice on how to protect your superyacht, please call +44(0)20178872699 or email customerservices@halcyonyachtsecurity.com