Petya ransomware attack – what you need to know
All organisations face digital disruption … but Petya is digital disruption you don’t want to experience. Don’t be caught out.
On 27 June, a new wave of ransomware, known as Petya or Petrwrap, hit organisations across Russia, Ukraine, Spain, France, the UK, India, and Europe.
Victims are instructed to pay USD 300 in bitcoins to recover their files.
What is Petya and how does it work?
Petya is a highly virulent, self-replicating ransomware, capable of encrypting all the files on laptops, servers, and network drives, and spreading autonomously throughout organisations. It uses a similar exploit propagation technique to the WannaCry ransomware, and uses the same mode of attack – phishing emails with Word and Excel documents attached. This delivery method is leveraged to install malicious files. Like WannaCry, Petya targets vulnerabilities that are addressed by Microsoft’s security patch MS17-010 and other Microsoft Office security patches that have been available since April this year.
Dimension Data identified this latest spate of incidents through our Global Threat Intelligence capability in NTT Security. The NTT Security Global Threat Intelligence Centre protects and informs clients via focused security threat research into the global threat landscape, providing actionable threat intelligence, along with enhanced threat detection and mitigation.
What’s different about it?
Petya works very differently from other ransomware as it doesn’t encrypt files on a targeted system, but instead reboots victims’ computers and encrypts the hard drive’s master file table. This renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.
Petya replaces the system’s MBR with its own malicious code which displays the ransom note and leaves computers unable to reboot. At this time there’s no functional recovery process available, which means that Petya presents an increased risk when compared to other ransomware.
The malware also has enhanced capabilities which allow it to propagate laterally across the network. It includes PsExec, a command-line tool, to run processes on remote systems, as well as Windows Management Instrumentation Command-line (WMIC), a scripting interface into Windows systems. Unlike WannaCry, Petya includes a modified mimikatz credential dumping tool to extract user credentials from memory.
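The PsExec and WMIC activity described above leaves traces in standard Windows event logs. The following is an added example, not code from Dimension Data or NTT Security: it flags those traces in normalised event records. The function name, record fields and sample records are constructed for illustration, and it assumes an unmodified PsExec, which registers a service named PSEXESVC on the remote host.

```powershell
# Added example. Windows event IDs used:
#   System 7045   = a service was installed
#   Security 4688 = a process was created (command line requires
#                   "Include command line in process creation events")
function Test-LateralMovementRecord {
    param([Parameter(Mandatory)] $Record)
    switch ($Record.Id) {
        7045 {
            # Assumption: stock PsExec; a renamed service would not match.
            if ($Record.ServiceName -like 'PSEXESVC*') {
                return 'PsExec service installed'
            }
        }
        4688 {
            # WMIC pointed at another host and asked to start a process.
            if ($Record.NewProcessName -match '\\wmic\.exe$' -and
                $Record.CommandLine -match '/node:.+process\s+call\s+create') {
                return 'WMIC remote process creation'
            }
        }
    }
    return $null
}

# Constructed sample records (not real telemetry).
$wmic = 'C:\Windows\System32\wbem\WMIC.exe'
$sample = @(
    [pscustomobject]@{ Id = 7045; Computer = 'FS01'; ServiceName = 'PSEXESVC' }
    [pscustomobject]@{ Id = 7045; Computer = 'FS01'; ServiceName = 'Print Helper' }
    [pscustomobject]@{ Id = 4688; Computer = 'WS17'; NewProcessName = $wmic
                       CommandLine = 'wmic os get caption' }
    [pscustomobject]@{ Id = 4688; Computer = 'WS17'; NewProcessName = $wmic
                       CommandLine = 'wmic /node:"10.0.0.5" process call create "notepad.exe"' }
)

$findings = foreach ($r in $sample) {
    $reason = Test-LateralMovementRecord -Record $r
    if ($reason) { [pscustomobject]@{ Computer = $r.Computer; Reason = $reason } }
}
$findings | Format-Table -AutoSize

# Live input for the 7045 case (Properties[0] of event 7045 is the service name):
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } |
#   ForEach-Object { [pscustomobject]@{ Id = $_.Id; Computer = $_.MachineName
#                                       ServiceName = $_.Properties[0].Value } }
```

Legitimate administration also uses PsExec and WMIC, so hits should be triaged against known admin hosts and change windows.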
More recent analysis has revealed that Petya is simply malware masquerading as ransomware with the more nefarious intention of damaging and destroying target systems. This has led researchers to rename the malware as NotPetya or GoldenEye, to describe its unique wiping capabilities. NotPetya attacks are therefore not financially motivated – rather, the malware is used as a cyber weapon to cause malicious damage through the destruction of data. It hasn’t yet been causally linked to any nation-state or state-sponsored group.
What’s the impact?
Any system infected with Petya or NotPetya will be encrypted and organisations will lose access to the system and all files previously stored on it. Naturally, this causes a significant loss to the availability of sensitive information and internal systems, which is likely to affect daily operations.
Who’s being targeted?
The Petya ransomware has already infected Russian state-owned oil giant Rosneft, and Ukrainian state electricity suppliers, Kyivenergo and Ukrenergo. Several banks, including the National Bank of Ukraine and Oschadbank, have also confirmed that they’ve been hit. The hack has since spread to the UK, with advertising firm WPP being affected. Several Danish and Spanish multinationals have also been paralysed by the attack.
How can you protect your organisation?
Although no one is immune to cyber threats, many organisations are continuing to neglect basic cyber hygiene standards. Improved security practices can limit the scope, impact, and effectiveness of widespread and agile ransomware distribution. Organisations must get on the front foot to understand their risks and have a clear strategy to manage them.
Encourage your employees to be suspicious of the e-mails they receive, particularly those that ask them to open attached documents or click on web links. If they haven’t done so already, IT teams should consider a holistic and layered approach to secure their infrastructure:
- Deploy the MS17-010 and CVE-2017-0199 patches.
- Disable SMBv1.0.
- Back up data and ensure it’s kept offline or air-gapped.
- Conduct security education and awareness training.
- Restrict administrative privileges.
- Enforce network segmentation to limit network propagation.
- Deploy end-point protection controls.
- Implement email and web filtering to minimise exposure.
- Update incident response playbooks.
- Detect/blacklist all incoming or outgoing emails from firstname.lastname@example.org
We also urge you to conduct vulnerability assessments on your assets to identify vulnerable systems. This will allow you to prioritise patching and other remediation efforts.
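For the "Disable SMBv1.0" item, the check and the change can be scripted per host. This is an added example, not part of the original advisory: the function names are hypothetical, and it assumes Windows 8.1 / Windows Server 2012 R2 or later, where the built-in SMB and DISM cmdlets below are available, and an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: report and disable SMBv1 on the local host.
# Older systems (Windows 7 / Server 2008 R2) lack these cmdlets and are
# configured through the LanmanServer\Parameters "SMB1" registry value instead.

function Get-Smb1Status {
    # Server side: is this host willing to accept SMBv1 connections?
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Optional feature: is the SMBv1 component installed at all?
    $featureState = try {
        (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch {
        'Unknown'   # feature name not present on this edition
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        ServerSmb1Enabled = [bool]$serverEnabled
        Smb1FeatureState  = "$featureState"
        NeedsAction       = [bool]$serverEnabled -or ("$featureState" -eq 'Enabled')
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1')) {
        # Stop the SMB server from negotiating SMBv1 (takes effect immediately).
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the SMBv1 component; completes at the next reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
            Out-Null
    }
}

$status = Get-Smb1Status
$status | Format-List
if ($status.NeedsAction) {
    Disable-Smb1 -WhatIf   # drop -WhatIf to apply the change
}
```

Run the audit first across the estate to find devices that still depend on SMBv1 (older printers, scanners and NAS units are common) before applying the change.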