I’m guessing quite a few people did back on May 13, 2017, a Saturday, when a unique new ransomware, dubbed WannaCry, swept the world, targeting computer systems in almost 100 countries. This malicious software, stolen from the National Security Agency, was distributed via email to many large global companies and government agencies, taking over the computers and encrypting the data files. The ransom demand was for $300 or more via Bitcoin (anonymous online currency), to receive the encryption key needed to unlock the files.
Ransomware of this nature leaves many corporations in a bit of quandary. Should they pay the ransom and get their files back? Or say goodbye to their data? There’s an inherent risk in paying. The targeted organization would have to conduct a business transaction with cyber criminals, and there isn’t customer service department to complain to if the encryption key doesn’t work. It does appear from most reports that cyber criminals do indeed honor the transaction – simply because if they didn’t, word would get around and everybody would simply stop paying.
Organizations are left with little choice when they need to continue operating and don’t have recent backups that can be used. If the files are necessary then the ransom is likely to be paid, allowing hospitals and manufacturers to continue with their work of saving lives and creating goods via their computer systems. Indeed, MIT Technology Review is reporting that companies are now “stockpiling Bitcoin” in the eventuality that they would need to pay a ransom and quickly regain access to their files.
The countries hardest hit by WannaCry appears to have been Russia, India and Taiwan, though the spread of the infection was crippled when a researcher in Britain discovered the un-registered domain “kill switch” of the malware infection and registered it himself. This action minimized impact on the Western half of the globe.
Citation: Krebs on Security
Fast forward to June 27, 2017, and the world was once again hit with a massive ransomware attack. This time the strain is called Petya, and it is using the same Microsoft Windows bug that was exploited by WannaCry.
According to early reports, the Ukraine was the hardest hit by Petya, including government offices, banks, and power companies have all announced they were affected by the attack. Other organizations in Denmark and Russia reported they were dealing with the cyber-attack, and reports of infections have come in across Asia and the United States as well.
Per cybercrime researcher, Brian Krebs:
Security firm Symantec confirmed that Petya uses the “” exploit, a digital weapon that was believed to have been developed by the U.S. National Security Agencyand in April 2017 leaked online by a hacker group calling itself the Shadow Brokers.
Microsoft for the Eternal Blue exploit in March (), but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May. U.S. intelligence agencies assess with medium confidence that WannaCry was the work of North Korean hackers.
Organizations who have not updated with the March Microsoft patch should do so now.
Affected companies should be mindful that the Petya malware appears to be more than just ransomware. Researchers have reported that Petya has also been designed to pull passwords and credential data from Windows computers on the infected network.
In the Brian Krebs article Nicholas Weaver, a security researcher at the International Computer Science Institute, indicates that Petya appears to have been engineered to be destructive while masquerading as a ransomware strain. He reports that Petya’s payment structure is not typical ransomware behavior. It relies on communication via one email address while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor. I think this certainly indicates we haven’t seen the last of Petya or its full repercussions.
What can you do?
First, and most importantly, don’t delay your security patches. Cyber criminals are preying on organizations who delay patches, creating vulnerabilities they can exploit.
Second, back up often and thoroughly. Don’t just back up crucial files. Imagine all your files being inaccessible – what would you need to re-establish operations?
Ideally companies would not need to pay the ransom because the backup files saved the day. Paying the ransom only encourages the ransomware problem.
Third, malware infections such as WannaCry and Petya are generally spread via email. All it takes is one employee opening up the malicious attachment and the entire organization’s network can be affected. Employee cyber security and email handling training and awareness is essential to protecting your organization at the inception of the attack.