New incarnations of ransomware are spreading across Europe, with variants such as Petya, NotPetya and the rather more disturbing GoldenEye, now threatening our entire digital world.
To paraphrase ex-US secretary of defense Donald Rumsfeld, our response to ransomware rests on known knowns, known unknowns and unknown unknowns.
The known knowns are that Petya ransomware has been spotted predominantly in Ukraine, but security researchers have seen it spread to Spain, Germany, Israel, the UK, the Netherlands and the US. In May, Matt Burgess reported in Wired that the WannaCry ransomware virus had quickly spread around the world.
Another sequence of malicious code, dubbed Petya, encrypts computers and paralyses them until you pay the rogue coders for the antidote that unlocks the operating system. Christiaan Beek, a lead scientist and principal engineer at McAfee, said everyone is being targeted, from banks to bus stations, power grids to petroleum giants. The entire infrastructure could be paralysed. Petya was “designed for speed and is spreading around like crazy”, according to Kaspersky Lab's global research director Costin Raiu.
A Nato cybersecurity group said Petya was ‘probably’ created by a ‘state actor’, a known unknown. “Sabotage the offending state’s government IT systems,” was the suggestion on June 28th by Nato's secretary general. A cyber operation could be launched by the coalition of countries under Article 5 of the North Atlantic Treaty.
How did this happen? Well, that’s a known known. Some claim the initial attack vector was a compromised update of the M.E. Doc accounting software utility that all the breached companies were using, though users of other systems have also confirmed breaches. In a Facebook post on the company’s page (translated from Ukrainian), the vendor denies the allegations.
BitDefender’s research indicates that not all infections of GoldenEye have been triggered by the compromised update of the MeDOC accounting software, but it can confirm the MeDOC update as an infection vector. This makes Ukraine the “patient zero” from where the infection spread across VPN networks to headquarters or satellite offices.
Another known known is that Petya, and other ransomware, is using the EternalBlue vulnerability that is believed to have been developed by the US National Security Agency.
Petya introduced a new twist. Instead of encrypting individual files on disk, it locks the entire disk, rendering it useless, according to F-Secure. Using a faked certificate derived from Microsoft's Sysinternals tools, it encrypts the filesystem’s master file table (MFT), making the files invisible to the operating system.
So, why do they do it? That’s a known unknown, reports Bogdan Botezatu, senior e-threat analyst at BitDefender. There is mounting evidence that ransomware campaigns might not have targeted financial gains but rather data destruction, said Botezatu.
The choice of a regular, non-bulletproof e-mail service provider to act as a communication channel would be a bad business decision, given its “total lack of usability in the payment confirmation,” added Botezatu. Manually typing long, mixed-case personal installation keys and wallet addresses is a process highly prone to typos.
How to defend against it? We can learn from history, says independent security analyst Graham Cluley, on his eponymous security news site.
A more immediate option, for victims who need to resume business, would be to pay the requested $300 bitcoin fee to decrypt the locked systems. The bitcoin wallet listed in the demands has received multiple payments, with £5,800 collected before email provider Posteo, which hosted the account receiving these bitcoin payments, closed the address listed in the ransom note. So paying is no longer an option, but should it ever have been? “Emphatically no,” said Cluley. “I really hope everyone learnt a lesson from the ransomware outbreak and put some secure backup systems in place,” said Cluley.
Still, the unknowns are not damaging the IT industry and companies are not being put off, says Rene Millman in CloudPro.
In fact, four out of five firms will adopt the cloud, despite the risk of hacking, according to a new survey.
A poll of 500 senior executives in the UK by Techmarketview found that 80%, though concerned about security, were not put off by ransomware and 37% have recently launched their first cloud projects. Three-quarters said governments should do more to protect businesses from a cyber-attack.
“We all need guidance on being protected, properly patched and secured,” said Jon Wrennall, CTO at Advanced.
© Copyright 2017, Misco UK Limited, registered in Scotland,