7 Important Facts About the Petya Ransomware Attack
It was only in May of 2017 that major corporations around the world were hit by the WannaCry ransomware attack. The malware infected thousands of computers, demanding $300 in bitcoin to restore access. Although security patches were released and the attack was contained, today, June 28th, two major corporations in the U.S. confirmed via Twitter that their computer networks had been compromised. Merck, the largest US drug manufacturer, and DLA Piper, a multinational law firm with 20 offices across the nation, reported being infected by the ransomware now dubbed Petya.
These attacks surfaced after a group of hackers calling themselves the ShadowBrokers leaked an exploit called EternalBlue, which is believed to have been developed by the U.S. National Security Agency as a cyber weapon. The leak was released in April of 2017, and by May 2017 the financial, engineering, manufacturing and automobile industries, among others, were reporting massive levels of infection. The exploit was built on a bug in the Microsoft Server Message Block 1.0 (SMBv1) server, a default service running on all Windows computers running Windows XP or Windows Server 2012.
For now, the exploit does not target Windows 10 or Windows Server 2016 users, but these could become vulnerable in the near future if patches or updates are not applied. Following the leak, Microsoft immediately released a patch, but users had to update their systems in order to fix the problem; those who did not are at risk of infection. It is exactly this vulnerability that the Petya attack has taken advantage of.
What You Need to Know Right Now
1. The Damage
Ten hours into the attack, a healthcare facility in the US has already been affected: one surgery at Heritage Valley Health Systems has been postponed because of the virus. But the worst hit has been Ukraine, with the country’s central bank, state power provider and metro system compromised. The virus spreads like wildfire across massive networks, and France and Denmark in Europe, as well as Pittsburgh in the U.S., are already reporting infections. This time round, victims aren’t regaining access to their systems even if the ransom is paid. Advertising giant WPP, French construction companies, and Russian firms such as Evraz and Rosneft have been infected with the Petya virus. This latest strain does not affect just individual files but the entire drive, rendering computers useless.
2. Ground Zero Attack is Traced Back to Ukraine
Experts tracing the virus have found that the ground-zero attack may have started at a Ukrainian financial firm. They say the infection may have occurred when the firm updated a tax accounting package called MeDoc. MeDoc itself may have been hacked, with the malware delivered through its update feature. How MeDoc was hacked remains a mystery, and the key suspect has yet to be identified.
3. Patch Your System
In a statement to Recode, Microsoft confirmed that the flaw behind the WannaCry attack had been fixed by a security update. “Our initial analysis found that the ransomware uses multiple techniques to spread, including one which was addressed by a security update previously provided for all platforms from Windows XP to Windows 10,” said the company. If your company hasn’t yet applied the patch, get it done as soon as you can. Most security experts on Twitter have been vocal about companies neglecting the importance of applying patches. Had companies learned the lesson from WannaCry, the ransomware would not have been able to take effect. All it takes is one point of entry to disrupt an entire network: if even one computer in your network has not been patched and updated, it could affect everything else.
Take the proper time to make sure that your computer has all operating system patches applied. Do not ignore update prompts!
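As an added example that is not from the original article, the following PowerShell script audits whether a Windows host still exposes the SMBv1 server that the exploit abuses and, on request, disables it; run it from an elevated prompt. The -Remediate switch and the 2017-03-01 hotfix cutoff date are assumptions of this example, not details from the article.

```powershell
# Added example (not from the original article): audit the SMBv1 server state
# on this Windows host and optionally disable it. Requires an elevated session;
# Get-SmbServerConfiguration exists on Windows 8.1 / Server 2012 R2 and later,
# so the registry check below is the fallback on older builds.
param(
    [switch]$Remediate   # assumed switch for this example: only disable SMBv1 when set
)

function Get-Smb1Status {
    $result = [ordered]@{}

    # 1. Server-side SMBv1 switch: the component the article says the exploit targets.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $result.Smb1ServerEnabled = if ($cfg) { [bool]$cfg.EnableSMB1Protocol } else { 'unknown' }

    # 2. Registry view, available on every build: a missing value means SMBv1 is enabled.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    $result.RegistrySmb1 = if ($null -eq $reg) { 'not set (enabled by default)' } else { $reg.SMB1 }

    # 3. Is the SMBv1 optional feature installed at all?
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $result.Smb1FeatureState = if ($feat) { $feat.State } else { 'unknown' }

    # 4. Is SMB (port 445) listening? Patched or not, this is the surface the worm used to spread.
    $result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # 5. Count of hotfixes installed since an assumed audit cutoff, so the report shows
    #    whether the host has received any updates in the relevant window at all.
    $cutoff = [datetime]'2017-03-01'   # assumed cutoff for this example
    $result.HotfixesSinceCutoff = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $cutoff }).Count

    [pscustomobject]$result
}

$status = Get-Smb1Status
$status | Format-List

if ($Remediate -and $status.Smb1ServerEnabled -eq $true) {
    # Disabling SMBv1 breaks clients that still rely on it, so test on a pilot group first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output 'SMBv1 server disabled. A reboot may be needed before every component honours the change.'
}
```

Disabling SMBv1 removes the vulnerable service entirely and is complementary to, not a substitute for, applying the security update the article refers to.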
4. Be Vigilant With Your Email
Ransomware of this kind is dependent upon user interaction to spark an infection, so be very careful with the emails you receive. Unless the sender is verified, avoid opening any email from an unknown source, no matter how lucrative it seems. The malware is being spread through emails about job offers, shopping deals and the like. Make sure your spam filtering is up to date and that you have a strong filter in place, and do not open any files that seem suspicious. That’s one of the best ways to protect your system against viruses, malware, and ransomware.
5. It’s Not Always an Easy Fix
Although the patch was released and home users who updated their systems remain protected, thousands of systems out there are still vulnerable. These systems are interdependent, and applying a patch is sometimes a painstaking process. In the case of a medical unit, some systems do not work well (or at all) on newer versions of Windows, and updating may require restarting systems. The same applies to transport hubs, airports, train stations and the like, where downtime for a restart cannot be arranged overnight. Admittedly this is a concern that should be addressed strategically, and all possible efforts must be made to ensure these systems remain protected. Downtime and maintenance are far better than chaos and compromised systems.
6. You Can’t Decrypt!
The email address used by the attacker to release the decryption key has been blocked by the German email provider Posteo. In a blog post, the company explicitly states: “We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.” So even if companies pay the bitcoin amount, they have pretty much wasted their money. At the time of this attack, the bitcoin wallet showed $6000 received from affected people, suggesting that 20 people have wasted their money with no decryption possible.
7. Immediate Course of Action
If your computer is infected, the malware waits for about an hour before rebooting the machine and encrypting the files. As soon as you see your machine going into a reboot, switch it off at once. If you are not able to retrieve the files from the machine yourself, ask a security expert to do it later. Disconnect from the Internet, reformat the hard drive and reinstall your files from backup.
If you do not have backups, you should seriously think about creating them, or some other kind of computer disaster recovery plan.
Also, there is always Linux!
Stay safe, folks, and get the help of an expert if you believe your system has been compromised. As of now, there is no clear solution to stopping the spread of the virus, other than preventing your system from being infected in the first place.