Tuesday 27 June 2017

Petya Ransomware Outbreak Sweeps Europe

A type of ransomware known as Petya and Petrwrap began spreading internationally on Tuesday. Reported victims so far include Ukrainian infrastructure such as power companies, airports, public transit, and the central bank, as well as the Danish shipping company Maersk, the Russian oil giant Rosneft, and institutions in India, Spain, France, the United Kingdom and beyond.

What makes the rapid escalation of Petya both surprising and alarming is its similarity to the recent worldwide WannaCry ransomware crisis, primarily in its use of the NSA exploit EternalBlue to spread through networks.

"It is definitely using EternalBlue to spread," says Fabian Wosar, a security researcher at the defense firm Emsisoft that specializes in malware and ransomware. "I confirm, this is a WannaCry situation," Matthieu Suiche, the founder of security firm Comae Technologies, wrote on Twitter.

Microsoft had patched the EternalBlue vulnerability in March, prior to WannaCry's spread in May, which protected some systems from the infection. Based on the extent of the damage Petya has caused so far, though, it appears that many companies have put off patching despite the clear and potentially devastating threat of a similar ransomware spread. These systems apparently remain vulnerable even after Microsoft released multiple patches for legacy systems, like Windows XP, that the company no longer supports, and after publicity about the WannaCry attack led many system administrators to prioritize upgrading their systems for defense.

But Petya's spread using EternalBlue shows how dire the patching landscape really is. McAfee fellow and chief scientist Raj Samani notes that Petya may also use other propagation methods, for maximum impact.

No Kill Switch

The Petya ransomware itself has circulated since 2016; its spread has only now hastened thanks to EternalBlue. It has two components: the main malware infects a computer's master boot record and then attempts to encrypt its master file table (MFT). If it can't detect the MFT, though, it turns operations over to its other component, a ransomware that Petya incorporates called Mischa, and simply encrypts all the files on the computer's hard drive the way most ransomware does.

In either case, once infected, a computer displays a black screen with red text that reads, "If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service." Then the ransomware asks for $300 worth of bitcoin, the same amount WannaCry demanded.

It's not yet clear where the wave of attacks originated or who is behind it. "Everyone talked about Ukraine first, but I don't know [which country is hardest hit]. It's worldwide," says MalwareHunterteam, a researcher with the MalwareHunterTeam analysis group.

Most troubling, perhaps, is that Petya doesn't appear to suffer from the same errors that stunted WannaCry's spread. The amateurish mistakes that marked that outbreak limited both its scope and the eventual payouts collected; it even included a "kill switch" that shut it off entirely after just a couple of days.

The only potential good news? Enough people may have patched since WannaCry to forestall a breakout on the same scale.

"I think the outbreak is smaller than WannaCry, but the volume is still quite considerable," says Raj Samani, McAfee fellow and chief scientist. "This is particularly nasty, it’s not as widespread, but it’s certainly quite significant."

So far, this round of Petya attacks has netted 1.5 bitcoin, or around $3500. That may not seem like much, but the number has steadily increased since the first reports broke this morning. It also has no kill switch function, which means there's no way yet to stop it.

Read the full article here by Wired Top Stories
