What is Petya? What is WannaCry?
Computers across the U.S. and Europe have been crippled since June 27, when criminals engaged in cyber warfare and released another piece of ransomware known as "Goldeneye."
As the second major attack to occur in less than two months, Goldeneye, also known as Petya, appears to have started in Ukraine. According to media reports, it leveraged a piece of tax accounting software called M.E.Doc, which the Ukrainian government requires businesses to use.
How far has it spread?
Ukrainian businesses appear to have suffered the greatest number of infections, but Goldeneye's reach is deep. It has now spread to more than 65 countries and across various industries, infecting international shipping companies, law firms and healthcare facilities, including shipping giant A.P. Moller-Maersk and the New Jersey-based pharmaceutical company Merck, among others.
What is ransomware?
Ransomware is malicious software (i.e., malware) released by hackers that locks the victim out of the files on their computer and demands payment in order to restore access. While this type of attack has been around for nearly a decade, attacks have surged in recent years, including the WannaCry attack released on May 12, 2017. What made the WannaCry ransomware notable was its method, its speed of infection and the breadth of operating systems vulnerable to it.
How does Goldeneye differ from WannaCry?
Like WannaCry, Goldeneye is based on the U.S. National Security Agency's EternalBlue zero-day exploit, which was stolen and leaked in April by the hacker group The Shadow Brokers. After WannaCry was resolved with the software patch MS17-010, criminals updated and "improved" the malware to create Goldeneye. Both WannaCry and Goldeneye are variants of the computer virus "Petya," which is for sale on the so-called "dark web."
However, the Goldeneye attack goes a step further than WannaCry in several ways. First, it initially appeared to evade most types of antivirus software, although most major providers have since updated their virus definitions to detect it.
Second, while Goldeneye is classified as having "worm" capabilities, this ransomware also uses a credential-stealing tool to leverage the local user's access to connect to other machines, and it uses two Windows tools, PsExec and WMIC, to spread the infection, as reported in various sources. Unlike WannaCry, no Goldeneye "kill switch" has been discovered at this time, but researchers have discovered a "vaccination" against the attack.
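The spreading behaviour described above (remote process creation through WMIC and service execution through PsExec) leaves a recognisable trace in process-creation telemetry. The following is an added PowerShell example, not code from the original article, that scans process-creation records for those traces. The record shape (Computer, Time, ParentImage, Image, CommandLine) is an assumption modelled on Sysmon Event ID 1 fields; the records below are constructed sample data, not real telemetry, so the function runs offline.

```powershell
# Added example (not from the original article): flag process-creation records
# that match the two lateral-movement techniques the article names.
# In production, $Events would come from Sysmon Event ID 1 or Security 4688
# via Get-WinEvent; here the records are constructed sample data.

function Find-LateralMovementIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Events
    )
    foreach ($e in $Events) {
        $image  = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $cmd    = $e.CommandLine
        $reason = $null

        # WMIC driving a remote host: "wmic /node:<host> ... process call create ..."
        if ($image -eq 'wmic.exe' -and $cmd -match '(?i)/node:' -and $cmd -match '(?i)process\s+call\s+create') {
            $reason = 'WMIC remote process creation'
        }
        # PsExec's service-side binary starting on a host (the PSEXESVC service)
        elseif ($image -eq 'psexesvc.exe') {
            $reason = 'PsExec service executable started'
        }
        # Anything spawned by the PsExec service runs with the pushed credentials
        elseif ($parent -eq 'psexesvc.exe') {
            $reason = 'Process spawned by PSEXESVC'
        }

        if ($reason) {
            [pscustomobject]@{
                Computer    = $e.Computer
                Time        = $e.Time
                Image       = $e.Image
                CommandLine = $cmd
                Reason      = $reason
            }
        }
    }
}

# Constructed sample records (hypothetical hosts and command lines, not real telemetry)
$sample = @(
    [pscustomobject]@{ Computer = 'WS01'; Time = '2017-06-27T10:01:00'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\notepad.exe'
                       CommandLine = 'notepad.exe' }
    [pscustomobject]@{ Computer = 'WS01'; Time = '2017-06-27T10:02:10'
                       ParentImage = 'C:\Windows\System32\rundll32.exe'
                       Image = 'C:\Windows\System32\wbem\WMIC.exe'
                       CommandLine = 'wmic /node:"10.0.0.12" /user:"corp\svc" /password:"***" process call create "cmd.exe /c echo test"' }
    [pscustomobject]@{ Computer = 'WS02'; Time = '2017-06-27T10:02:30'
                       ParentImage = 'C:\Windows\System32\services.exe'
                       Image = 'C:\Windows\PSEXESVC.exe'
                       CommandLine = 'C:\Windows\PSEXESVC.exe' }
    [pscustomobject]@{ Computer = 'WS02'; Time = '2017-06-27T10:02:31'
                       ParentImage = 'C:\Windows\PSEXESVC.exe'
                       Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c echo test' }
)

# Three of the four constructed records should be flagged; notepad.exe is not.
Find-LateralMovementIndicators -Events $sample | Format-Table -AutoSize
```

Both WMIC and PsExec are legitimate administration tools, so the hits are leads to triage against your admin activity, not verdicts: a WMIC `process call create` run by a deployment account from a management server is expected, while the same command fanning out from an ordinary workstation to many peers within seconds is what the article's "worm" behaviour looks like.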
Once infection sets in, the ransomware demands a $300 payment in bitcoin to recover encrypted files and hard drives, with proof of payment to be sent to a named email address. However, the trail ends there: the address's hosting provider has shut it down, effectively preventing any decryption.
Who's behind this attack?
It may be multiple people or groups. The authors of the Petya ransomware, who call themselves Janus Cybercrime Solutions, reportedly receive a portion of the Goldeneye bitcoin ransoms that are paid. On June 28, Janus publicly distanced themselves from what they refer to as "NotPetya" and were looking into whether their own private key would help decrypt NotPetya infections. Further analysis by security researchers has suggested that NotPetya may be a "wiper," which is designed to inflict permanent damage. It has also been speculated that the appearance of ransomware was a ruse to control the media narrative and divert attention from what may have been a nation-state sponsored cyberattack.
What should you do so you don't become affected by ransomware?
The first step in protecting your business is to start with your front-line defenders: your employees. Training employees on ransomware – what it is, how it works and the methods by which it is distributed – is one of the most effective ways to reduce the threat of ransomware.
Additionally, these four recommendations can help protect you against a ransomware attack:
- Proceed with caution when opening email attachments even when they appear to come from someone you know; likewise, don't download software from untrustworthy or unfamiliar websites.
- Back up important files regularly and keep at least one copy "offline" to prevent that backup from being affected by the malware.
- Ensure that your operating system and third-party software are properly patched (e.g., Internet browsers, Flash, Java and Adobe Reader).
- Utilize antivirus software with up-to-date definitions. It's important to note that antivirus will not catch all malware.
And, working with your IT or security department, consider implementing these recommendations specific to NotPetya:
- Confirm that the Microsoft Windows patch MS17-010 is installed on all machines in your environment.
- Disable SMBv1.
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445.
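The three NotPetya-specific items above can be checked (and two of them applied) from a single elevated PowerShell session on each Windows host. The function below is an added example, not code from the original article or from Microsoft. It assumes Windows 8.1 / Server 2012 R2 or later, where the `Get-SmbServerConfiguration` and `NetFirewall` cmdlets exist; MS17-010 ships under a different KB number for each Windows build, so the KB list is a parameter you fill in from the bulletin for the builds you run, and the default value is a labelled placeholder.

```powershell
# Added example (not from the original article): report on the three NotPetya
# hardening items for the local host; with -Remediate, disable SMBv1 and add
# the inbound-445 block rule. The patch itself is applied through Windows
# Update / WSUS, not by this script. Run from an elevated session.

function Test-NotPetyaHardening {
    [CmdletBinding()]
    param(
        # KB article IDs that carry MS17-010 for this host's build (placeholder;
        # take the real IDs from the MS17-010 bulletin's table for your OS version).
        [string[]] $Ms17010KbIds = @('KB<fill-from-MS17-010-bulletin>'),
        [switch]   $Remediate
    )

    $result = [ordered]@{}

    # 1. MS17-010 present? Get-HotFix returns nothing for IDs it cannot find.
    #    A later cumulative update that supersedes the original KB will not show
    #    up here either, so "False" means "verify", not necessarily "unpatched".
    $installed = Get-HotFix -Id $Ms17010KbIds -ErrorAction SilentlyContinue
    $result['MS17-010 installed'] = [bool]$installed

    # 2. SMBv1 server protocol disabled?
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol -and $Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb = Get-SmbServerConfiguration
    }
    $result['SMBv1 disabled'] = -not $smb.EnableSMB1Protocol

    # 3. Inbound TCP 445 blocked by an enabled Windows Firewall rule?
    #    (Blocking 445 on a file server also blocks legitimate sharing; the
    #    article suggests the rule at the router/firewall for that reason.)
    $blockRule = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
    if (-not $blockRule -and $Remediate) {
        $blockRule = New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any
    }
    $result['Inbound 445 blocked'] = [bool]$blockRule

    [pscustomobject]$result
}

# Report only (replace the placeholder with the KB IDs for this build):
Test-NotPetyaHardening -Ms17010KbIds @('KB<fill-from-MS17-010-bulletin>')

# Apply the SMBv1 and firewall items as well:
# Test-NotPetyaHardening -Ms17010KbIds @('KB<fill-from-MS17-010-bulletin>') -Remediate
```

Running the report form across a fleet (for example through `Invoke-Command` against a list of hosts) gives a quick inventory of which machines still have SMBv1 enabled, which is the item most directly tied to the EternalBlue spread the article describes; treat the patch column as a prompt to confirm against your update management system rather than as the final word.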
Prevention is key to avoiding becoming a victim of cyberattacks and hackers. It's important to be constantly vigilant, and if something is or seems suspicious, report it.