A new cyber attack which started in Russia and Ukraine and has spread across the globe is “particularly nasty” and has a number of ways to spread, cyber security experts warn.
By WEBE Club
It’s the second time in as many months that businesses around the world have been hit by ransomware hackers who seize a computer system and demand payment for its release.
Here’s what you need to know about the latest attack, dubbed Petya.
HOW IT WORKS
Petya shares characteristics with the recent WannaCry ransomware attack but includes a few extra nasty features.
Not only does Petya encrypt the files on a system, it also encrypts what is known as the master boot record.
“This is particularly nasty,” says Andrew Hurren, who works as Australia’s regional solutions architect at cyber security firm McAfee.
The master boot record is the information in the first sector of any hard disk that identifies how and where an operating system is located so that it can be loaded.
“By encrypting the master boot record it means that the attacker can essentially kill your system,” Mr Hurren said. “It makes recovery very difficult, or impossible, I would say.”
Typically ransomware spreads by human interaction via things like phishing email campaigns. However “WannaCry introduced the idea of combining, most likely a phishing attack, with the ability to spread the ransomware like a worm, without any human interaction,” Mr Hurren said.
Petya uses the same exploit method as the WannaCry virus: the EternalBlue exploit which was a part of a number of hacking tools developed by the CIA and recently leaked by Wikileaks.
“But it’s not just using EternalBlue, which is the fascinating thing about this,” Mr Hurren said. “They’ve gotten very, very clever, they’ve added in some capabilities that provide for password stealing or extraction.”
Petya includes tools that “sniff and probe” the network for passwords, which then help in spreading the malware. Petya also abuses PsExec, a common Microsoft systems administration tool, and Windows Management Instrumentation (WMI) to spread the infection, prompting cyber security experts to warn about the immense threat posed by the new virus.
“This is the very interesting aspect of this variant,” Mr Hurren said. “You think about WannaCry which had one primary method for propagation, they’ve now increased it to at least three or four.”
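The PsExec and WMI propagation described above leaves traces in ordinary Windows event logs, and a defender can watch for them. The following is an added example, not code from the article or from McAfee: it scans a handful of constructed log records (one JSON object per line, in the shape a SIEM might forward) for the default PsExec service install (System log event 7045, service name PSEXESVC) and for processes spawned by the WMI provider host (Security log event 4688 with parent WmiPrvSE.exe), then flags any single source host that reaches several targets inside a short window, which is the worm-like fan-out Mr Hurren contrasts with human-driven phishing. The `source` field is an assumption, standing in for the remote-host enrichment a SIEM would add from the correlated network logon; the event IDs and service/process names are real Windows conventions.

```python
"""Flag PsExec- and WMI-style lateral movement in Windows event log records.

Added example, not from the article. Event IDs 7045/4688, the PSEXESVC
service name and WmiPrvSE.exe are real Windows conventions; every record
below is constructed for illustration, and the "source" field is assumed to
be the originating host as enriched by a SIEM.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per line.
SAMPLE_LOG = r"""
{"ts":"2017-06-27T21:03:10","host":"WS-04","event_id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe","source":"WS-01"}
{"ts":"2017-06-27T21:03:12","host":"WS-05","event_id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe","source":"WS-01"}
{"ts":"2017-06-27T21:03:15","host":"WS-06","event_id":4688,"parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","image":"C:\\Windows\\System32\\rundll32.exe","source":"WS-01"}
{"ts":"2017-06-27T21:03:20","host":"WS-07","event_id":4688,"parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","image":"C:\\Windows\\System32\\rundll32.exe","source":"WS-01"}
{"ts":"2017-06-27T21:10:00","host":"SRV-01","event_id":7045,"service":"Spooler","image":"C:\\Windows\\System32\\spoolsv.exe","source":"SRV-01"}
{"ts":"2017-06-27T21:15:00","host":"WS-09","event_id":4688,"parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\App\\app.exe","source":"WS-09"}
"""

PSEXEC_SERVICE = "PSEXESVC"   # default service name PsExec installs on the target host
WMI_HOST = "wmiprvse.exe"     # WMI provider host; parent of processes started via WMI
FANOUT_THRESHOLD = 3          # distinct targets from one source inside WINDOW
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(rec):
    """Return a technique label for one record, or None if it looks benign."""
    if rec["event_id"] == 7045 and rec.get("service", "").upper() == PSEXEC_SERVICE:
        return "psexec_service_install"
    if rec["event_id"] == 4688 and rec.get("parent", "").lower().endswith(WMI_HOST):
        return "wmi_remote_process"
    return None


def detect(records):
    """Return (alerts, fanout).

    alerts: list of (target host, technique) for every suspicious record.
    fanout: {source host: distinct targets} for sources that reached at least
            FANOUT_THRESHOLD distinct hosts within WINDOW (worm-like spread).
    """
    alerts = []
    per_source = defaultdict(list)  # source host -> [(timestamp, target host)]
    for rec in records:
        label = classify(rec)
        if label is None:
            continue
        alerts.append((rec["host"], label))
        ts = datetime.fromisoformat(rec["ts"])
        per_source[rec["source"]].append((ts, rec["host"]))

    fanout = {}
    for src, hits in per_source.items():
        hits.sort()
        # Sliding window: from each hit, count distinct targets reached within WINDOW.
        for i, (t0, _) in enumerate(hits):
            targets = {h for t, h in hits[i:] if t - t0 <= WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                fanout[src] = len(targets)
                break
    return alerts, fanout


if __name__ == "__main__":
    found, spreaders = detect(parse_log(SAMPLE_LOG))
    for host, technique in found:
        print(f"{host}: {technique}")
    for src, n in spreaders.items():
        print(f"{src} reached {n} hosts within {WINDOW} via remote execution")
```

On the constructed input, the Spooler service install and the explorer-launched application are ignored, the four remote executions from WS-01 are flagged, and WS-01 is reported as fanning out to four hosts in ten seconds. A legitimate administrator using PsExec will trigger the per-record alerts too, so the fan-out threshold and window are the knobs to tune against normal administrative activity in a given environment.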
PETYA SPREADS TO AUSTRALIA
There is “every chance” Australian businesses will be infected, Mr Hurren told news.com.au early this morning.
There is one thing that works in our favour: our time zone.
“We’re very fortunate because of our time zone,” he said. “We’re all in bed with our systems turned off. It gives us time to prepare.”
However reports began to emerge this morning of Australian businesses being infected by Petya.
The ABC reported that Australian employees of global law firm DLA Piper were advised via text not to attempt to log in to their computers or turn them on this morning because the company had experienced a “major cyber incident” overnight.
The Cadbury chocolate factory in Hobart has also been targeted, the ABC reported, citing a union official who said production was halted last night when the factory’s computer system went down.
Alastair MacGibbon, the special adviser to the Prime Minister on cyber security, said if Australians were affected they should not pay any ransom — reported to be about $US300.
“Our advice is you don’t ever pay a criminal … There is no knowledge that they will actually unlock the system,” he said.
HOW TO PROTECT YOURSELF
“With WannaCry the recommendation was patch, patch, patch — that’s absolutely the number one thing you should be doing,” Mr Hurren said.
“The challenge here is that an unpatched system is only one method that’s being targeted.” So even if your system is fully patched you could still be affected.
Ensuring you have the latest software updates, have patched against any known software vulnerabilities and have up-to-date malware protection software are important steps for average businesses and consumers to take.
Mr Hurren also heavily advocates (as does the Australian Signals Directorate) for “application whitelisting” which is the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system.
“Outside of that, there’s not a huge amount that can be done,” he said.
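Application whitelisting, as recommended above, is a default-deny policy: a program runs only if it matches an approved rule, so an unknown binary dropped onto a fully patched machine still does not execute. The following is an added example, not the article's, McAfee's or the Australian Signals Directorate's own tooling, and its rule format is invented for illustration (loosely modelled on the path and hash rule types found in Windows AppLocker). The policy, paths and file contents are all constructed.

```python
"""Default-deny application allowlisting with path and hash rules.

Added example; the rule format and all paths, policies and file contents are
constructed for illustration and do not reproduce any real product's policy.
"""
import fnmatch
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the bytes of an approved, individually vetted binary.
APPROVED_WORD_BYTES = b"constructed bytes standing in for an approved winword.exe"

# Constructed policy. Deny rules always win; anything matching no allow rule is denied.
POLICY = [
    {"type": "path", "action": "allow", "pattern": r"C:\Windows\*"},
    {"type": "path", "action": "allow", "pattern": r"C:\Program Files\*"},
    {"type": "hash", "action": "allow", "sha256": sha256(APPROVED_WORD_BYTES)},
    # User-writable locations are denied even where they sit under an allowed tree,
    # since a broad path rule would otherwise permit whatever gets dropped there.
    {"type": "path", "action": "deny", "pattern": r"C:\Windows\Temp\*"},
    {"type": "path", "action": "deny", "pattern": r"C:\Users\*\AppData\*"},
]


def rule_matches(rule, path: str, content: bytes) -> bool:
    """Path rules glob on the (case-folded) path; hash rules compare SHA-256 of the file."""
    if rule["type"] == "path":
        return fnmatch.fnmatchcase(path.lower(), rule["pattern"].lower())
    if rule["type"] == "hash":
        return sha256(content) == rule["sha256"]
    return False


def decide(path: str, content: bytes, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for a program launch.

    Evaluation order: any matching deny rule denies immediately; otherwise the
    launch is allowed only if at least one allow rule matched (default deny).
    """
    allowed = False
    for rule in policy:
        if not rule_matches(rule, path, content):
            continue
        if rule["action"] == "deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    # Constructed launch attempts: (path, file bytes)
    launches = [
        (r"C:\Windows\System32\notepad.exe", b"notepad"),
        (r"C:\Windows\Temp\dropper.exe", b"unknown payload"),
        (r"C:\Users\alice\AppData\Local\Temp\update.exe", b"unknown payload"),
        (r"D:\tools\winword.exe", APPROVED_WORD_BYTES),
        (r"D:\tools\unknown.exe", b"never vetted"),
    ]
    for p, data in launches:
        print(f"{decide(p, data):5}  {p}")
```

The two deny rules illustrate the usual weakness of broad path-based allow rules: `C:\Windows\*` is convenient, but parts of that tree are writable by ordinary users, so a deny on those sub-paths (or hash rules in place of path rules) is what keeps the policy a genuine default deny. The hash rule shows the other direction: a vetted binary is permitted wherever it lives, while the same path with different bytes is not.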