Petya ransomware attack hits firms globally
27 June 2017
Although a solution to the Petya (NotPetya) ransomware has not yet been found, more than a day after it hit critical infrastructure in Ukraine and well-known brands across the world, a temporary workaround has been identified.
A single file created and placed in a specific location on a computer's C drive can stop the virus from infecting that machine. There have still been no claims by any group as to who unleashed the virus or what their end goals are.
Bleeping Computer has published a step-by-step guide on how to create the read-only file called 'perfc' and put it in the computer's "C:\Windows" folder. Doing this, rather remarkably, stops the ransomware from running further on that machine.
Like the 'kill switch' that a UK white hat hacker discovered in WannaCry, the file creation for the Petya/NotPetya virus is a workaround that stops it from running on local computers. It is not a definitive cure to the problem that has left cybersecurity experts scratching their heads.
Amit Serper, a security researcher at Cybereason, stumbled on the stop-gap solution by noticing that, once it has infected a system, Petya/NotPetya looks for a single file in the local directory and exits its encryption routine if that file already exists on disk.
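The check described above can be turned into a repeatable host-side control. The following PowerShell script is an added example, not from the article or from Bleeping Computer's guide; it assumes the file name 'perfc' and the C:\Windows location exactly as the article states, and that it is run from an elevated prompt:

```powershell
# Added example (not from the article): verify that the vaccination file
# described in the article exists in C:\Windows and is read-only, creating
# it if necessary. Assumes the file name 'perfc' from the article and an
# elevated PowerShell session (writing to C:\Windows needs admin rights).
$vaccine = Join-Path $env:SystemRoot 'perfc'

if (Test-Path -LiteralPath $vaccine) {
    Write-Host "Already present: $vaccine"
} else {
    # An empty file is enough: the malware only tests whether the file exists.
    New-Item -ItemType File -Path $vaccine -Force | Out-Null
    Write-Host "Created: $vaccine"
}

# Mark the file read-only so it is not casually deleted or overwritten.
Set-ItemProperty -LiteralPath $vaccine -Name IsReadOnly -Value $true

# Re-check so the script can double as a fleet-wide compliance probe:
# exit code 0 means the control is in place, 1 means it is not.
$file = Get-Item -LiteralPath $vaccine
if ($file.IsReadOnly) {
    Write-Host 'Vaccination file is in place and read-only.'
    exit 0
} else {
    Write-Warning 'Vaccination file is missing or not read-only.'
    exit 1
}
```

As the article notes, this only stops the local encryption routine on the host where the file exists; it does not patch the underlying vulnerabilities or stop the malware from arriving.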
This morning, it emerged that India's largest port had been hit by the attack too. A private terminal at the Jawaharlal Nehru Port Trust (JNPT) in Mumbai, run by Danish sea transport giant A.P. Moller-Maersk, had to be taken offline.
In a statement, India's shipping ministry said: "It (JNPT) has been informed by the private terminal operator that this disruption is a consequence of a worldwide disruption being faced by them because of a cyberattack.
"While the terminal operator is taking steps to address the issues disrupting the operations, it is anticipated that there could be bunching of in-bound and out-bound container cargo,"
News is just coming through about a new ransomware variant that has attacked businesses across the globe and critical infrastructure in Ukraine. Similar to WannaCry, the Petya ransomware has a couple of key differences that make it even more damaging for businesses and critical infrastructure that are not protected.
Instead of the usual single layer of encryption that most ransomware comes with these days, the new Petya variant has two layers of encryption. There is one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents the victim's computers from being booted up in a live OS environment and retrieving stored information or samples.
To make it particularly painful for the victim, once the encryption process is complete, the ransomware forcibly crashes the computer to trigger a reboot, which leaves the computer unusable until the $300 ransom is paid.
According to the BBC, those affected include British advertising agency WPP, the Ukrainian central bank, the aircraft manufacturer Antonov, and two Ukrainian postal services. Issues have also been reported by Russian oil producer Rosneft and Danish shipping company Maersk. The latter said in a tweet that disruptions are being experienced in its UK and Ireland offices too. Petya has, reportedly, also taken down Ukraine's state power distributor and Kiev's main airport.
And the attack has spread far and wide now, with Spanish media reporting that food giant Mondelez and legal firm DLA Piper have also been severely affected. In France, construction materials company St Gobain has been hit too. However, the Ukrainian government used sarcasm to signal the problem that had hit the country the hardest.
The National Cyber Security Centre (NCSC) released a statement saying: "We are aware of a global ransomware incident and are monitoring the situation closely." Rob Wainwright, Executive Director of Europol, said on Twitter that the European agency was looking into the attack too: "We are urgently responding to reports of another major ransomware attack on businesses in Europe." Sky News reported that the radiation monitoring system at Chernobyl was also affected, leading employees to "go out and measure the [radiation] levels with hand-held meters".
Ukraine has been the worst hit, though, with customers of one of its banks, Oschadbank, unable to transact. The bank has 3650 branches and 2850 ATMs across Ukraine, said Canadian journalist Christian Borys, who reports from the country.
Dr. Jamie Graves, CEO of ZoneFox, said that two things were now clear from the WannaCry and Petya attacks: that attackers now had access to cyber weaponry that could be used to bring down governments, and that it wasn't just computers shutting down but also the national power grids of countries. "The origin of this attack looks to be a phishing email that delivers a re-branded piece of ransomware, with the only addition being the NSA EternalBlue exploits that WannaCry used. This is further confirmation that we now live in a world where nation-state sponsored cyber-attacks are becoming as routine as 'real-world' incidents."
According to Forbes, U.S. pharmaceuticals giant Merck also bore the brunt of the Petya ransomware attack. Sources told the publication that both phones and PCs had been knocked out, and that the issues weren't confined to the US but had also spread to its offices worldwide, including Ireland. A spokesperson for Merck Sharp & Dohme (MSD), the U.K. subsidiary of Merck, confirmed the attack and said: "We're trying to understand the level of impact, we're trying to operate as normally as possible."
Companies affected include:
- UK: WPP
- US: Merck & Co, DLA Piper
- Ukraine: central bank, power grid and aircraft manufacturer
- Russia: Evraz, Rosneft
- Germany: Metro, Deutsche Post
- Denmark: A.P. Moller-Maersk
- Norway: unnamed "international company"
- The Netherlands: APM Terminals
This is a developing story and will be updated when we know more.
By Sunetra Chakravarti