30 June 2017

Petya ransomware slams Windows PCs shut in massive attack

by Alfred Ng

Another widespread ransomware attack is threatening to wreak havoc across the world. 

Businesses and government agencies have been hit with a variation of the Petya ransomware -- that is, malware that holds crucial files hostage. The malware is demanding $300 in bitcoin before victims can regain access.

The new ransomware, identified by security firm Bitdefender as GoldenEye, has two layers of encryption, researchers said. It locks up both your files and your computer's file system.

"Just like Petya, it is particularly dangerous because it doesn't only encrypt files, it also encrypts the hard drive as well," said Bogdan Botezatu, a senior threat analyst with Bitdefender. 

The malware forces an infected PC to reboot as soon as it finishes encrypting files, so you'll see the ransom demands as soon as possible. Researchers at Recorded Future said there's also a hidden Trojan on Petya that steals victims' usernames and passwords. 

This is the second global ransomware attack in the last two months. It follows the WannaCry outbreak that ensnared more than 200,000 computers, locking up hospitals, banks and universities. Like WannaCry, the GoldenEye and Petya attacks affect only computers running the Windows operating system.

Microsoft released patches for all Windows operating systems after the global outbreak, but people who've updated their computers could still be affected, according to Anomali, a threat intelligence company. That's because Petya can also spread through Office documents, taking advantage of yet another vulnerability and combining it with worm-like network spreading similar to WannaCry's.

More than 38 million computers scanned last week are still vulnerable to the ransomware attack because they have not patched their systems, according to data from Avast's Wi-Fi Inspector. 

"The actual number of vulnerable PCs is probably much higher," Jakub Kroustek, Avast's Threat Lab Team lead, said.

The difference between Petya and WannaCry is that Petya apparently does not have a kill-switch that could be accidentally triggered.

The hit list

Government agencies in Ukraine, along with financial firms, banks and a power distributor, got hit by the attack Tuesday morning. Russia's largest oil exporter, Rosneft, was also slammed with a cyberattack on its servers.

More than half of the attacks occurred in Ukraine, according to Costin Raiu, director of global research at Kaspersky Lab. Tensions between Ukraine and Russia continue to boil over cyberattacks between the two neighboring nations.

Ukrainian Prime Minister Volodymyr Groysman called the attack "unprecedented," but also said crucial IT systems were unaffected by the malware. "Our IT experts are doing their work and protecting strategic infrastructure," Groysman said in a post on Facebook.

Rosneft said the cyberattack did not affect its oil production because it had switched to a reserve control system.

US-based pharmaceuticals giant Merck said Tuesday that its computer network was "compromised as part of [the] global hack."

A.P. Moller-Maersk, the world's largest shipping company, said it suffered a cyberattack that took down multiple IT systems. 

IT systems for WPP, one of the world's largest advertising agencies, also were affected by a cyberattack. DLA Piper, a law firm operating in more than 40 countries, said it had been hit with suspected malware as well.

Researchers from Symantec confirmed that the GoldenEye ransomware used EternalBlue, the NSA exploit that fueled WannaCry's spread. So far, more than $4,600 has been paid to the attackers' bitcoin wallet in 19 payments.

Security experts and government agencies recommend against paying ransoms, and GoldenEye is no different. The attackers behind Tuesday's attacks were using a Posteo email address for victims to contact them and arrange payment of the ransom.

Posteo shut down the account before the ransomware spread, and is working with German police to figure out who set up the email address.

It's still unclear who's behind the Petya attacks. Researchers still have not found the hackers responsible for WannaCry, though the NSA has linked that attack to North Korea.

The source code for Petya's ransomware had been available on the dark web since April and had been used multiple times, with the malware authors taking 15 percent of the profit, according to Avast.

Originally published June 27 at 8:14 a.m. PT.

Updated at 10:11 a.m. PT: Incorporated more details on the ransomware and who has been affected. Updated at 11:40 a.m. PT: Added that the email address behind the ransomware has been shut down.
