It hasn’t even been seven weeks since WannaCry, “the biggest ransomware attack of its kind,” and here we are again. On Tuesday a new ransomware attack began, quickly (and perhaps prematurely) dubbed ‘Petya’, which is currently spreading across the world, crippling computer systems and demanding that victims pay up to regain access to their files.
Yesterday morning sources revealed that the software used is not a form of Petya, as was being widely reported, but a new form of ransomware. “Our preliminary findings suggest that it is not a variant of Petya ransomware, as has been publicly reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality. We have named it ExPetr,” Kaspersky’s Principal Security Researcher, David Emm, told Memoori.
Early signs suggest that ExPetr has been seeded through a software update mechanism built into an accounting program required by companies working with the Ukrainian government, according to the Ukrainian Cyber Police.
— Cyberpolice Ukraine (@CyberpoliceUA) June 29, 2017
Numerous organizations in Ukraine were among the first hit on Tuesday, including the radiation monitoring system for the exclusion zone at the former nuclear plant in Chernobyl, which was taken offline, forcing workers to use hand-held counters for the vital measurements.
Ukraine has been the target of other cyber attacks in recent years, including assaults on its power grid at the end of 2015 and 2016, when it pointed the finger of blame at Russia amid the tension from rebel fighting in eastern Ukraine. Similar to last month’s WannaCry attack, this latest ransomware is spreading quickly and internationally.
ExPetr has already brought down systems at large firms in Europe and the US, including the British advertising company WPP, Danish shipping and transport giant AP Moller-Maersk, French construction materials firm Saint-Gobain, food company Mondelez, legal organization DLA Piper and Heritage Valley Health System, which runs hospitals and care facilities in Pittsburgh. Interestingly, considering suspicions of Russian involvement, the new ransomware attack also hit Russian steel and oil firms Evraz and Rosneft.
In fact, Ryan Kalember from cyber security company Proofpoint, suggests ExPetr “has a better mechanism for spreading itself than WannaCry” – and WannaCry managed to infect 230,000 computers in over 150 countries, disabling the UK’s national health service, Spanish communications giant Telefónica and the German state railway.
Like WannaCry, the ExPetr ransomware exploits the EternalBlue and EternalRomance vulnerabilities in Microsoft Windows in order to propagate throughout a corporate network. Microsoft released a patch for these vulnerabilities shortly after the WannaCry attack, but it is likely that many organizations have yet to install it. However, there is a key difference from WannaCry that could mean victims may not be able to recover their files even if they pay.
“One of the key differences from WannaCry is that there doesn’t appear to be a kill-switch, i.e. a mechanism that will stop it from infecting. This is why it’s essential to ensure that systems are fully updated and to ensure that data is backed up regularly,” David Emm told us yesterday.
Whereas WannaCry created a custom address for every victim, ExPetr uses the same address each time. It also provides a single email address for victims to communicate with the attackers, which was quickly suspended by the email provider, leading some to suggest that the cyber criminals were amateurs and others to suggest that money was not the primary objective of the attack.
Whatever the reasons behind this latest incident, it underlines the need for better protection in what seems to be just the beginning of a new era of frequent cyber threats, be they ransomware, DDoS or other forms. However, with so many styles and points of attack, true protection becomes a tricky business. Kaspersky’s Emm believes we are best protected by developing a culture of security, as he discussed in-depth in an interview with Memoori last week.
“ExPetr uses modified EternalBlue and EternalRomance exploits for propagation within a corporate network. So ensuring that systems are robust by applying security updates is a key element in blocking this attack, as well as preventing execution of specific files used by the malware,” Emm added yesterday, after the ExPetr attack.
“That said, it remains vital for businesses to develop a security culture to reduce the risk of staff clicking on dangerous links and attachments and so spreading malware. This takes time and needs continual reinforcement – it’s a cultural shift that’s required, rather than training staff to do specific things.”