Yesterday the news broke that another piece of ransomware was spreading through systems in Europe. This ransomware, which belongs to the “Petya” family, targeted primarily businesses and spread fastest in Ukraine.
Although no new techniques or exploits were used in this attack, the combination of known exploits and clever tactics led to the infection of thousands of computers.
When a computer is infected with the Petya virus, it reboots, displays a flashing skull, and then shows a lock screen.
The user’s computer is completely locked and their data fully encrypted. Users are then prompted to pay $300 in Bitcoin to a Bitcoin wallet and to notify the attackers by email of the payment, after which the attackers would supposedly release the encryption key to the user.
The Petya virus hit many high-profile corporations, including Merck and Rosneft, and even nuclear power facilities in Ukraine. The software used an exploit called EternalBlue to gain access to networks. The same exploit was used in the WannaCry attack that tore through Europe and the United Kingdom in May. It is suspected to have been developed by the NSA and was leaked to the public by a group called the Shadow Brokers.
If this sounds like the plot of a Jason Bourne movie, you’re not alone. Cyber attacks are becoming more frequent, more sophisticated and more impactful. With the increase of attacks and increase in the availability of tools and exploits to criminals, it’s more important than ever to take early safeguards to prevent this from happening to you.
Both yesterday’s Petya virus and the WannaCry attack in May were completely preventable. The exploits used in these attacks were already known, and vendors had already released the necessary patches. The biggest factor that left these systems vulnerable was how outdated they were. Running an up-to-date, currently patched and secure system is critical. If you have not updated your operating system, browser or whatever other software you use, you need to do so now.
Another important factor in these attacks was the absence of any sort of firewall or antivirus software. SonicWall, a leading provider of network security and a premier vendor at Executech, had provided protection against these threats several months ago. Customers that use the SonicWall Gateway Security service receive real-time updates and signatures for these threats. Our managed IT services clients always have the most up-to-date patches, since we vet and install them as their provider.
SonicWall’s recent blog post about the Petya attack clarified its customers’ protection by saying, “Today, June 27, SonicWall Capture Labs began tracking a high number of Petya ransomware attacks against SonicWall customers. Petya as a malware payload is not new. In fact, we reported in the 2017 Annual SonicWall Threat Report that it was second only to Locky in the number of infections we noted last year. The good news for SonicWall customers that are using our security services is that we have had signatures for certain variants of Petya since March 2016. Then, in April 2017 Capture Labs analyzed and released protection for the EternalBlue exploit that Shadow Brokers leaked from the NSA.”
Although the ransomware continues to spread, the email provider has deactivated the address the attackers used to confirm Bitcoin payments, so victims can no longer contact them that way. The investigation is ongoing, and we will update this article when further information becomes available.