A massive cyberattack similar to WannaCry was unleashed around the world yesterday. The brunt of the attack was felt in Ukraine, leading many to speculate that it is a retaliatory move by Russia against the sanctions Ukraine imposed a few weeks ago. At that time, Ukraine outlawed many Russian websites and online services, forcing Internet Service Providers to block access to them.
Early reports claimed that the attack was being carried out by malware called Petya but cybersecurity experts at Kaspersky Lab have gone on the record to clear this point up:
“Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. That is why we have named it NotPetya.”
According to Kaspersky, by Tuesday evening around 2,000 computers had been infected with the new form of ransomware, which is now being dubbed Petya.A, Petwrap, and NotPetya. Several cybersecurity firms have come forward to say that the new malware also makes use of a hacking tool called EternalBlue.
EternalBlue leverages a vulnerability in the Windows Server Message Block protocol (SMBv1). The elite hacking tool is believed to have been stolen from the NSA (the Equation Group hackers) by the cybercriminals known as the Shadow Brokers.
Since the Shadow Brokers leaked the NSA’s hacking tools, a number of ransomware and malware variants have popped up, among them Wannacrypt0r, Petya, and this latest one, Petya.A. Other malware has also been using the EternalBlue exploit (together with the DoublePulsar backdoor) to mine cryptocurrency, Adylkuzz being one example.
The Wannacrypt0r attack was one of the largest the world has ever seen, with computers at businesses and organisations all over the world suffering downtime due to the ransomware.
Microsoft had issued an update that fixes the vulnerability in its Windows operating system before the WannaCry attack. Sadly, however, many computers may have failed to get the update and remain vulnerable.
It is also possible that Petya.A is infecting computers via phishing emails. A Microsoft spokesperson told me that Windows antivirus and Windows Defender both recognize and remove this virus as Windows32.Petya.A. In addition, the spokesperson told me the following:
“Our initial analysis found that the ransomware uses multiple techniques to spread, including one which was addressed by a security update previously provided for all platforms from Windows XP to Windows 10 (MS17-010). As ransomware also typically spreads via email, customers should exercise caution when opening unknown files. We are continuing to investigate and will take appropriate action to protect customers.”
On this occasion, it would appear that Ukraine has borne the brunt of the attacks. Among those that have suffered from the attack are Ukraine’s central bank, government departments, a state-run aircraft manufacturer, Kiev’s Boryspil airport, petrol stations, the metro system, and a state-run telecoms company.
The full list of firms that have come forward as having been impacted demonstrates just how intensely Ukraine has been affected by this attack:
- Cabinet of Ministers of Ukraine
- Interior Ministry of Ukraine
- Ministry of Culture
- Ministry of Finance
- National Police (including regional websites)
- Kyiv State City Administration
- Lviv City Council
- Ministry of Energy
- National Bank
- OTP Bank
- Boryspil International Airport
- Kyiv Metro
- Ukrzaliznytsia (major railway carrier)
- Radio Era-FM
- Pershyi Natsionalnyi
- Telekanal 24
- Liuks Radio
- Maksymum Radio
- KP in Ukraine
- ATR TV channel
- Nova Poshta
- Naftohaz Ukrainy
- Arcelor Mittal
- Cell phone operators
- Vodafone Ukraine
- Borys Medical Center
- Arterium Corporation
Although similar to WannaCry, Petya.A is actually slightly more sophisticated because it allegedly has the ability to spread through three separate Windows weaknesses. First, the virus checks to see whether it can exploit the SMB protocol; if not, it moves on to two administrative tools. Ryan Kalember from Proofpoint has commented,
“It has a better mechanism for spreading itself than WannaCry.”
According to Ukrainian police, the attack appears to have originated in the software update mechanism of an accounting program that firms are required to use by the Ukrainian government. That is why so many Ukrainian private, state-owned, and government organisations have fallen prey. As such, this cyberattack appears to have spread through Ukraine independently of the EternalBlue Windows exploit contained within Petya.A.
Given this initial form of infection, there can be little doubt that this cyberattack was aimed directly at Ukraine. For this reason alone, Russia is currently considered the biggest suspect. However, it may be too early to definitively point the finger at the Russians, especially considering that the WannaCry attack is being blamed on North Korea’s state-sponsored hackers (Bureau 121, also known as Lazarus).
Despite locking up computers and asking for $300 worth of bitcoin, this attack appears not to be motivated by money. Usually, ransomware operators ask each victim to pay their Bitcoin ransom to a different wallet address, which makes the payments harder to trace. On this occasion, however, the ransom note gives the same Bitcoin payment address to every victim.
In addition, the ransom note asks all victims to communicate via just one email address: email@example.com. That address was shut down by the email provider as soon as it was known to be part of this attack.
This leads us to conclude that either the perpetrator is an inept amateur, or simply wasn’t interested in the ransom in the first place. Security researcher Nicholas Weaver agrees with this assessment and has commented that he believes the Petya.A attack was a “deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.”
Many Countries Hit
Despite primarily affecting Ukraine, the ransomware attack has spread internationally. What’s more, attacks have been felt in Russia, where the oil company Rosneft and the steel company Evraz have been affected. In addition, the Chernobyl nuclear power plant has had to switch to manual radiation monitoring due to the ransomware.
In fact, attacks have been reported all over the world. In Spain, a food company called Mondelez (which makes Oreo biscuits, among other things) was hit by the cyberattack. In Denmark, the international shipping company Maersk has had multiple computer terminals brought to a standstill, including the firm’s Russian arm Damco. In France, the construction materials company Saint-Gobain also suffered at the hands of the attack.
In the UK, marketing firm WPP announced on Twitter that it was suffering as a result of the cyberattack. In the US, one of the world’s largest law firms, DLA Piper, has reported computers and phones being affected.
Furthermore, the German firm Deutsche Post has also been hit, though it appears that only its express division within Ukraine has suffered.
In addition, victims in India have been reported, and Kaspersky made the following statement:
“Organisations in Russia and Ukraine are the most affected, and we have registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.”
For now, it remains a mystery exactly who carried out this attack. Assuming that the perpetrator isn’t an amateur (which it could be) then there are a few possibilities. Either this truly was an act of cyber-warfare from Russia, or some other state actor, terrorist organization, or lone wolf hacker has carried out the attack in a way that appears to frame the Russians. We will have to wait and see where the digital clues lead.
Opinions are the writer’s own.