With the latest global ransomware attack sweeping the world on Tuesday, just over a month after WannaCry, it would seem businesses are still unprepared for cyber attacks.
Experts believe this new ransomware to be similar to GoldenEye, a variant of the Petya virus first reported in early 2016, according to MailGuard, and used in partnership with malware Mischa.
Petya takes advantage of vulnerabilities in EternalBlue, a Windows SMB exploit leaked in April by hacker group The Shadow Brokers.
Sententia cyber security practice manager Tony Vizza believes this ransomware variant differs to WannaCry in that it has no broad-spectrum and easy to deploy kill-switch.
He said this week's outbreak was another case where unpatched Windows systems appeared to be the entry point.
"Then it propagates within a local network using legitimate remote admin tools and password crackers to infect local computers," Vizza told CRN.
Different from other ransomware, Petya does not just encrypt files; rather, it reboots the victim's computer and encrypts the hard drive.
The Missing Link senior security architect Dinesh Aggarwal said: "Petya reboots victims' computers and encrypts the whole disk, including the MBR [master boot record] by replacing the computer's MBR with its own malicious code. It can pull passwords from the infected server to spread through the network.
As there is no easy-to-deploy kill-switch, Vizza believes Petya could surpass WannaCry in damages.
"This variant will almost certainly exceed WannaCry in terms of impact and damage. Sadly it appears that the lessons from WannaCry with regards to patching and vulnerability mitigation simply were not heeded," he said.
Aggarwal said he hoped most systems had been patched since WannaCry hit systems last month and believes the initial infection should be smaller. He did point out that once inside a network it can spread without the EternalBlue exploit affecting patched networks.
None of Sententia's direct customers have been affected, however, the solutions provider has been contacted by other parties and are currently assisting these with prevention measures.
Vizza suggested the following precautions: "Patch your systems, backup your systems, update deprecated operating systems and have effective endpoint protection in place. Conduct a vulnerability assessment. If unsure, transfer your information security risk to an accredited managed security services provider."
The Missing Link's Aggarwal also suggested that SMB V1 be disabled.
"Users are advised not to pay the ransom because the email address used by the criminals to communicate with victims after getting the ransom to send the decryption keys has been suspended by its German email provider," he said.
On Tuesday, a Tasmanian Cadbury factory was hit by the ransomware and was forced to shut down its activities.
According to a MailGuard blog, the attack vector is suspected to be a malicious attachment delivered via email, though this has not been confirmed. Windows users can use Applocker to stop the execution of the file perfc.dat.
Minister assisting the Prime Minister for cyber security Dan Tehan said the Government was working to confirm that two Australian businesses had been affected by today’s global ransomware attack.
TNT Australia has warned customers that it is "experiencing interference with some of our systems within the TNT network. We are assessing the situation and are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers".
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
