
Petya ransomware attack and what you need to know

Blog

All organisations face digital disruption … but Petya is digital disruption you don’t want to experience. Don’t be caught out.

On 27 June, a new wave of ransomware, known as Petya or Petrwrap, hit organisations across Russia, Ukraine, Spain, France, the UK, India, and elsewhere in Europe.

Victims are instructed to pay USD 300 in bitcoins to recover their files.

What is Petya and how does it work?

Petya is a highly virulent, self-replicating ransomware, capable of encrypting all the files on laptops, servers, and network drives, and spreading autonomously throughout organisations. It uses a similar exploit propagation technique to the WannaCry ransomware, and uses the same mode of attack - phishing emails with Word and Excel documents attached. This delivery method is leveraged to install malicious files. Like WannaCry, Petya targets vulnerabilities that are addressed by Microsoft’s security patch MS17-010 and other Microsoft Office security patches that have been available since April this year.

Dimension Data identified this latest spate of incidents through our Global Threat Intelligence capability in NTT Security. The NTT Security Global Threat Intelligence Centre protects and informs clients via focused security threat research into the global threat landscape, providing actionable threat intelligence, along with enhanced threat detection and mitigation.

What’s different about it?

Petya works very differently from other ransomware as it doesn’t encrypt files on a targeted system, but instead reboots victims’ computers and encrypts the hard drive’s master file table. This renders the master boot record (MBR) inoperable and restricts access to the entire system, because the encrypted table holds the information about file names, sizes, and locations on the physical disk.

Petya replaces the system’s MBR with its own malicious code which displays the ransom note and leaves computers unable to reboot. At this time there’s no functional recovery process available, which means that Petya presents an increased risk when compared to other ransomware.

The malware also has enhanced capabilities which allow it to propagate laterally across the network. It includes PsExec, a command-line tool, to run processes on remote systems, as well as Windows Management Instrumentation Command-line (WMIC), a scripting interface into Windows systems. Unlike WannaCry, Petya includes a modified mimikatz credential dumping tool to extract user credentials from memory.
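The PsExec and WMIC lateral movement described above leaves traces in Windows process-creation auditing. The following PowerShell function is an added example, not code from the original post or from Dimension Data; it assumes that "Audit Process Creation" (event ID 4688) and command-line logging are enabled, and that the OS records the ParentProcessName field (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the original post): hunt the Security log for process
# creations that look like PsExec or WMIC lateral movement.
# Assumes event 4688 auditing with command-line logging is enabled.
function Find-LateralMovementProcessEvents {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

        $process = [string]$data['NewProcessName']
        $cmdLine = [string]$data['CommandLine']
        $parent  = [string]$data['ParentProcessName']

        $reason = $null
        if ($process -match '\\PSEXESVC\.exe$') {
            $reason = 'PsExec service binary started: this host is a PsExec target'
        } elseif ($cmdLine -match '(?i)\bwmic(\.exe)?\b.*\s/node:') {
            $reason = 'WMIC invoked against a remote node: this host is a source'
        } elseif ($parent -match '\\WmiPrvSE\.exe$' -and $process -notmatch '\\WmiPrvSE\.exe$') {
            $reason = 'Process spawned by the WMI provider host: possible remote WMI execution'
        }

        if ($reason) {
            [pscustomobject]@{
                TimeCreated = $event.TimeCreated
                Computer    = $event.MachineName
                Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $process
                CommandLine = $cmdLine
                Parent      = $parent
                Reason      = $reason
            }
        }
    }
}

# Usage: last 24 hours on the local host, newest first.
Find-LateralMovementProcessEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Legitimate administration tooling also triggers these matches, so treat hits as leads to be correlated with the account, the time of day and the number of hosts touched, not as verdicts.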

More recent analysis has revealed that Petya is simply malware masquerading as ransomware with the more nefarious intention of damaging and destroying target systems. This has led researchers to rename the malware as NotPetya or GoldenEye, to describe its unique wiping capabilities. NotPetya attacks are therefore not financially motivated - rather, the malware is used as a cyber weapon to cause malicious damage through the destruction of data. It hasn’t yet been causally linked to any nation-state or state-sponsored group.

What’s the impact?

Any system infected with Petya or NotPetya will be encrypted and organisations will lose access to the system and all files previously stored on it. Naturally, this causes a significant loss to the availability of sensitive information and internal systems, which is likely to affect daily operations.

Who’s being targeted?

The Petya ransomware has already infected Russian state-owned oil giant Rosneft, and Ukrainian state electricity suppliers Kyivenergo and Ukrenergo. Several banks, including the National Bank of Ukraine and Oschadbank, have also confirmed that they’ve been hit. The hack has since spread to the UK, with advertising firm WPP being affected. Several Danish and Spanish multinationals have also been paralysed by the attack.

How can you protect your organisation?

Although no one is immune to cyber threats, many organisations are continuing to neglect basic cyber hygiene standards. Improved security practices can limit the scope, impact, and effectiveness of widespread and agile ransomware distribution. Organisations must get on the front foot to understand their risks and have a clear strategy to manage them.

Encourage your employees to be suspicious of the e-mails they receive, particularly those that ask them to open attached documents or click on web links. If they haven’t done so already, IT teams should consider a holistic and layered approach to secure their infrastructure:

  • Deploy the MS17-010 and CVE-2017-0199 patches.
  • Disable SMBv1.0.
  • Back up data and ensure it’s kept offline or air-gapped.
  • Conduct security education and awareness training.
  • Restrict administrative privileges.
  • Enforce network segmentation to limit network propagation.
  • Deploy end-point protection controls.
  • Implement email and web filtering to minimise exposure.
  • Update incident response playbooks.
  • Detect/blacklist all incoming or outgoing emails from wowsmth123456@posteo.net
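The first two items on the list, MS17-010 coverage and SMBv1.0 status, can be audited and remediated per host. The function below is an added example, not code from the original post or from Dimension Data; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (for the SmbShare and Dism modules), and the default KB list is an assumption that must be checked against the MS17-010 bulletin for your OS builds.

```powershell
# Added example (not from the original post): report whether a host still has SMBv1
# enabled and whether a known MS17-010 update is installed; optionally disable SMBv1.
function Get-PetyaHygieneStatus {
    [CmdletBinding()]
    param(
        # Assumed list of MS17-010 KB identifiers; verify against the bulletin for your OS build.
        [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                                  'KB4012214', 'KB4012217', 'KB4012598', 'KB4013429'),
        [switch]$Remediate
    )

    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # Get-HotFix lists installed updates by KB id. On Windows 10 the MS17-010 fix ships
    # in cumulative updates, so a later cumulative update supersedes the ids above.
    $installedKbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched = @($Ms17010Kbs | Where-Object { $installedKbs -contains $_ })

    if ($Remediate -and $smb1Enabled) {
        # Turn off the SMBv1 server, then remove the optional feature (covers the client side).
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Smb1Enabled     = $smb1Enabled
        Ms17010KbsFound = $patched
        Ms17010Covered  = ($patched.Count -gt 0)
        NeedsAttention  = ($smb1Enabled -or $patched.Count -eq 0)
    }
}

# Usage: audit only (add -Remediate to disable SMBv1; a reboot completes the feature removal).
Get-PetyaHygieneStatus | Format-List
```

Because superseding cumulative updates hide the original KB ids, treat "Ms17010Covered = False" on Windows 10 as a prompt to confirm the installed cumulative update level rather than as proof the host is unpatched.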

We also urge you to conduct vulnerability assessments on your assets to identify vulnerable systems. This will allow you to prioritise patching and other remediation efforts.

For more insights and analysis of the global cyber threat landscape, download the Executive’s Guide to the 2017 Global Threat Intelligence Report or listen to our webinar here.
