Petya, the most dangerous ransomware

Amit Roy, executive vice president and regional head for EMEA at Paladion, discusses the latest ransomware attack, Petya, with Security MEA and describes the steps regional businesses should take to secure themselves against it.

What caused Petya to spread so fast and so wide, and what kind of damage has this latest attack caused?

In Europe, Ukraine is the country most affected by the Petya ransomware. However, reports have shown that no fewer than 65 countries, including Ukraine, Belgium, Brazil, Germany, Russia, India and the United States, are impacted. Initial findings claim that more than 12,500 machines were infected in Ukraine alone.

The latest speculation in the InfoSec community is that these attacks may not be financially motivated; the attacks could be aimed at crippling critical infrastructure to wreak havoc at random.

M.E. Doc, a Ukraine-based accounting software package, seems to be the primary attack vector. According to sources, an unknown attacker compromised M.E. Doc's update server and later pushed a malicious .DLL file as an update. Once the update reached and executed on clients' systems, it initiated the further infection and spreading phases.

It is possible that this ransomware campaign was intended to cause widespread damage to organizations based in Ukraine. This assessment is based on the attacker’s knowledge of M.E. Doc’s infrastructure, which played a crucial role in compromising their update systems and spreading the malware.

Other loosely associated facts are the following:

  • The attacks were launched one day before Ukraine's Constitution Day, a national holiday, which would make clean-up more difficult.
  • The attacks also occurred on the same day that a top Ukrainian counter-intelligence official, Col. Maksym Shapoval, was killed by a car bomb. Mr Shapoval was heavily involved in Ukrainian intelligence operations in the Donbass.

Between the two recent ransomware attacks, which one would you consider to be the more serious, Petya or WannaCry?

Petya is said to be the most dangerous and intrusive ransomware the world has seen so far, because unlike the recent WannaCry ransomware, which locked user files but not the system partition (e.g. "C:"), Petya restricts the user to the initial (bootloader) screen by locking out the entire system drive, which is far more intrusive for a ransomware.

The Petya ransomware also employs several other tools, exploits and approaches to make sure that if one attack vector fails, others can complete the job (e.g. infecting and spreading), whereas in the case of WannaCry a single exploit (ETERNALBLUE) and one backdoor (DOUBLEPULSAR) were observed.

Has your team of researchers followed this attack, and what has been its impact on Middle Eastern businesses?

Paladion's Threat Research team has followed the Petya attacks since they originated in Ukraine and has studied samples to understand the infection routes, phases and spread. Our internal teams, customers and partners received an actionable threat advisory on Petya on June 27th. Paladion's security researchers continue to closely follow this threat and have validated several theories associated with Petya (e.g. the kill-switch or vaccine).

According to our findings, the Middle East region has escaped the wrath of this ransomware and has not been impacted by the Petya incident.

How is Paladion ensuring its customers are not affected by such an attack?

The company has a constellation of six Security Operations Centres (SOCs) at key locations across the globe, and these SOCs are staffed by information security researchers, malware engineers, ethical hackers and others who closely monitor global cyber threats. Threat intelligence from our research teams is rapidly disseminated to all our security operations teams, including security analysts, investigators, threat hunters, incident responders and forensic investigators, so they are equipped to protect our customers from the latest threats.

This includes ensuring our customers are able to prioritize the right vulnerabilities to patch, so attackers cannot exploit weaknesses in their defences, and using advanced cyber tools such as Paladion's own situational awareness software, which identifies indicators of compromise to mitigate threats.

What should companies do to secure themselves against a Petya attack?

To mitigate or limit the adverse effects of the Petya cyber menace, one can adhere to the following best practices. Since this ransomware variant targets Microsoft's Office/WordPad RCE vulnerability and the SMB vulnerability, users should ensure that all security issues are patched.

  1. Disabling SMBv1 is required.
  2. Network and host-based firewalls should actively block TCP/445 traffic from untrusted systems.
  3. Isolate any unpatched systems from the network to prevent them from getting infected.
  4. Refrain from opening any .rtf, .doc or .xls files received from unknown sources, or without validating them first.
  5. Keep an offline backup of critical data on desktops and servers.
  6. Use the released vaccine to keep hosts immune from the Petya massacre.
  7. Limit user access privileges. The malware only succeeds in overwriting the MBR if it is able to run with the highest privileges.
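As an added example (not from the interview, Paladion or Security MEA), the following PowerShell script applies items 1, 2, 6 and 7 of the list above on a single Windows host and reports the last patch date for the patching check. It assumes an elevated session on Windows 10 / Server 2016 or later (for the SMB, NetSecurity and LocalAccounts cmdlets), that the trusted subnet 10.0.0.0/24 is a placeholder to be replaced with your own management range, and that the vaccine consists of read-only files named perfc, perfc.dat and perfc.dll under %WINDIR%; those file names come from public reporting on the June 2017 vaccine, not from this page, and should be confirmed against your own threat advisory before deployment. Note that Windows Defender Firewall evaluates Block rules before Allow rules, so the script does not try to "block untrusted, allow trusted" with two overlapping rules; it sets the inbound default to Block, disables the built-in SMB-In allow rules, and adds one Allow rule scoped to the trusted subnets.

```powershell
#Requires -RunAsAdministrator
# Added example for the mitigation list above; not code from the original article.
# Assumptions: Windows 10 / Server 2016+, elevated session, placeholder subnet below.

function Test-Smb1Disabled {
    # Item 1 check: $true when the SMBv1 server protocol is switched off.
    $cfg = Get-SmbServerConfiguration
    return (-not $cfg.EnableSMB1Protocol)
}

function Disable-Smb1 {
    # Item 1: turn off the SMBv1 server protocol and remove the optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
}

function Set-Smb445FirewallPolicy {
    param(
        # Placeholder (assumption): replace with the subnets that legitimately need SMB access.
        [string[]]$TrustedSubnets = @('10.0.0.0/24')
    )
    # Item 2: inbound default Block on every profile so that anything without an Allow rule is dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    # Disable the built-in "File and Printer Sharing (SMB-In)" allow rules that open TCP/445 broadly.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SMB-In*' } |
        Disable-NetFirewallRule
    # Allow TCP/445 only from the trusted subnets; all other sources fall through to the default Block.
    New-NetFirewallRule -DisplayName 'SMB-In from trusted subnets only' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $TrustedSubnets -Action Allow -Profile Any | Out-Null
}

function Set-PetyaVaccine {
    # Item 6: create read-only vaccine files in %WINDIR%. File names are taken from public
    # reporting on the 2017 vaccine (assumption, not stated on the page); confirm before use.
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $env:WINDIR $name
        if (-not (Test-Path $path)) {
            New-Item -Path $path -ItemType File | Out-Null
        }
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    }
}

function Get-LocalAdminAudit {
    # Item 7: list who holds local administrator rights. The interview notes that the MBR
    # overwrite only succeeds with the highest privileges, so every unexpected member is risk.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-LastPatchDate {
    # Patching check: most recent installed update, to compare against your patch SLA.
    (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
}

function Invoke-PetyaHardening {
    if (-not (Test-Smb1Disabled)) { Disable-Smb1 }
    Set-Smb445FirewallPolicy
    Set-PetyaVaccine
    Write-Host "Last installed update: $(Get-LastPatchDate)"
    Write-Host 'Local Administrators group members:'
    Get-LocalAdminAudit | Format-Table -AutoSize
}

Invoke-PetyaHardening
```

Items 3, 4 and 5 (network isolation of unpatched hosts, user handling of Office attachments, offline backups) are process controls rather than host settings and are not scripted here; disabling the SMBv1 feature may require a reboot to take full effect, which the script deliberately does not force.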