5 July 2017

How the GoldenEye/Petya ransomware attack reveals the sorry state of cybersecurity

By Brandon Vigliarolo 

The latest global ransomware outbreak has rapidly affected governments and organizations around the world. The worst part? We should have known better. 

A new ransomware attack is claiming victims, both private and governmental, around the world.

It has struck heavily in Ukraine, where the interior ministry is calling it the largest cyberattack in the nation's history. It has also hit Denmark, Russia, the UK and the US, and many signs point to it being worse than last month's WannaCry outbreak.

What makes the latest attack, a clone of the GoldenEye variant of the Petya family, even worse is how it spreads: through the same SMB flaw (the one Microsoft fixed in MS17-010) that enabled WannaCry to infect computers. How was GoldenEye able to go global despite widespread coverage of its predecessor?

What GoldenEye/Petya is

While it's still too early to determine the full extent of the damage this outbreak has caused, security research firm Bitdefender has identified the ransomware and knows what it's capable of.

This latest attack is using a nearly identical clone of GoldenEye, itself a member of the Petya family of ransomware. Petya, like other ransomware, holds data hostage and makes users pay to get it back.

GoldenEye goes one step further, however: It encrypts files and then the NTFS Master File Table (MFT), replacing the Master Boot Record with its own boot code, so infected computers won't even boot Windows. They simply load a notice of infection and instructions on how to pay the ransomers. Because the MFT is what maps file names to their contents on disk, the whole volume is unreadable even where individual files were never touched.

Where GoldenEye/Petya has been discovered

This latest attack, much like WannaCry, has hit some major targets: 
Maersk (Danish energy and transportation company) 
Rosneft (Russian oil company) 
The Kiev metro system (Ukraine) 
Chernobyl's radiation monitoring system (Ukraine) 
Boryspil airport (Ukraine) 
National Bank of Ukraine 
DLA Piper (British law firm) 
WPP (British advertising and PR firm) 
Merck (US pharmaceutical company) 

This is a preliminary list that is likely to grow, but it reveals the global scale of the outbreak even in this early stage.

Lesson not learned

Bitdefender says it isn't sure where the GoldenEye/Petya outbreak originated, but it does know how it is getting in: through the EternalBlue exploit used by WannaCry.

WannaCry was only around a month ago, and here we are right in the middle of its second coming.

There isn't a lot of room for security leaders to wiggle out of responsibility for this outbreak. If the vulnerability exploited by WannaCry had been patched, as Microsoft had made possible with the MS17-010 update in March and, after WannaCry, with out-of-band patches for Windows versions it no longer supports, GoldenEye/Petya would have been a footnote instead of a headline.

Instead we're reeling from a ransomware attack that has compromised the ability of Ukrainian officials to monitor radiation levels at Chernobyl, disrupted banks, and even crippled US businesses.
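The two paragraphs above come down to one exposure: hosts that still answer SMBv1 on TCP/445 without MS17-010 installed. The script below is an added example, not code from the article or from Bitdefender. It sends an SMB1-only NEGOTIATE (offering just the NT LM 0.12 dialect) and classifies the reply, so a defender can sweep a network for hosts that still speak the protocol EternalBlue targets. It assumes direct-TCP SMB on port 445 and a Windows-style server that simply closes the connection when SMBv1 is disabled; the "smb1" result means the protocol is exposed, not that the patch is missing, so treat it as a prioritisation signal for patching and for turning SMBv1 off.

```python
"""SMBv1 exposure probe: does a host still answer an SMB1 (NT LM 0.12) negotiate?

Added example, not code from the article or from Bitdefender. EternalBlue
targets the SMBv1 server on TCP/445, so a host that still negotiates SMBv1
is exposed until MS17-010 is installed; disabling SMBv1 removes the exposure
even on an unpatched host. Assumptions: direct-TCP SMB on port 445, and a
Windows-style server that simply closes the connection when SMBv1 is off.
A 'smb1' result means the protocol is exposed, not proof of a missing patch.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32
DEFAULT_DIALECTS = (b"NT LM 0.12",)  # offer only SMB1 so the answer is unambiguous


def build_smb1_negotiate(dialects=DEFAULT_DIALECTS) -> bytes:
    """Build a NetBIOS-session-framed SMB_COM_NEGOTIATE request offering `dialects`."""
    # SMB1 header: Command, NTSTATUS, Flags, Flags2, PIDHigh, SecuritySignature,
    # Reserved, TID, PIDLow, UID, MID (32 bytes including the magic).
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0, b"\x00" * 8,
        0, 0, 0xFEFF, 0, 0)
    # Each dialect is a "Dialect" buffer: 0x02 format byte + ASCII name + NUL.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data  # WordCount=0, ByteCount, buffer
    pkt = header + body
    return b"\x00" + len(pkt).to_bytes(3, "big") + pkt  # NetBIOS session message


def classify_negotiate_response(resp: bytes, offered=DEFAULT_DIALECTS) -> str:
    """Classify the raw reply to an SMB1-only negotiate.

    'smb1'    server selected one of the offered SMB1 dialects (exposed)
    'smb2'    server answered with an SMB2 header (only possible if an SMB2
              dialect string was offered as well)
    'refused' SMB1 reply with DialectIndex 0xFFFF or an error status
    'none'    empty, truncated or non-SMB reply (Windows with SMBv1 disabled
              closes the connection, which lands here)
    """
    if len(resp) < 4:
        return "none"
    pkt = resp[4:]  # drop the 4-byte NetBIOS session header
    if pkt.startswith(SMB2_MAGIC):
        return "smb2"
    if not pkt.startswith(SMB1_MAGIC) or len(pkt) < SMB1_HEADER_LEN + 3:
        return "none"
    status = struct.unpack_from("<I", pkt, 5)[0]      # NTSTATUS follows Command
    word_count = pkt[SMB1_HEADER_LEN]                  # 17 for an NT LM 0.12 reply
    if status != 0 or word_count == 0:
        return "refused"
    dialect_index = struct.unpack_from("<H", pkt, SMB1_HEADER_LEN + 1)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(offered):
        return "refused"
    return "smb1"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or fewer if the peer closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the SMB1-only negotiate and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            hdr = _recv_exact(sock, 4)
            if len(hdr) < 4:
                return "none"
            body = _recv_exact(sock, int.from_bytes(hdr[1:4], "big"))
    except OSError:  # connection refused, reset or timed out
        return "none"
    return classify_negotiate_response(hdr + body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {probe_smb1(target)}")
```

Run it as `python3 smb1_probe.py <host>` against hosts you are authorised to scan. Offering only NT LM 0.12 is deliberate: if the request also listed "SMB 2.002", a server with both protocols enabled would answer with SMB2 and the SMBv1 exposure would be hidden.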

The Bitcoin wallet named in the ransom note as the payment address held nearly $7,000 from 27 transactions at the time this article was published, pointing to another reason ransomware attacks will continue: Companies are paying out. Some are even stockpiling Bitcoin to pay for future infections.

The message of "take cybersecurity seriously" simply doesn't seem to be getting across. If two back-to-back global ransomware outbreaks—ones that use the same method of infection, no less—aren't enough to stress the importance of security, we have to wonder what is.

The three big takeaways for TechRepublic readers: 
A new ransomware outbreak is striking computers around the world, though most heavily in Ukraine. 
The attack is a clone of the GoldenEye variant of the Petya family of ransomware, which uses the same method of infection as WannaCry. 
Attackers have already received nearly $7,000 in ransom payments.
