A major cyber attack hit companies and governments in several nations on June 27. The virus attacked hard drives of computers running Microsoft Windows and announced that data had been encrypted. Users were asked to pay $300 in bitcoins to restore access.
Russia and Ukraine were the worst affected, and there were reports of disruptions in several countries in Europe and East Asia. Ukraine’s Prime Minister Volodymyr Hroysman stated that the country was hit by an ‘unprecedented’ cyberattack but assured that ‘vital systems’ were not affected.
One of the companies to be hit was Maersk, the world’s biggest shipping company.
Allan Liska, Intelligence Architect, Recorded Future, said, “This appears to be a multi-pronged attack that started with a phishing campaign targeting infrastructure in Ukraine. The payload of the phishing attack is twofold: an updated version of the Petya ransomware (older versions of Petya are well-known for their viciousness; rather than encrypt select files, Petya overwrote the master boot record on the victim machine, making it completely inoperable). There is some speculation that, like WannaCry, this attack is being spread using the EternalBlue exploit, which would explain why it is spreading so quickly (having reached targets in Spain and France in addition to Ukraine). Our threat intelligence also indicated that we are now starting to see US victims of this attack. There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking Trojan. It steals usernames and passwords as well as other personal data from the victim’s machine and sends it to a command and control host. This attack could not only make the victim’s machine inoperable, it could also steal valuable information.”
A spokesman for Microsoft said that the virus could spread through a flaw for which a patch was released in March this year. “We are continuing to investigate and will take appropriate action to protect customers,” the spokesperson added.
Phil Beckett, MD for Alvarez and Marsal’s Disputes and Investigations team, said, “The worrying thing is, this attack seems to be following the pattern and attack of the malware WannaCry, which wreaked devastation just a few weeks ago. For those who have been hacked, don’t sit back and wait for it to end, action can be taken. First, disconnect infected devices and shared drives from the network, as some ransomware looks to spread through connected drives. Next, find out what caused the incident in the first place and then initiate your Incident Response Plan. Whilst it may seem counterintuitive to be transparent during a crisis, let everyone in the business know immediately what has transpired, how it happened and what actions they should take. Knowledge is key in counteracting the spread of infection. Presuming you have backups available, the next step is to wipe the infected devices and load back-ups onto them, but if you do not have back-ups or a method of decrypting, seek expert and legal advice. Payment should never be the first reaction as data can be recovered.”
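The first-response steps Beckett describes (disconnect the infected device and its shared drives, then hand over to the incident response plan) can be scripted so they are done the same way every time. The following is an added example, not code from the article or from Alvarez and Marsal: a containment script for a single Windows host. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for the NetAdapter and SmbShare modules), administrator rights, and a log location under `C:\IR`, which is a placeholder to replace with wherever your IR plan keeps evidence.

```powershell
# Added example (not from the article or its quoted experts): first-response containment
# of a Windows host suspected of ransomware infection. Order matters: capture volatile
# network state first, then drop shared drives, then cut the network. The host stays
# powered on, matching the advice above to disconnect rather than switch off.
param(
    [string]$LogPath = "C:\IR\containment-$(Get-Date -Format 'yyyyMMdd-HHmmss').log"  # assumed path
)

function Write-IrLog {
    param([string]$Message)
    # Timestamped, host-tagged line so the IR team can rebuild a timeline later.
    $line = "{0:u}  {1}  {2}" -f (Get-Date), $env:COMPUTERNAME, $Message
    $line | Tee-Object -FilePath $LogPath -Append
}

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Write-IrLog "Containment started by $env:USERNAME"

# 1. Record established connections BEFORE disconnecting; this is the only record of
#    which remote hosts the machine was talking to at the moment of containment.
Write-IrLog "Established TCP connections at time of containment:"
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize | Out-String -Stream |
    Where-Object { $_.Trim() } | ForEach-Object { Write-IrLog $_ }

# 2. Remove mapped network drives so the malware cannot keep writing to shares it has
#    already reached (the "spread through connected drives" case in the quote above).
Get-SmbMapping | ForEach-Object {
    Write-IrLog "Removing SMB mapping $($_.LocalPath) -> $($_.RemotePath)"
    Remove-SmbMapping -LocalPath $_.LocalPath -Force
}

# 3. Disable every adapter that is currently up, which isolates the host from the network.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Write-IrLog "Disabling adapter $($_.Name) ($($_.InterfaceDescription))"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

Write-IrLog "Host isolated. Next per IR plan: establish the initial cause, notify staff, then wipe and restore from backup."
```

Run it locally on the suspect machine (it cannot be run remotely once step 3 completes) and keep the log file with the rest of the incident evidence; the connection snapshot in step 1 is what the later "find out what caused the incident" step will start from.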
This is the second major cyber attack in the last two months. Following a major cyber attack in May, governments and security firms had advised businesses and consumers to make sure that all their computers are updated with the latest Microsoft patches.
Beckett says, “These attacks emphasise how vital it is to be on the front foot and put digital security at the core of business strategy. Everyone checks the locks and takes out insurance to protect against theft; data should be no different.”
But cyber experts say companies are either not taking such attacks and advance warnings seriously or not investing in cyber security measures. They have reiterated that every precaution must be taken and systems must be updated with the latest security patches.
Mark Noctor, VP EMEA at Arxan Technologies, says, “The huge cyber attack unfolding in Ukraine and across the world demonstrates how important it is to protect all potential entry points against attack.
Some threat intelligence reports indicate that the banking trojan Loki Bot, which can infect native Android OS libraries, was used in the attack, demonstrating that everything from external firewalls to mobile apps and endpoints themselves are vulnerable to exploitation by high level attackers. Organisations making use of mobile apps, particularly in high risk areas such as banking and finance, must ensure they deploy advanced security measures, such as code hardening and debugger detection, to minimise the threat of apps being used to target core infrastructure.”
Beckett says, “For those firms who have not been hit, but want to prepare, the first step is to create back-ups of all critical assets, including the operating system, applications and data stores. These should not be stored in an unsecured environment – these files need to be air-gapped from the outside world and encrypted. Following this, simulations can help test the business’ digital framework and identify any weak spots. The basics shouldn’t be ignored and can often be key; for example: ensuring OS and applications are up-to-date and patched, endpoint protection is utilised and updated, and you know what to do if the worst happens!”
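The basics Beckett lists for firms that have not yet been hit (patched OS, endpoint protection that is on and updated, backups that actually exist) are easy to check automatically. The following is an added example, not code from the article or from Alvarez and Marsal: a readiness audit for one Windows host. It assumes Windows 10 / Server 2016 or later with Microsoft Defender (for `Get-MpComputerStatus`); the age thresholds and the backup roots are assumptions to adjust to your own policy, and a truly air-gapped copy is by definition not reachable from this script, so the paths stand for the online staging copy or for offline media attached for the check.

```powershell
# Added example (not the article's or Alvarez & Marsal's): audit of patch recency,
# endpoint protection state and backup freshness on a Windows host. Exit code 1 if any
# check fails, so it can run from a scheduler and raise an alert.
param(
    [int]$MaxPatchAgeDays = 30,        # assumed policy threshold
    [int]$MaxSignatureAgeDays = 3,     # assumed policy threshold
    [string[]]$BackupRoots = @('\\backup-server\vault', 'E:\offline-backups')  # assumed paths
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Patch recency: the newest installed update must be younger than the threshold.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $findings.Add("FAIL  Get-HotFix reports no installed updates")
} elseif ((New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days -gt $MaxPatchAgeDays) {
    $findings.Add("FAIL  last update $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days")
} else {
    $findings.Add("OK    last update $($lastPatch.HotFixID) on $($lastPatch.InstalledOn.ToShortDateString())")
}

# 2. Endpoint protection: real-time protection on and signatures current.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("FAIL  real-time protection is disabled") }
    $sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    if ($sigAge -gt $MaxSignatureAgeDays) { $findings.Add("FAIL  AV signatures are $sigAge days old") }
    else { $findings.Add("OK    AV signatures updated $sigAge day(s) ago") }
} catch {
    $findings.Add("WARN  could not query Microsoft Defender status: $($_.Exception.Message)")
}

# 3. Backups: each configured root must be reachable and contain at least one file;
#    the newest file's timestamp tells you how much data a restore would lose.
foreach ($root in $BackupRoots) {
    if (-not (Test-Path $root)) { $findings.Add("FAIL  backup root $root is not reachable"); continue }
    $newest = Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { $findings.Add("FAIL  backup root $root contains no files") }
    else { $findings.Add("OK    newest file in $root written $($newest.LastWriteTime)") }
}

$findings | ForEach-Object { Write-Output $_ }
if ($findings.Where({ $_ -like 'FAIL*' }).Count -gt 0) { exit 1 } else { exit 0 }
```

The backup check deliberately reports the newest file's write time rather than a pass/fail alone: a backup root that is reachable but last written months ago is the situation in which, in Beckett's words, you would be left seeking expert and legal advice instead of restoring.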