The recent attack by Petya ransomware is another warning to organizations about the possible catastrophe of vulnerabilities. Petya Ransomware is spreading fast with Ukraine being the worst hit country in last 24 hours. It uses the same exploit, which WannaCry had used to propagate itself and has created havoc in the recent past. Microsoft patches for Ransomware attacks have been a critical remedy way back in March 2017, but many organizations missed updating their OS and network.
The Exploits and Infection Routines
Eternal Blue was the exploit which was used by WannaCry and uses the SMB protocol vulnerability to propagate throughout the network. However, Petya Ransomware not just encrypts the files but after encrypting them, tries to encrypt the MBR too. Effectively rendering the infected systems un-bootable. According to the findings, Petya was pushed through an update for MeDoc financial software used mostly by organizations in Ukraine.
Its highly unusual for a Ransomware to initiate an infection chain by piggy-backing on a third-party software, rather than initiating its infection via the spam/phishing mails. Throughout the history of Ransomware, we have observed spam mails being the favorite medium for transportation. It is observed that the Petya is more of a targeted attack rather than a ransomware attack.”
The Impact
In India, “The (shipping) ministry has confirmed that one terminal at JNPT has been affected due to the attack at Maersk’s Hague office,” an official said.
Due to this attack, the operations at JNPT’s GTI (Gateway Terminals India) have come to a standstill. However, this seems to be an isolated incident within India and the impact on India seems to be very limited. Last month’s WannaCry’s attack had forced numerous organizations to implement the patches released by Microsoft. Although there might exist some organizations that are still lagging behind.
There have been reports of two more organizations having their presence in India viz. Beiersdorf AG and Reckitt Benckiser were affected by the Ransomware attack.
Monetization
Until now the Bitcoin address which is being used by Petya Ransomware has received 45 transactions worth 3.99009155 BTC equivalents to 10213.12 USD. However, the email-id which is being used to communicate with the criminals has been suspended by the German eMail Service Provider. Hence rendering all the efforts of getting the decryption key futile. Due to this, victims should detest from making any payments to the criminals.
Microsoft Patches for Petya Ransomware – Stay Safe
To stay safe from such attacks, all the organizations and users need to ensure that, the patches released by Microsoft have been updated or patched as per our previous blog-post.
Microsoft releases patches for exploits used by NSA’s hacking tools