It’s déjà vu all over again as the aggressive Petrwrap global ransomware outbreak causes new headaches in Australia and abroad – and the global security community again excoriates businesses for poor patching and remediation strategies that make them sitting ducks for ransomware perpetrators.
The emergence overnight of a new ransomware strain that exploits the same SMB flaw (MS17-010, via the leaked EternalBlue exploit) as May’s WannaCry outbreak – but is more carefully written, with none of the kill-switch behaviour that let WannaCry be disabled so quickly – has already chalked up a tier-one list of victims.
Ukrainian and Russian targets have been particularly hard hit, with strong indications that the outbreak started from a poisoned update for the MeDoc accounting software widely used by Ukrainian businesses. As it spread, it amassed a growing list of victims including Merck, TNT Express, AP Moller-Maersk, WPP, and the Australian operations of DLA Piper and chocolate manufacturer Cadbury.
“Ransomware attack comes to Tasmania. This is what Cadbury's Hobart computers look like since 9:30pm #ransomware pic.twitter.com/tZIC16oQNH” — Leon Compton (@LeonCompton) June 27, 2017
Affected Australian businesses were warning employees not to turn on their computers in the morning in hopes of containing the code. It belongs to the Petya family: where it gains administrator rights it overwrites the master boot record and, on reboot, encrypts the disk’s file table so the whole drive becomes inaccessible; where it cannot, it falls back to encrypting the individual files it can reach.
The “dangerous” combination of the EternalBlue exploit and the use of PsExec for spreading within the network “may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched,” ESET senior research fellow Nick FitzGerald said in a statement.
“It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.”
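The two propagation paths FitzGerald describes (the MS17-010 SMB flaw that EternalBlue exploits, and a PsExec-style push that needs remote administrative rights on the target) can be checked per host. The script below is an added example, not code from the article or from any vendor it quotes. It assumes an elevated PowerShell session on the host being checked; the KB numbers are the March 2017 MS17-010 security updates, and the srv.sys version is reported for manual confirmation because later cumulative updates supersede those KBs and will not appear under the original numbers.

```powershell
# Added example (not from the article): per-host exposure check for the two
# propagation paths discussed above. Run from an elevated PowerShell session.

# March 2017 security updates that fixed MS17-010, by product. Later cumulative
# updates supersede these, so on Windows 10 / Server 2016 a "not found" result
# must be confirmed against the srv.sys version before calling the host exposed.
$Ms17010Kbs = @(
    'KB4012598',                           # XP, Vista, Server 2003 / 2008
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607, Server 2016
)

function Test-Ms17010Installed {
    # True if any of the original MS17-010 updates is listed by Get-HotFix.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    return [bool]$hit
}

function Get-Smb1State {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: the LanmanServer 'SMB1' value; an absent value means SMBv1 is enabled.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

function Test-RemoteLocalAdminAllowed {
    # LocalAccountTokenFilterPolicy = 1 lets a *local* administrator account perform
    # remote administration (service creation over ADMIN$, which is how PsExec works)
    # with its full token. The default of 0 gives such remote logons a filtered token,
    # which blocks that path for local accounts. Domain accounts are unaffected by this key.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                          -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.LocalAccountTokenFilterPolicy -eq 1)
}

$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    Ms17010KbFound          = Test-Ms17010Installed
    SrvSysVersion           = if ($srv) { $srv.VersionInfo.FileVersion } else { 'n/a' }
    Smb1Enabled             = Get-Smb1State
    RemoteLocalAdminAllowed = Test-RemoteLocalAdminAllowed
} | Format-List
```

A host with Smb1Enabled set to True and no MS17-010 update is the “one unpatched computer” in the quote above; RemoteLocalAdminAllowed set to True on a fleet that shares a local administrator password is what turns a single foothold into a PsExec-driven spread. The script reports and does not remediate: disabling SMBv1 and applying the vendor update are the fixes, and both should go through normal change control rather than a one-off script.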
IBM’s X-Force Command Center was “activated and working across the security community to determine the true cause and identify recommended actions,” the company said in a statement that noted the firm’s security specialists had identified “at least three samples we believe are updated Petya variants” (IBM is tracking its ongoing findings through the X-Force Exchange Collection).
The situation became more complicated after the email provider hosting the contact address in the ransom note – the address victims were told to use to send proof of their Bitcoin payment – reportedly shut down the account, leaving victims with no channel through which to obtain a decryption key even if they paid. This will leave many victims with encrypted files and no way to recover beyond their own backups.
It’s one thing to be hit by a zero-day attack that targets previously unknown vulnerabilities, but – particularly given the post-WannaCry warnings that the worst was yet to come – businesses have run out of excuses for being hit by well-known exploits that have known and widely-available resolutions.
“If we do not invest in the cybersecurity of our critical infrastructure we will continue to see massive attacks with economic, employee and public safety ramifications,” Matt Moynahan, CEO of Forcepoint, said in a statement. Forcepoint is one of several security firms pointing out that its tools have been detecting and blocking Petya and other new ransomware, and its Forcepoint Security Labs team has continued to publish its findings about the code.
“From the government to the boardroom, leaders need to make cyber resiliency a requirement, putting focus and funding behind it. If we do not treat cyber-crime more seriously, attacks like WannaCry and Petya will start to feel even more commonplace than they already do.”
Yet this advice – from Gartner and others – is looking much the same as vendors continue to emphasise basic security practices such as those in the Australian Signals Directorate’s Essential Eight, whose controls for patching operating systems and restricting administrative privileges map directly onto the two mechanisms this outbreak uses to spread.
Despite a wealth of guidance about how to avoid a repeat of WannaCry, however, many businesses are struggling to heed advice about regular patching and ransomware management. Many develop incident response plans that lie unused and untested, while most ignore advice such as mobilising dedicated teams of patching specialists to deal quickly with new outbreaks.
The ease with which systems are continuing to be compromised is driving many vendors to explore new ways of defending systems against the obviously anomalous behaviour of ransomware attacks. One German project has been exploring ways of blocking exploits without patching, while McAfee has been pushing a vision of ‘virtual patching’ that it says can help avoid the massive amount of time and money necessary to keep on top of threats such as EternalBlue.