New ransomware attack ‘Nyetya’

Interview with Scott Manson, Cyber Security Leader for Middle East and Turkey, Cisco

Kuwait Times - TECHNOLOGY

Cisco’s security research organization Talos’ initial analysis of the global ransomware worm attack that has affected multiple organizations worldwide points to the attack starting in the Ukraine, possibly from software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc itself. MeDoc is widely used tax software, used by many organizations in or doing business with Ukraine. There have been other reports of this attack appearing in France, Denmark, Spain, the UK, Russia and the US.

Once this ransomware enters your system, it uses three ways to spread automatically around a network, one of which is the known EternalBlue vulnerability, similar to how last month’s WannaCry attack unfolded. What’s clear from this and recent attacks is that organizations must prioritize patching systems to lower their risk profile. We have to patch as quickly as we can. In addition, making backups of key data is a fundamental of any security program.

Q: What can you tell us about the attack?

A: Today we saw our second ever ransomware worm, coming on the heels of WannaCry last month. This ransomware outbreak has affected multiple organizations in several countries today; Cisco’s security research organisation Talos is actively investigating this new malware variant. This new ransomware variant encrypts the master boot record (MBR) of a system. Think of the MBR as the table of contents for your hard drive - clearly very important.

Talos’ initial analysis points to the attack starting in the Ukraine, possibly from software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc itself. MeDoc is widely used tax software, used by many organisations in or doing business with Ukraine. There have been other reports of this attack appearing in France, Denmark, Spain, the UK, Russia and the US. Once this ransomware enters your system, it uses three ways to spread automatically around a network, one of which is the known EternalBlue vulnerability, similar to how last month’s WannaCry attack unfolded.

Q: What is ransomware?

A: A type of malware that locks down your computer/system, takes control of/encrypts your data and demands a ransom.

Q: What is bitcoin?

A: A cryptocurrency used online. Bitcoin is not controlled by any one government or state because it allows anonymity and is ideal for attackers.

Q: Do we know which organizations were impacted?

A: Reported victims so far include Ukrainian infrastructure like power companies, airports, public transit, and the central bank, as well as Danish shipping company Maersk, pharmaceutical company Merck, the Russian oil giant Rosneft, and institutions in India, Spain, France, the United Kingdom, and beyond.

Q: How did this attack start?

A: Cisco’s security research organization Talos’ initial analysis points to the attack starting in the Ukraine, possibly from software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc itself. MeDoc is widely used tax software, used by many organizations in or doing business with Ukraine.

Q: How is it spreading?

A: Once this ransomware enters your system, it uses three ways to spread automatically around a network, one of which is the known EternalBlue vulnerability, similar to how last month’s WannaCry attack unfolded.

Q: How is this different to WannaCry? Is there a ‘killswitch’ for this attack?

A: This ransomware doesn’t seem to incorporate the errors that hindered WannaCry from spreading. Specifically, this attack doesn’t seem to have a kill switch function. It is also harder to detect since it moves within a network. It is not scanning the internet like WannaCry did.

Q: Who is responsible for this attack?

A: Attribution is difficult in attacks like this. Cisco is focused on understanding the attack and protecting our customers.

Q: What is Cisco’s recommendation for customers to protect against this?

A: Ensure your organization is running an actively supported operating system that receives security updates. Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner. Run antimalware software on your system and ensure you regularly receive malware signature updates. Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibility that a user may be able to restore their files without paying the ransom. If vulnerabilities aren’t patched, an organisation will continue to be at risk for infection by this ransomware.

Scott Manson
