Khaleej Times

You don’t WannaCry again, do you?

- Rohma Sadaqat

Dubai — Security experts are cautioning businesses to update their software and back up all the necessary files in the wake of another ransomware attack that has affected companies across the globe.

The latest ransomware attack called ‘Petya’ first appeared this morning and has been spreading around the world, mainly infecting businesses and government agencies and departments in Ukraine and Russia, but there have been increasing reports of businesses in other countries also being compromised, with reports filtering in from the US, UK, Germany, Switzerland, and Holland.

“The only reliable defence against the recent Petya Ransomware attacks, is backup,” says Nigel Tozer, solutions marketing director at Commvault. “Clearly the malicious forces behind this and other recent attacks, continue to be one step ahead of threat detection software, so if your systems and data is held to ransom the only true means of recovery is to be able to revert back to data from the last backup before the infection.”

“When files are encrypted and corrupted by a ransomware attack, cloud sync and share tools aren’t something you can rely on either, because the sync facility means cloud files are as infected as their originals. The other issue is that these cloud services, especially free or those targeted at consumers, typically don’t cover all of your data and may not always have retention policies that pre-date the attack.”

The best option, he says, to insure against data-mincing malware, is an in-house centrally managed backup solution. “Whilst reverting to the backup prior to the infection might mean losing a limited amount of data, it is nominal compared to the impact of losing all your data permanently.”

The malware itself appears to be a straightforward ransomware program. Once infected, the virus encrypts each computer to a private key, rendering it unusable until the system is decrypted. The program then instructs the user to pay the $300 ransom to a static Bitcoin address, then email the bitcoin wallet and personal ID to the email address, which is now blocked.

Steven Malone, director of security product management at Mimecast, noted that e-mail has traditionally been the primary attack route for ransomware. Attackers often send Microsoft Office documents and PDFs with malicious macros that download and install malware. Clever social engineering will trick employees into enabling the macros and delivering the ransomware payload.

“Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks and as this attack highlights, there are many ways for an infection to enter an organisation. It’s vital you regularly backup critical data and ensure that ransomware cannot spread to backup files. Ransomware can take time to encrypt large volumes of files, particularly across a network share. It is imperative to ensure your back-up window is long enough to go back before any infection begins,” he said.

Becky Pinkard, vice-president of service delivery and intelligence operations at Digital Shadows, is warning businesses impacted by the attack not to pay the $300 bitcoin fee as Posteo administrators have disconnected the email address associated with paying the ransomware to get unlock keys for impacted systems.

“It means that if anyone paying the ransom to unencrypt their files tries to do so, the criminals who distributed the attack are unable to access the bitcoin account the ransom goes to; so they will not be able to release the keys for the encrypted files – even if they ever intended to do so,” she said.

Backup and recovery measures only work after an attack, and cost organisations in downtime and IT resources dealing with the attack and aftermath, he added. “You must be able to continue to operate during the infection period and recover quickly once the infection has been removed.”

— rohma@khaleejtimes.com

Frankfurt/Moscow — A major cyber attack, believed to have first struck Ukraine, caused havoc around the world on Wednesday, crippling computers or halting operations at port operator Maersk, a Cadbury chocolate plant in Australia and the property arm of French bank BNP Paribas.

Russia’s biggest oil company, Ukrainian banks and multinational firms were among those hit on Tuesday by the cyber extortion campaign, which has underscored growing concerns that businesses have failed to secure their networks from increasingly aggressive hackers.

The rapidly spreading computer worm appeared to be a variant of an existing ransomware family known as Petya which also has borrowed key features from last month’s ransomware attack, named “WannaCry”.

ESET, an anti-virus vendor based in Bratislava, said 80 percent of all infections from the new attack detected among its global customer base were in Ukraine, with Italy second hardest hit at around 10 percent. Several of the international firms hit had operations in Ukraine.

Shipping giant A.P. Moller-Maersk, which handles one in seven containers shipped worldwide and has a logistics unit in Ukraine, is not able to process new orders after being hit by the attack on Tuesday, it told Reuters.

“Right now, at this hour, we’re not able to take new orders,” Maersk Line Chief Commercial Officer Vincent Clerc said in a telephone interview on Wednesday.

Maersk’s APM Terminals unit, which operates 76 port and terminal facilities in 59 countries around the globe, is impacted at a number of sites, including the Port of New York and New Jersey, the largest port on the US East Coast, and Rotterdam in The Netherlands, Europe’s largest harbour.

A terminal operated by Maersk at the Jawaharlal Nehru Port Trust, a facility near Mumbai which is India’s biggest container port, was unable to load or unload because of the attack. With the Gateway Terminal India facility unable to identify which shipment belongs to whom, the port is clearing cargo manually, Chairman Anil Diggikar said in a phone interview. In a securities filing, Gujarat Pipavav Port, located about 175 miles northwest of JNPT, said it is also working to “limit the impact” at its site. Pipavav, which is also operated by APM Terminals, did not provide detail on the extent of the impact at its site, but a spokeswoman for APM said the port was “partially impacted”.

Maersk’s energy units, which include North Sea producer Maersk Oil, aren’t operationally affected.

Swiss container line MSC (Mediterranean Shipping Company) is working with vessel-sharing partner Maersk to find ways to share data after a cyber attack on the Danish company, MSC said. MSC said it was prepared to divert ships away from affected Maersk terminals.

“We are working together to find other means to transmit data between the two companies. This includes ... customs information,” MSC said in a statement, adding that it had not experienced any cyber attack on its own operations.

BNP Paribas Real Estate, which provides property and investment management services, confirmed it had been hit but declined to specify how widely it had affected its business.

It employed 3,472 staff at end of last year, with operations in 16 countries, and had €24 billion ($27.26 billion) in assets under management.

“The international cyber attack hit our non-bank subsidiary, Real Estate. The necessary measures have been taken to rapidly contain the attack,” the bank told Reuters on Wednesday, after a person familiar with the matter had said that some staff computers were blocked on Tuesday due to the incident.

WPP, the world’s biggest advertising agency, said it was still working with its IT partners to restore services hit by Petya.

“We are working with our IT partners and law enforcement agencies to take all appropriate precautionary measures, restore services where they have been disrupted, and keep the impact on clients, partners and our people to a minimum,” the company said in a statement.

“Our operations have not been uniformly affected, and issues are being addressed on a company-by-company basis. Many of our businesses are experiencing no or minimal disruption.” — Reuters, Bloomberg

Do everything necessary to avoid getting locked out. — Getty Images

The website homepage of British advertising giant WPP is pictured on a computer laptop screen in London. Several multinational companies were targeted in an international cyberattack which started in Russia and Ukraine before spreading to western... — AFP
