Wednesday, June 28, 2017

Petya more vicious than WannaCry, but Singapore impact still uncertain


The latest Petya ransomware has been described as more vicious than its predecessor, but its impact in Singapore remains largely uncertain for now, as there have been no reports of major disruptions.

Singapore Computer Emergency Response Team (SingCERT) issued an advisory Wednesday warning local businesses and users that Petya, though inspired by WannaCry, was "more dangerous and intrusive".

"Its behaviour is to encrypt the Master File Tree (MFT) tables for NTFS partitions and overrides the Master Boot Record (MBR) with a custom boot-loader to display a ransom note and prevents victims from booting up," SingCERT said.

In a nutshell, Petya not only encrypts targeted files; it also locks up the entire hard drive, using some of the most advanced cryptographic algorithms and taking control of the master boot record (MBR) so that the computer can no longer load the OS.

SingCERT added that the ransomware included a Server Message Block (SMB) exploit and spread via email as attachments masquerading as Microsoft Office documents, which, when opened, would run the Petya installer and launch the SMB worm.

It said various versions of Microsoft Windows were thought to be vulnerable, including Windows 10, Windows 8.1, and Windows Server 2016.
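As an added example (not part of the SingCERT advisory or the article), the following PowerShell script audits a Windows host for the SMBv1 protocol and, if asked, turns it off. It assumes that the SMB exploit the advisory refers to targets SMBv1, as WannaCry's did; the article itself does not name the SMB version, so that is an assumption. The `-Remediate` switch is the script's own parameter, not a Windows setting.

```powershell
# Added example, not from SingCERT or the article. Assumption: the SMB
# exploit mentioned in the advisory abuses SMBv1 (as WannaCry's did).
# Run in an elevated PowerShell session on Windows 8.1 / 10 / Server 2016.

param(
    [switch]$Remediate   # without this switch the script only reports
)

# Server side: is the SMBv1 protocol currently enabled on this host?
$smbServer = Get-SmbServerConfiguration
Write-Host ("SMBv1 server protocol enabled : {0}" -f $smbServer.EnableSMB1Protocol)

# Is the SMB1 optional component installed at all?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    Write-Host ("SMB1Protocol optional feature  : {0}" -f $feature.State)
}

# Is anything listening on TCP/445? Expected on a file server; an unexpected
# listener on a workstation is worth a second look.
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("TCP/445 listeners              : {0}" -f (@($listeners).Count))

if ($Remediate) {
    # Turn off the SMBv1 server protocol; this setting needs no reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the SMB1 component entirely; takes effect after a reboot.
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Host 'SMBv1 disabled; reboot to complete removal of the optional feature.'
}
```

Run it without arguments first to see the current state, then with `-Remediate` on hosts that do not need SMBv1. On Windows Server editions the component is managed as the `FS-SMB1` feature (`Remove-WindowsFeature FS-SMB1`) rather than through `Get-WindowsOptionalFeature`. Disabling SMBv1 narrows the worm's reach but does not address the email attachment vector or the credential reuse the article describes, so it belongs alongside patching and backups rather than in place of them.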

SingCERT's advisory echoed that of data protection and cybersecurity vendors, including Acronis, which said banks, MNCs, and critical infrastructure owners in Singapore would be primary targets of the ransomware. When asked, however, it said it was unaware of any local organisation that had been affected by Petya.

Eugene Aseev, Acronis' head of research and development in Singapore, explained: "The Petya ransomware is more dangerous than WannaCry primarily because it infects patched-up systems, whereas WannaCry targeted un-patched systems.

"Petya also impacts the MBR, which means the computer is compromised even before Windows can be loaded. It also attempts to steal the user's credentials from the infected machines and uses these credentials to further infect other machines that share similar credentials," Aseev said.

He said companies affected by the ransomware would be able to restore their systems if they had an image-level backup, but would need to reinstall their OSes if they only had file-level backup to retrieve their files.

And because they would lose their configuration and software settings, their recovery time would be longer.

Sanjay Aurora, Darktrace's Asia-Pacific managing director, said the attack had caught many organisations worldwide off-guard, despite the "enormous wakeup call" WannaCry triggered. He said traditional security defences that focused on known attacks were no longer effective, and championed the need for artificial intelligence (AI) tools to identify cyberattacks. Aurora said this would buy security teams time to respond to ongoing attacks.

According to Ryan Flores, Trend Micro's Asia-Pacific senior manager of forward-looking threat research, some US$7,500 had been paid into the Bitcoin address used by the attackers.

Flores urged those affected not to fork out the ransom, adding that several organisations in Europe and Asia had been affected by the ransomware.

Production at Cadbury's famous chocolate factory in Tasmania, Australia, was forced to a stop late Tuesday after the company was hit by Petya. The site was owned by Spanish food operator Mondelez and produced some 50,000 tonnes of chocolate annually.

Global organisations reportedly affected by the ransomware included the National Bank of Ukraine, British advertising agency WPP, Danish transport company Maersk, and US pharmaceutical company Merck.

from Latest Topic for ZDNet in... http://ift.tt/2sPCP12
