A new global ransomware outbreak, which picked up the name Petya or NotPetya, hit companies across the world in June and the consequences of the attack are still surfacing.
Reckitt Benckiser, the company which develops household items such as Nurofen and Dettol, has said that the cyber attack could lead to a permanent loss of revenue.
The attack disrupted its manufacturing and ordering systems; although the company said the disruption was “largely contained”, it is likely to leave like-for-like revenue growth in the second quarter down two percent.
In a statement, the company said:
Some of our factories are currently still not operating normally but plans are in place to return to full operation. The continued production difficulties in some factories mean that we also expect to lose some further revenue permanently.
Reckitt Benckiser’s shares were down more than two percent in initial trading on Thursday.
What was the Petya attack?
The attack that took place last week was similar to the WannaCry outbreak in May: computer systems around the world were locked down by the ransomware, with on-screen messages demanding $300 worth of bitcoin.
Over 300,000 computers were infected by the WannaCry malware, which also took down 46 NHS England Trusts.
According to a picture of the ransom note posted on Twitter, the message says:
If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.
Travis Farral, director of security strategy at Anomali, said:
This is a global attack. Just like WannaCry, organisations are locked out of their networks and a fee demanded to decrypt files, and could also be leveraging the same EternalBlue vulnerability, which attacks SMB file-sharing services.
Matthias Ollig, chief technology officer at German security company Avira, said:
We were surprised to see that after the WannaCry debacle, there are still so many machines without the latest Windows security updates connected to the internet – especially in critical environments.
Here is where the Petya malware hit last week
1. DLA Piper: The global law firm has seen the hackers hit its offices in Madrid and Washington DC.
2. Evraz: The Russian steelmaker is one of a handful of Russian companies that have been affected.
3. Maersk: The global shipping company confirmed on Twitter that its IT systems had been taken down by a cyber attack.
4. Rosneft: Russia’s main oil producer has said its servers have been hit in the attack but its oil production is unaffected.
5. WPP: The London-based advertising giant also tweeted that its IT systems in several of its companies were affected.
Louis Rynsard, director of reputation and strategy at the corporate comms agency SBC London, said that 20p had been wiped off WPP’s share price after the attack.
After the initial cyber attack and loss of data, or control of systems, comes the loss of reputation. The long-lasting impact of a cyber attack cannot be overstated. You cannot avoid an attack, but you can and must have a plan in place for when the worst happens.
6. The Chernobyl nuclear power plant: According to reports in local media some computers at the power plant — which is currently under decommissioning after the explosion at reactor number four in 1986 — were infected by the virus.
7. Merck & Co: The pharmaceutical company confirmed on Twitter that its network had been affected and that it was investigating the hack.
8. Saint Gobain: A French construction materials company said it was a victim of the attack and it was working to isolate its computer systems to protect data.
9. TNT Express: Another shipping company, this one based in the Netherlands. It said it had experienced interference with some of its systems following the global attack.
10. Deutsche Post: The German postal and logistics company said systems in its Ukraine division had been affected by the attack.
After making its way through Europe yesterday, Petya turned its focus on the US, South America, and Asia. A terminal operated by Maersk at the Jawaharlal Nehru Port Trust, India’s biggest container port, was brought to a standstill because of the attack. It has started to reach China, but there have been no reports of a large-scale outbreak there so far.
As well as companies, it appears that the malware has infected the Ukrainian government and Kiev’s airport.
The UK parliament was hit by a separate cyber attack this weekend, which is thought to have been a state-sponsored attack.
What is the malware?
Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard that it is a ransomware strain known as Petya or Petrwrap.
This is similar to WannaCry as it encrypts the files on a user’s system and says it will return access in exchange for bitcoin.
Both strains also make use of the EternalBlue exploit, generally believed to have been developed by the US National Security Agency (NSA).
Farral explained the EternalBlue exploit to Verdict, saying:
It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack. It exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. Microsoft has released patches in a security bulletin it issued 14th March 2017, MS17-010, which detailed the flaw and announced a patch for all Windows versions that were currently supported at that time. But many organisations have not implemented this, leaving them vulnerable.
The Microsoft patch was released prior to the WannaCry attack at the end of May. Companies that still had not applied the patch after that attack remain vulnerable and could be hit by Petya.
According to Ollig, computers impacted by Petya were primarily older Windows systems, such as Windows 7 and 8.
What sets malware like WannaCry and Petya apart is that it is not a phishing attack, in which a user has to open an email before the computer becomes infected.
Petya uses a network exploit: the end user does not need to open or click anything, and the machine is infected without any user interaction.
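The exposure described above comes down to two host-level questions a defender can answer directly: is the SMBv1 dialect that EternalBlue targets still offered, and has the MS17-010 update for this build been installed? The following PowerShell is an added example for this page, not code from the article or from any company it quotes. The cmdlets and the LanmanServer registry value are Microsoft's own; the function names are this example's own, and the MS17-010 KB number for a given build must be taken from Microsoft's bulletin rather than from this script.

```powershell
# Added example, not part of the article: report whether a Windows host still exposes
# the SMBv1 server protocol that MS17-010 / EternalBlue targeted, and list installed
# hotfixes so the MS17-010 KB for this build can be checked against Microsoft's bulletin.
# Run from an elevated PowerShell session. Cmdlet names and the registry key below are
# the real Microsoft ones; the function names are this example's own.

function Get-Smb1Posture {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = (Get-CimInstance Win32_OperatingSystem).Caption
        Smb1ServerEnabled = $null     # $true means the vulnerable dialect is still offered
        Smb1FeatureState  = $null     # optional-feature state on Windows 8.1 / 2012 R2 and later
        Port445Listening  = $null
    }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting through the SMB module
        $result.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: the LanmanServer SMB1 value (0 = disabled);
        # when the value is absent, SMBv1 is enabled by default.
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $result.Smb1ServerEnabled = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat) { $result.Smb1FeatureState = $feat.State.ToString() }
    }

    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        # A host that is not listening on TCP/445 cannot be reached by an SMB worm at all.
        $result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }

    [pscustomobject]$result
}

function Get-RecentHotfixes {
    # Newest-first inventory of installed updates. Compare the HotFixID column with the
    # MS17-010 KB listed for this OS build in Microsoft's bulletin (not hard-coded here).
    param([int]$Count = 25)
    Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object -First $Count HotFixID, Description, InstalledOn
}

function Disable-Smb1Server {
    # Remediation: stop offering SMBv1 on the server side, the mitigation Microsoft paired
    # with MS17-010. Legacy devices that only speak SMBv1 lose access, so inventory them first.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

Get-Smb1Posture | Format-List
Get-RecentHotfixes | Format-Table -AutoSize
```

Run the posture check across a fleet (for example via `Invoke-Command`) before calling `Disable-Smb1Server`: a host that reports `Smb1ServerEnabled = True` and `Port445Listening = True` without the bulletin's KB installed is exactly the unpatched, internet-connected machine Ollig describes above.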
How did it spread?
It is thought that the malware might have been spread by accident by a Ukrainian tax software company, named MeDoc.
According to independent security analyst Jonathan Nichols, a vulnerability in MeDoc’s update servers could have led to the malware being distributed as an infected update.
At the moment it is not clear whether this particular vulnerability was used by the Petya attackers, but the fact that it was present means the system was readily accessible.
MeDoc’s weak spots were well known too, it appears.
The head of Ukraine’s national cyber police unit, Serhiy Demydiuk, told the Associated Press that the company’s employees had ignored warnings in the past about the security of their IT infrastructure.
They knew about it. They were told many times by various anti-virus firms … For this neglect the people in this case will face criminal responsibility.
Did the hackers make much money?
The WannaCry hackers have managed to make $122,167.90 according to Elliptic’s tracker.
If you’re interested in how much Petya is making, someone has created a Twitter bot, @petya_payments, which is tracking its bitcoin wallet (tweet dated June 28, 2017).
According to the bot, payments have reached over $9,000 in total after the first day of the attack.
Who is responsible for the hack?
Ukrainian authorities have blamed Russia for being behind the hack, although Moscow has denied any connections.
However, Nato researchers believe the malware was almost definitely an attack from a state actor and could be considered a potential act of war.
According to the alliance’s researchers, “NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state”. The reasoning is that the attack was sophisticated and fairly expensive to carry out – the $300 bitcoin demand from each computer would “probably not even cover the cost of the operation”, which is why ordinary cyber criminals were ruled out.
Last week, the alliance’s secretary-general said that a cyber operation with consequences compared to an armed attack can trigger Article 5, the mutual defence clause of the Nato treaty.
The clause states that, once Article 5 is triggered by an attack on one member, the other member states are required to join in, allowing the affected state to respond with “military means”.
This implies that Nato is starting to view acts like Petya and the previous WannaCry attack as potential acts of war.
Lauri Lindstrom, a researcher at Nato’s Cooperative Cyber Defence Centre of Excellence Strategy Branch, said:
NotPetya is a sign that after WannaCry, yet another actor has exploited a vulnerability exposed by the Shadow Brokers. Furthermore, it seems likely that the more sophisticated and expensive NotPetya campaign is a declaration of power – a demonstration of the acquired disruptive capability and readiness to use it.
Another interesting point is that Nato believes that whoever deployed the malware wasn’t concerned about the money as this part of the operation was botched.
Only one email address was provided for victims to send proof of payment to, and that address was promptly blocked, making it difficult to track who had paid and to whom the key to unlock their systems should be sent.
Nato’s security researchers said:
Most reports conclude that the ransom demand was only a ruse, and that the real aim of the operation was causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power.
What can companies learn from malware attacks like this?
After the recent WannaCry attack, the hacking of parliament this week, and the Russian hacking of the US presidential election last year, cyber attacks are becoming part of everyday life.
David Matthews, EMEA security industry director at security company Unisys, said this incident shows that no organisation is immune to attacks.
The latest ransomware attack – Petrwrap or Petya – is evidence of the vigilance necessary to safeguard our information, critical systems, and financial data. While confined to Europe, at this stage, it may be the start of a wider and more comprehensive threat vector, sparking requests to ensure that companies keep sufficient data back-up and use effective security controls as well as ensure software is patched effectively. This fast-spreading infection has highlighted the limitations of the perimeter security model: when attackers penetrate a vulnerable device they use that to move laterally within the enterprise. This recent attack proves that no organisation is immune to cyber-attacks, and further outlines the need for organisations to adopt defence-in-depth policies that allow breach detection and action to take place much quicker, protecting both sensitive data and business reputation.
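The lateral movement Matthews describes leaves a recognisable trace in network logs: one internal host opening SMB connections to many different peers in a short time, which is how a worm finds its next victims. The following PowerShell is an added example for this page, not code from the article or from Unisys. The log lines are constructed here in the field layout of the Windows Firewall log (pfirewall.log, W3C fields) and are not a real capture; one source fans out to six peers on TCP/445 in three seconds while a second host talks twice to a single file server. The function name and the threshold values are this example's own choices.

```powershell
# Added example, not part of the article: flag internal hosts that open SMB (TCP/445)
# connections to many distinct peers in a short window, the fan-out a network worm produces
# when it moves laterally. The log lines are constructed for this example in the layout of
# the Windows Firewall log (pfirewall.log, W3C fields); in practice read the real file.

$SampleLog = @'
2017-06-27 10:15:01 ALLOW TCP 10.0.1.23 10.0.1.40 49712 445 0 - 0 0 0 - - - SEND
2017-06-27 10:15:01 ALLOW TCP 10.0.1.23 10.0.1.41 49713 445 0 - 0 0 0 - - - SEND
2017-06-27 10:15:02 ALLOW TCP 10.0.1.23 10.0.1.42 49714 445 0 - 0 0 0 - - - SEND
2017-06-27 10:15:02 ALLOW TCP 10.0.1.23 10.0.1.43 49715 445 0 - 0 0 0 - - - SEND
2017-06-27 10:15:03 ALLOW TCP 10.0.1.23 10.0.1.44 49716 445 0 - 0 0 0 - - - SEND
2017-06-27 10:15:03 ALLOW TCP 10.0.1.23 10.0.1.45 49717 445 0 - 0 0 0 - - - SEND
2017-06-27 10:15:04 ALLOW TCP 10.0.1.77 10.0.1.5 50120 445 0 - 0 0 0 - - - SEND
2017-06-27 10:15:05 ALLOW TCP 10.0.1.77 10.0.1.5 50121 445 0 - 0 0 0 - - - SEND
2017-06-27 10:15:06 ALLOW TCP 10.0.1.23 10.0.1.5 49718 443 0 - 0 0 0 - - - SEND
'@

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$WindowSeconds = 60,
        [int]$Threshold = 5          # distinct TCP/445 peers per source within one window
    )

    # Keep only TCP/445 records. Field order: date time action proto src dst sport dport ...
    $events = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                          [Globalization.CultureInfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }

    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Slide a window over this source's time-ordered events and report the first window
        # in which the number of distinct destinations reaches the threshold.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end   = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $peers = @($sorted[$i..($sorted.Count - 1)] |
                       Where-Object { $_.Time -le $end } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source        = $group.Name
                    DistinctPeers = $peers.Count
                    WindowStart   = $sorted[$i].Time
                }
                break
            }
        }
    }
}

Find-SmbFanOut -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Tune `-Threshold` and `-WindowSeconds` to the environment: a backup server or vulnerability scanner legitimately touches many hosts on 445 and belongs on an allow-list, whereas a workstation doing so is the signal worth paging on. The same logic applies unchanged to a real `pfirewall.log` read with `Get-Content`, or to any flow source normalised into the same date, time, protocol, source, destination and port columns.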
The exact measures organisations can implement to mitigate risk depend on the kind of system being protected, but there are fundamental actions such as backing up data in the cloud and on an external hard drive, keeping systems updated and patching vulnerabilities, and ensuring everyone is watching where they click.
Quite simply, make sure the network is secure, and all updates are fully installed.
Updating and patching software is more than a convenience. It is an essential element of online security, as the average computer contains a wide range of applications requiring hundreds of updates and patches each year. While some updates are automatic, many require users to search for and directly download the needed updates. However, many people are annoyed by pop-ups and unsure of the proper update regime, so they do not update regularly – and this puts them and their computers at risk.
Ensuring network users regularly update their security software will go some way towards mitigating the effects of attacks such as these.