For the second time in as many months, hackers today are unleashing a massive multinational ransomware attack that has crippled a host of networks across the western hemisphere.
The attack appears to have begun sometime Monday, with the hardest-hit targets comprised of Ukranian infrastructure, including power companies, airports, banks, state-run television stations, postal facilities and large industrial manufacturers.
Also affected were foreign operations of U.S. pharmaceutical firm Merck, advertising conglomerate WPP, French building materials vendor Saint-Gobain, Danish shipping giant AP Moller-Maersk and Pittsburgh, Penn.-based Heritage Valley Health Systems.
The as-yet-unidentified hackers appear to be demanding payments of $300 (USD), and as of midday on the east coast of North America, the attack was said to still be spreading.
“The ransomware, called Petwrap, is based on an older Petya variant, originating from the GoldenEye malware in December 2016,” Phil Richards, chief information security officear for IT services firm Ivanti - formerly LANDESK - said in a statement. “The new ransomware variant also includes the SMB exploit known as EternalBlue that was created by the United States National Security Administration, and leaked by the Shadow Brokers hacker group in April 2017.”
“The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record,” he added. “The EternalBlue component enables it to proliferate through an organization that doesn’t have the correct patches or antivirus/antimalware software.
“This is a great example of two malware components coming together to generate more pernicious and resilient malware.”
Early last month, a similar ransomware campaign - also using the EternalBlue exploit purportedly stolen from the NSA’s cyber weapons toolkit - resulted in more than 200,000 attacks across 150 countries.
That attack, dubbed WannaCry, also involved demands for $300 in bitcoin digital currency.
“This is the same EternalBlue exploit that WannaCry used,” said Allan Liska, a cyber security analyst at threat intelligence software vendor Recorded Future. “It also has a secondary capability: There’s an information stealer that is bundled in this attack.”
“In addition to doing the ransomware, it’s also stealing credentials,” he went on. “If it can’t use the EternalBlue, it’s taking the stolen credentials from that box and jumping to another box in the network to try to copy the ransomware over that way.”
Liska, co-author of the November 2016 book “Ransomware: Defending Against Digital Extortion,” said the new attack reflects a series of sophisticated improvements to the malware used last time.
“Last month was just the EternalBlue,” he said. “This is the attack where all the security experts last time were saying ‘good thing they didn’t do that.’”
“This is the stuff that WannaCry left off,” Liska continued. “It’s added additional capabilities and made it much easier to spread around networks – even those that are fully patched.”
For IT managed services providers (MSPs), protecting clients still largely boils down to a thorough and consistent patching regimen, and user education.
Also, Liska recommends locking down systems to prevent the running of administrative commands from too many workstations.
“Those should be locally locked down,” he said. “As an MSP, that’s where you can help their customers architect their networks to be more secure.
“We need to start teaching system admins that if you need to run those commands, do them from your desktop and target to workstations that you’re troubleshooting.”
As with WannaCry, Liska expects this attack to diminish in scope and intensity during the coming days, with only occasional flare-ups of the malware popping up from time to time.
“That’s the problem with the worm,” he said. “We’re still seeing WannaCry running around but we’re seeing less and less of that. That’s what I think will happen here.”