UPDATED: Is this Cyber War? Ransomware Attack Hits Banks, Transport, Government in Ukraine

In-brief: Fast spreading ransomware dubbed Petya has crippled parts of Ukraine and hit companies in The Netherlands, France, Russia and Spain. It appears to be spreading using a combination of software exploit and stolen passwords.

UPDATE: A possible source for the outbreak of the Petya ransomware has been identified as a malicious update for accounting software by the firm MEDoc, a Kiev based software company whose products are used by banks in Ukraine and other countries. MEDoc posted a message on its web site Tuesday warning customers that “our servers made a virus attack.” The security firm ESET said in a blog post Tuesday that the company’s researchers identified the malicious update as “the point from which this global epidemic has all started.” Several MEDoc customers executed “a trojanized update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today which spread across the whole country and to the whole world.” PFR June 27, 2017 23:30 IDT

Tel Aviv, Israel — A fast-spreading attack involving so-called “ransomware” has crippled critical services in Ukraine and appears to be spreading to other countries, as well, including the U.S., Spain, France and The Netherlands, according to published reports and statements by officials and security experts.

Ukraine’s national bank, state power company and largest airport were affected by malicious software tentatively identified as ransomware known as “Petya” or “Petwrap” has rendered useless computers used for everything from buying subway tickets to running grocery checkout lines in the Ukraine. The infection appears to have also hit the companies outside the Ukraine as well, including The Netherlands, where Danish shipping giant Mearsk appears to have been affected, as well as Russia, Spain and France, according to published reports. Infected computers display an error message and a screen asking for payment of $300 in bitcoin. 

Companies in the United States weren’t immune to the attack either, with the New York Times reporting that pharmaceutical giant Merck and multinational law firm DLA Piper also had their networks attacked.

Ukraine appears to have been hit particularly hard. The Cabinet of Ministers in Ukraine had their computers infected with the virus, which encrypts a key Windows file that prevents the system from booting. Reports from the country depict scenes of chaos, with bank automated teller machines prevented from distributing cash, the Kiev metro unable to issue tickets and passengers stranded at Kiev’s Borispol international airport. It comes amid increased tension between that country and its neighbor, Russia. Also on Tuesday, an explosion in Kiev killed a senior Ukrainian military official.  

A Twitter message from Rozenko Pavlo, Ukraine’s Vice Prime Minister, show Ukraine government computers frozen by the malware.  We also have a network “‘down’,” he wrote. “This image is being displayed by all computers of the government.”

The outbreak began early in the day Tuesday and began spreading rapidly. A report on the website of Russian outlet Pravda lists The Central Bank of Ukraine  and energy companies Ukrenergo and Kyivenergo as affected. Problems were also reported at Mondelēz International, Oschadbank, Mars, Nova Pochta, Nivea, TESA and other companies. Russian oil giant Group IB was hit with the malware, Reuters reported. Ukraine’s National Bank posted a warning to other banks about the attack on its website on Tuesday.

The attack bears many similarities to WannaCry, a virulent piece of ransomware that affected scores of hospitals in the UK and elsewhere in May before being disabled within hours due to a flaw in the ransomware’s code. However, experts warned that the attack–which relied on an exploit dubbed “EternalBlue” that was taken from leaked cyber offensive tools created by U.S. intelligence–could have been much worse had that flaw not been discovered and halted.  The attack Tuesday appears to have confirmed those fears.

Analysis of Petya by researchers at Kaspersky Lab concluded that it is a powerful program with a “rather flawless cryptographic algorithm that is hard to break.” Petya has been around since early 2016; it is primarily delivered via phishing attack, Allan Liska, an intelligence analyst at Recorded Future told The Security Ledger. The program is “particularly nasty,” he said because it does not encrypt files. Instead, it overwrites the master book record of the infected computer, rendering it inoperable.

The malware may initially appear in a phishing email message. Once run on one computer, however, it spreads quickly to others in a worm-like fashion, most likely using the same EternalBlue vulnerability that WannaCry used last month, Recorded Future said.

However, Liska said the malware may be spreading by other means as well. Recorded Future confirmed that the malware spreading worldwide contains a password stealing component known as Loki Bot as well as the Windows Management Instrumentation Command Line tool (or WMIC), a common tool that allows administrators to issue commands to other Windows computers on a network.

“In places that it can’t use the EternalBlue exploit it is using local credentials to spread by jumping from box to box,” Liska said.

In theory, infected systems can recover from infections. Liska’s firm has been monitoring Bitcoin wallets and has seen 12 companies pay the ransom following the latest attacks. It will soon become clear whether paying the ransom allows companies to restore infected systems, he said.

“While the computer is completely inoperable because of the Petya ransomware, the attackers have full access to the usernames and passwords stolen from the computer,” he said. Liska said his firm was still gathering information on this attack, though “at first glance it appears to be very sophisticated and multi-pronged,” he said.

The attack and the associated disruption is just the latest to target Ukraine, which has seen both private and public sector organizations targeted by almost constant attacks. Hacks of the country’s electrical grid led to blackouts in December 2015 and 2016. Both attacks are believed to be the work of Russia and affiliated groups.

The attacks come at a delicate time, as Western leaders have made increasingly strong worded warnings to Russia about cyber intrusions against their country. Speaking in Tel Aviv on Monday, Tom Bossert, Homeland Security Advisor to U.S. President Donald Trump, cited the need for stronger deterrence to prevent provocations. “We have to get serious about a deterrent strategy,” he said. “The stakes are too high not to.”

Comments are closed.