The second global scale malware attack in two months — Petya — which has crippled some of the largest corporations in the world, is believed to be based on the same government surveillance tool that was at the heart of its predecessor Wannacry, which affected nearly 3,00,000 systems globally, including several in India. While Petya’s impact so far has been limited in India when compared with countries like Ukraine, Russia, and the US, experts suggest that what started with Wannacry could be used as an effective model by cyber-criminals going ahead.
“These warnings have now become a reality that businesses will have to contend with for years to come. Wannacry proved a viable business model for criminals. Ransomware that spreads like a worm through a network could hold much of an organisation’s data hostage, demanding cash delivered in the form of Bitcoin in return for relief,” security software firm F-Secure Labs said in a blog-post.
Soon after reports surfaced of large companies such as AP Moller-Maersk, Ukrainian power distributor Ukrenergo and confectionery manufacturer Mondelez, among others, being affected by Petya, the Indian Computer Emergency Response Team (CERT-In) issued an advisory asking users and organisations not to open attachments in unsolicited e-mails, “even if they come from people in your contact list”, and never to click on a URL contained in an unsolicited e-mail, “even if the link seems benign”.
According to F-Secure’s chief research officer Mikko Hypponen, 65 file extensions that Petya encrypts have been identified, with a $300 ransom being demanded. These include some very commonly used file types such as .doc, .docx, .pdf, .ppt, .pptx, .xls, .xlsx, .zip and .rar, among others. CERT-In has also suggested blocking e-mail attachments of several file types, namely: exe, pif, tmp, url, vb, vbe, scr, reg, cer, pst, cmd, com, bat, dll, dat, hlp, hta, js, and wsf.
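One way an administrator can apply CERT-In’s attachment-blocking advice at the mail gateway, shown here as an added example that is not part of the article or of CERT-In’s advisory. It assumes the organisation’s mail passes through Microsoft Exchange (on-premises or Exchange Online) and that the command is run in an Exchange management shell; the rule name and rejection text are made up for illustration.

```powershell
# Added example (not from the article): an Exchange mail-flow rule that rejects
# inbound messages carrying any of the attachment extensions CERT-In listed.
# Assumes an Exchange management shell session with rights to create transport rules.

# The extension list exactly as given in the CERT-In advisory quoted above.
$BlockedExtensions = @(
    'exe','pif','tmp','url','vb','vbe','scr','reg','cer','pst',
    'cmd','com','bat','dll','dat','hlp','hta','js','wsf'
)

# FromScope NotInOrganization limits the rule to mail arriving from outside,
# which is where unsolicited e-mail with malicious attachments originates.
# Start in Audit mode to see what would be caught, then switch to Enforce.
New-TransportRule -Name 'CERT-In blocked attachment types (hypothetical rule name)' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $BlockedExtensions `
    -RejectMessageReasonText 'Attachment type blocked by policy following the CERT-In advisory' `
    -Mode Audit

# Once the audit log shows only expected hits, enforce the rule:
# Set-TransportRule -Identity 'CERT-In blocked attachment types (hypothetical rule name)' -Mode Enforce
```

Blocking by extension is a coarse control: it stops the listed file types outright, including legitimate business use of, for example, .zip archives carrying scripts, so the audit period matters. It also does nothing for the worm-style spread inside the network that the F-Secure quote above describes, which is why the patching advice later in the article still applies.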
Cyber-security software vendor Symantec, which ranked India seventh in the list of countries with the most organisations affected by Petya, said that while the exact target of the attack was unclear, there were indications that organisations in Ukraine were the initial targets, considering that the infection software was used solely in Ukraine in the beginning.
Another cyber-security firm, Paladion Networks, has pointed out that industries such as harbour terminals, airports, electricity grids, banks, factories, mining and steel, insurance companies and pharmaceuticals, among others, were the targets of this cyber-attack. Considering the nature of these targets, CERT-In on Wednesday alerted the National Critical Information Infrastructure Protection Centre (NCIIPC) and requested that it inform its constituents so they can take appropriate measures.
Paladion Networks also said that security researchers have identified something similar to a “kill-switch”. “It mostly appeared as a vaccine as it cannot be used centrally (by registering as a domain) to stop the spread across the globe. Its utility is limited to the local system. By creating a read-only file under C:\Windows\ using the name ‘perfc’, it is possible to stop the encryption with the current version of NotPetya,” it said.
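What the “vaccine” described above looks like when applied to a single Windows host, as an added example that is not from the article or from Paladion Networks. It creates the read-only file the quote names (C:\Windows\perfc on a default installation, derived here from the SystemRoot environment variable) and then verifies that it exists and is read-only; the function names are made up for this example, and it must be run in an elevated PowerShell session because C:\Windows is not writable by standard users.

```powershell
# Added example (not from the article): create and verify the per-host "vaccine"
# file that the quoted researchers describe. Assumes an elevated PowerShell session.
# Only the file name the article gives ("perfc", no extension) is used here.
$VaccinePath = Join-Path $env:SystemRoot 'perfc'   # C:\Windows\perfc on a default install

function Test-PerfcVaccine {
    param([string]$Path = $VaccinePath)
    # True only if the file exists AND carries the ReadOnly attribute
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::ReadOnly)
}

function Install-PerfcVaccine {
    param([string]$Path = $VaccinePath)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # An empty file is enough; the article says the file's presence stops the encryption
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    # Mark it read-only (keeping any existing attributes) so it is not casually removed
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
    return Test-PerfcVaccine -Path $Path
}

if (Install-PerfcVaccine) {
    Write-Host "Vaccine file present and read-only: $VaccinePath"
} else {
    Write-Warning "Could not set up the vaccine file at $VaccinePath (run elevated?)"
}
```

Because, as the quote stresses, the effect is limited to the local system and to the version of NotPetya current at the time, the script has to be run on every host (for example via the usual configuration-management or login-script channel), and it does nothing against a later build that checks a different name. Treat it as a stop-gap next to the patching and attachment-blocking advice elsewhere in the article, not as a replacement for them.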
Even though this ransomware, as its name suggests, seeks a ransom, most software security experts, and even CERT-In, have advised individuals and organisations to refrain from paying it, as payment does not guarantee restoration of access to the encrypted files. Apart from all these steps, CERT-In recommends, as in the case of Wannacry, that all operating systems, third-party software and anti-virus software be kept up to date, as their publishers regularly release patches to plug security loopholes. “This is what Wannacry looks like in the big leagues,” said Sean Sullivan, security advisor at F-Secure. “Amateurs infected a lot of people last time. This time these guys want to cash in.”