Cyber-attack was about data and not money, say experts
https://citifmonline.com/2017/06/cyber-attack-was-about-data-and-not-money-say-experts/
Fri, 30 Jun 2017 05:03:53 +0000

The post Cyber-attack was about data and not money, say experts appeared first on Citi 97.3 FM - Relevant Radio. Always.

The Petya malware variant that hit businesses around the world may not have been an attempt to make money, suspect security experts.

The malicious program demanded a payment to unlock files it scrambled on infected machines.

However, a growing number of researchers now believe the program was launched just to destroy data.

Experts point to “aggressive” features of the malware that make it impossible to retrieve key files.

Cashing out

Matt Suiche, from security firm Comae, described the variant as a “wiper” rather than straightforward ransomware.

“The goal of a wiper is to destroy and damage,” he wrote, adding that the ransomware aspect of the program was a lure to generate media interest.

Although the Petya variant that struck this week has superficial similarities to the original virus, it differs in that it deliberately overwrites important computer files rather than just encrypting them, he said.

Mr Suiche wrote: “2016 Petya modifies the disk in a way where it can actually revert its changes, whereas, 2017 Petya does permanent and irreversible damages to the disk.”

Anton Ivanov and Orkhan Mamedov from Russian security firm Kaspersky Lab agreed that the program was built to destroy rather than generate funds.

“It appears it was designed as a wiper pretending to be ransomware,” they said.

Their analysis of the malware revealed that it had no way to generate a usable key to decrypt data.

“This is the worst case news for the victims,” they said. “Even if they pay the ransom they will not get their data back.”

A veteran computer security researcher known as The Grugq said the “poor payment pipeline” associated with the variant lent more weight to the suspicion that it was more concerned with data destruction than cashing out.

“The real Petya was a criminal enterprise for making money,” he wrote. “This is definitely not designed to make money.”

The Bitcoin account associated with the malware has now received 45 payments from victims who have paid more than $10,000 (£7,785) into the digital wallet.

The email account through which victims are supposed to report that they have paid has been closed by the German firm hosting it – closing off the only supposed avenue of communication with the malware’s creators.

Remote controls

Organisations in more than 64 countries are now known to have fallen victim to the malicious program.

The latest to come forward is voice-recognition firm Nuance. In a statement it said “portions” of its internal network had been affected by the outbreak. It said it had taken measures to contain the threat and was working with security firms to rid itself of the infection.

The initial infection vector seems to be software widely used in Ukraine to handle tax payments and about 75% of all infections caused by this Petya variant have been seen in the country.

A government spokesman for Ukraine blamed Russia for starting the attack.

“It’s difficult to imagine anyone else would want to do this,” Roman Boyarchuk, head of Ukraine’s cyber-protection centre told technology magazine Wired.

Computer security researcher Lesley Carhart said the malware hit hard because of the way it travelled once it evaded digital defences.

Ms Carhart said the malware abused remote Windows administration tools to spread quickly across internal company computer networks.

“I’m honestly a little surprised we haven’t seen worms taking advantage of these mechanisms so elegantly on a large scale until now,” she wrote.

Using these tools proved effective, she said, because few organisations police their use and, even if they did, acting quickly enough to thwart the malware would be difficult.

The success of the Petya variant would be likely to encourage others to copy it, she warned.

“Things are going to get worse and the attack landscape is going to deteriorate,” said Ms Carhart.

Source: BBC

Global ransomware attack causes turmoil
https://citifmonline.com/2017/06/global-ransomware-attack-causes-turmoil/
Wed, 28 Jun 2017 06:53:38 +0000

The post Global ransomware attack causes turmoil appeared first on Citi 97.3 FM - Relevant Radio. Always.

Companies across the globe are reporting that they have been struck by a major ransomware cyber-attack.

British advertising agency WPP is among those to say its IT systems have been disrupted as a consequence.

The virus, the source of which is not yet known, freezes the user’s computer until an untraceable ransom is paid in the digital Bitcoin currency.

Ukrainian firms, including the state power company and Kiev’s main airport, were among the first to report issues.

The Chernobyl nuclear power plant has also had to monitor radiation levels manually after its Windows-based sensors were shut down.

Interpol involvement

In a statement, the US National Security Council said government agencies were investigating the attack and that the US was “determined to hold those responsible accountable”.

The US Department of Homeland Security advised victims not to pay the ransom, saying there was no guarantee that access to files would be restored.

The Russian anti-virus firm Kaspersky Lab said its analysis showed that there had been about 2,000 attacks – most in Ukraine, Russia and Poland.

The international police organisation Interpol has said it was “closely monitoring” the situation and liaising with its member countries.

Experts suggest the malware is taking advantage of the same weaknesses used by the WannaCry attack last month.

“It initially appeared to be a variant of a piece of ransomware that emerged last year,” said computer scientist Prof Alan Woodward.

“The ransomware was called Petya and the updated version Petrwrap.

“However, now that’s not so clear.”

Kaspersky Lab reported that it believed the malware was a “new ransomware that has not been seen before” despite its resemblance to Petya.

As a result, the firm has dubbed it NotPetya. Kaspersky added that it had detected suspected attacks in Poland, Italy, Germany, France and the US in addition to the UK, Russia and Ukraine.

Andrei Barysevich, a spokesman for security firm Recorded Future, told the BBC such attacks would not stop because cyber-thieves found them too lucrative.

“A South Korean hosting firm just paid $1m to get their data back and that’s a huge incentive,” he said. “It’s the biggest incentive you could offer to a cyber-criminal.”

A bitcoin wallet associated with the outbreak has received several payments since the outbreak began. The wallet currently holds just over 3.5 bitcoins (£6,775; $8,670).

An email address associated with the blackmail attempt has been blocked by German independent email provider Posteo.

It means that the blackmailers have not been able to access the mailbox.

Problems have also affected:

  • the Ukrainian central bank, the aircraft manufacturer Antonov, and two postal services
  • Russia’s biggest oil producer, Rosneft
  • Danish shipping company Maersk, including its container shipping, oil, gas and drilling operations. A port in Mumbai is among those that have halted operations
  • a Pennsylvania hospital operator, Heritage Valley Health System, which reported its computer network was down, causing operations to be delayed – but it is not yet clear if it was subject to the same type of attack
  • Spanish food giant Mondelez – whose brands include Oreo and Toblerone – according to the country’s media. A Cadbury factory in Tasmania, Australia is affected
  • Netherlands-based shipping company TNT, which said some of its systems needed “remediation”
  • French construction materials company St Gobain
  • US pharmaceuticals-maker Merck
  • The local offices of the law firm DLA Piper – a sign in the firm’s Washington DC office said: “Please remove all laptops from docking stations and keep turned off – no exceptions.”

The attacks come two months after another global ransomware assault, known as WannaCry, which caused major problems for the UK’s National Health Service.

Veteran security expert Chris Wysopal from Veracode said the malware seemed to be spreading via some of the same Windows code loopholes exploited by WannaCry. Many firms did not patch those holes because WannaCry was tackled so quickly, he added.

Those being caught out were also industrial firms that often struggled to apply software patches quickly.

“These organisations typically have a challenge patching all of their machines because so many systems cannot have down time,” he said. “Airports also have this challenge.”

Copies of the virus have been submitted to online testing systems that check whether security software, particularly anti-virus systems, is able to spot and stop it.

“Only two vendors were able to detect it so many systems are defenceless if they are unpatched and relying on anti-virus,” he said.

Ukraine seems to have been particularly badly hit this time round.

Reports suggest that the Kiev metro system has stopped accepting payment cards while several chains of petrol stations have suspended operations.

Ukraine’s deputy prime minister has tweeted a picture appearing to show government systems have been affected.

His caption reads: “Ta-daaa! Network is down at the Cabinet of Minister’s secretariat.”

Source: BBC
