Massive ransomware attack named “Petya” has infected thousands of systems all over the world including Europe, Middle East, and the United States. It has been categorized as one of the worst worms which have affected various organizations such as banks, hospitals, airlines and many others. A discovery showed that the ransomware has been exploited through injecting the worm to the tax collection software used by the Ukrainian Government which is necessary to install on all of the workplace systems of the country.
Some security experts speculated that Petya may be a state-sponsored cyber attack on Ukraine as it appears to be relatively sophisticated and its ransom-collection system is primitive. The very first identification of the ransomware came from the deputy prime minister of the country who posted a photo of a computer screen showing a DOS screen of reformatting the hard drive. The victims see the fake ‘repair’ screen as the ransomware starts encrypting.
As soon as the photo was seen by the people on Twitter, it was quickly noted that it was a new form of Petya ransomware. Two views regarding the ransomware came forward; in one the Petya ransomware was called an almost identical clone of the GoldenEye ransomware family by Romanian antivirus firm Bitdefender and the other in which Kaspersky Lab regarded it as completely different from the old Petya ransomware and was termed as a new form of ransomware ‘Mischa’.
The initial attacks were reported from Europe. The British advertising giant WPP, the Anglo-American law firm DLA Piper and the Danish shipping line Maersk reported that their internal networks were hit by the ransomware.
We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation.
— Maersk (@Maersk) June 27, 2017
The Russian energy company Rosneft and the giant pharmaceutical Merck, based in Kenilworth, New Jersey also said that their systems were compromised. Other news of the attack came from Spain, France, India, Germany, Poland and the Netherlands.
The cyber attack could lead to serious consequences, however, due to the fact that the Company has switched to a reserve control system…
— Rosneft (@RosneftEN) June 27, 2017
We confirm our company's computer network was compromised today as part of global hack. Other organizations have also been affected (1 of 2)
— Merck (@Merck) June 27, 2017
The ransomware note demanded the victims to pay $300 in Bitcoin to a specified Bitcoin address. The address had received $8,000 payments at about 5:30 pm Eastern time.
The ransomware Petya is harmful as all user files, computer’s file table and Master Boot Record get encrypted. Restarting the computer becomes impossible by the victims.
Small businesses are more at danger of the ransomware Petya as Kurt Roemer, chief security strategist for Citrix said that large businesses will often have whole teams of employees dedicated to monitoring its systems for security flaws and immediately addressing any vulnerabilities.
Kurt Roemer Said: “Many small businesses might hire a consultant who does security as a percentage of what they contribute but definitely doesn’t have those resources behind them,”
A Senior IR Analyst from IBM’s and Intelligence Services
Razmik Ghanaghounian Said: “A lot of enterprises have enterprise tools that they can use to readily patch all their systems in a timely manner,”
“Those smaller companies don’t have the necessary skill-sets, resources or the financial costs associated with implementing great infrastructure or support.”
He also added that smaller organizations have more difficult time to recover from the ransomware attack because of the security discrepancies.
Ghanaghounian and Roemer said that the systems that were patched were likely protected from the recent attacks.
Kurt Roemer Explained: “Microsoft would have released the updates that would have prevented this attack in March. These are definitely preventable events,”
No one has still been able to understand what the goal of this ransomware was. Either it was for ransom money or data destruction.
Roemer said that the email provided to the victims by the attackers was disconnected by the ISP that was hosting the email address, finishing all communication. He also said that though the smaller businesses are more at risk of this ransomware yet organizations of all sizes are capable of losing a lot if this ransomware infects their systems.
He added: “There are businesses that will be down for weeks as they completely have to redo their infrastructure, every endpoint, every connection, re-verify all their data. That’s a substantial amount of disruption. And unfortunately, this attack was completely preventable,”
The only protective measure that has been recommended to all smaller to medium-sized businesses is switching to cloud-based data storage which means that the companies don’t need to maintain the infrastructure by themselves.
Also keeping systems up to date by enabling automatic update can protect the small business. Having reliable and frequent backups can also help the victims to recover when they are hit by such cyber attacks.