A mere month and a half after the WannaCry strain of ransomware caused major havoc in European and Asian countries, another major ransomware attack hit large institutions across Europe and the United States yesterday. Hardest hit has been Ukraine, which has seen major attacks on its government, banks, and power infrastructure. Other European firms such as Germany’s Deutsche Bahn railways and Danish shipping firm A.P. MOLLER-MAERSK have also been hit.
This ransomware attack appears to have crossed the pond somewhat more significantly than its WannaCry predecessor, which was stopped by the fortuitous discovery of the “kill switch” to the ransomware by a British security researcher. Large American companies affected include the pharmaceutical company Merck and the multinational law firm DLA Piper. The attack on DLA Piper reportedly began at the firm’s Madrid offices, and may raise concerns among large law firms about the drawbacks of firm-wide networks for storing files, especially at firms with tens of offices worldwide.
The ransomware has been identified as the “GoldenEye” variant of the “Petya” family of malware. According to Bitdefender Labs, it uses two layers of encryption: one that targets individual files, and another that encrypts the structures of the Windows file system itself, the New Technology File System (NTFS). After encrypting the files and the file system, the ransomware crashes the computer and triggers a reboot that leaves the machine unusable until the ransom is paid.
The GoldenEye/Petya ransomware appears to be using the same stolen NSA exploit tool as WannaCry—known as “Eternal Blue”—to spread from computer to computer. GoldenEye/Petya, however, looks like a much more sophisticated job than WannaCry. There may be no “kill switch” in the offing, according to Wired, and according to the Finnish cybersecurity firm F-Secure, the ransomware is spreading via two other vectors beyond Eternal Blue. Moreover, commercial antivirus software does not seem to be much of a match for this new strain of ransomware—tests showed that only a small percentage of 61 popular antivirus solutions were capable of identifying GoldenEye/Petya. Little wonder, then, that Matthieu Suiche, a security researcher involved in containing WannaCry, told the New York Times that GoldenEye/Petya was “an improved and more lethal version of WannaCry.”
The success of a WannaCry-esque attack a month and a half after WannaCry burst onto the front pages accentuates the need for large institutions to be nimble in response to the fast-changing world of cyber threats. Microsoft had released a patch for Eternal Blue in March, and later took the unusual step of releasing similar patches for systems that it no longer supports, such as Windows XP. Though Tech Republic’s view that “[i]f the vulnerabilities exploited by WannaCry were patched . . . GoldenEye/Petya would have been a footnote instead of a headline,” may overstate the case (given that the malware appears to spread by other vectors), it is hard to doubt that many institutions today are regretting not acting more swiftly in response to WannaCry. In addition to beefing up their technical cybersecurity capabilities, large corporations and other bureaucracy-heavy institutions may be well-advised to devote attention to how cybersecurity vulnerabilities can be addressed on an institution-wide basis quickly after they are identified. Decreasing the number of layers of approval required for the Chief Information Security Officer to implement security fixes to shared networks may be one way to approach this problem.
On a broader level, hopefully the second major ransomware attack in two months’ time will further focus the attention of governments on the problem. Government entities such as the United States Computer Emergency Readiness Team (US-CERT) have released guidance on ways to avoid ransomware, and have updated this guidance in the wake of the WannaCry attack. However, more active measures to take the fight to the cybercriminals will likely be necessary to make any dent in what is fast becoming an epidemic. One possible target for law enforcement is the market for “ransomware as a service” that has sprung up on the dark web, which allows sophisticated criminals, and perhaps even cyberterrorists and rogue states, to leverage the technical expertise of hackers to make a profit and sow chaos. One thing is certain—if governments continue to stay two or three steps behind the purveyors of ransomware, attacks like WannaCry and GoldenEye/Petya will take a worse and worse toll on businesses and threaten vital infrastructure.
Read More about Foley Hoag’s Cybersecurity Incident Response Team.