Ransomware attacks on the rise

By Michael Park

In brief

With an upward trend in large-scale ransomware attacks and the number of data breaches reported globally, mandatory data breach notification will become law in Australia in February 2018. This will place privacy compliance and cyber security in sharp focus. Partner Michael Park, Lawyer Samantha Naylor Brown and Head Paralegal Hope Williams report on recent global attacks and what they mean for you.


In May 2017, the 'WannaCry' ransomware attack affected as many as 200,000 computers across the globe, including those of Britain's National Health Service. Days later, the 'Adylkuzz' attack was uncovered. Adylkuzz is not ransomware: it used the same EternalBlue exploit as WannaCry to turn infected machines into a large-scale cryptocurrency-mining operation.

On 27 June 2017, news broke of a third major ransomware attack. This attack has so far hit more than 2000 computers globally. However, there is considerable uncertainty about the type of ransomware that facilitated the attack. Symantec suggests that the ransomware is a variant of 'Petya', which was first detected in 2016. Alternatively, Russian cyber-security firm Kaspersky Lab argues that the attack was not a variant of Petya but a new ransomware, which it has named 'NotPetya'. Others are referring to the attack as 'Goldeneye'.

There is also limited information about the source of the disruption. While May's WannaCry attack has been linked by some experts to North Korea, the source of Petya/NotPetya is more uncertain at this stage.

How does the attack work?

Initial reports attributed the first infections to a vulnerability in the way Microsoft Office and WordPad handle documents, delivered as an email attachment, which gives the attacker control of an individual computer; other reports point to a compromised software update as the entry point. Once inside a network, the malware spreads between computers using 'EternalBlue', an exploit for a vulnerability in the SMBv1 file-sharing component of Windows. Microsoft patched that vulnerability in March 2017, and the exploit itself became public when a cache of National Security Agency tools was leaked in April 2017. WannaCry relied on the same exploit, which is why machines that were never patched remained exposed.

Most ransomware encrypts individual files and leaves the machine running. Petya-family ransomware also attacks the disk itself: it overwrites the master boot record with its own loader and, after forcing a reboot (disguised as a disk check), encrypts the master file table, so the operating system can no longer locate any file on the drive. Before the reboot, the malware harvests administrator credentials from the memory of the infected machine and reuses them with standard Windows management tools to reach other hosts on the network. On restart, the user is shown a demand for approximately US$300 in Bitcoin to regain access. Paying is not a practical option: the email address victims were told to contact was disabled by its provider within hours of the outbreak, and researchers have found no reliable way to recover the encrypted data from the attackers.

Who has been affected by the attack?

More than 2000 computers have been affected to date, with those in Ukraine most heavily impacted. There, targets have included government departments, banks (including the National Bank of Ukraine), utilities (including state telecommunications company Ukrtelecom), private corporations and Kiev airport. Automated radiation monitoring at the Chernobyl nuclear disaster site was also affected and had to be carried out manually. Large corporations were also hit across Europe, including Danish shipping conglomerate Moller-Maersk, Russian oil company Rosneft and British advertising multinational WPP. Australian offices of international companies have also been affected.

How was this different from the WannaCry attack?

Petya/NotPetya has so far affected far fewer machines (around 2000, against WannaCry's 200,000), but several factors arguably make it the more serious threat. WannaCry spread as a 'worm' over the network, relying almost entirely on EternalBlue to attack unpatched systems remotely. Petya/NotPetya is also a worm, but it has more ways in and more ways to spread: phishing emails with malicious attachments and compromised software updates for initial entry, and, inside a network, credential theft. Reports indicate that it harvests administrator passwords and password hashes from an infected machine and replays them against other hosts (a 'pass-the-hash' attack) through standard Windows administration tools, which succeeds wherever the same administrator password is reused across machines. That route does not depend on any unpatched vulnerability, so even fully patched computers are at risk, and patching alone is not a sufficient response: unique local administrator passwords and limits on where domain administrator accounts may log on matter as much as updates. Some reports also suggest that Petya/NotPetya uses a second leaked exploit, 'EternalRomance', which targets the same Windows file-sharing component as EternalBlue and is addressed by the same Microsoft update (MS17-010).
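The credential-reuse spread described above leaves a recognisable trace in Windows security logs: one account authenticating over the network to many different hosts within seconds. The script below is an added example (not code from the original article or from any vendor) that flags that fan-out pattern over sample log lines. The log lines are constructed and use a simplified comma-separated layout modelled loosely on Windows event 4624 (successful logon) with logon type 3 (network logon), not real event-log output; the five-host, five-minute alert thresholds are hypothetical tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields:
#   timestamp,event_id,account,source_ip,target_host,logon_type
# Event 4624 is a successful logon; logon type 3 is a network logon, the kind
# that SMB, PsExec or WMIC access from another machine produces. Type 2 is an
# interactive (console) logon and is ignored by the detector.
SAMPLE_LOG = """\
2017-06-27T10:00:01,4624,CORP\\alice,10.0.5.20,WS-ALICE,2
2017-06-27T10:00:12,4624,CORP\\svc_deploy,10.0.1.5,FS01,3
2017-06-27T10:00:15,4624,CORP\\svc_deploy,10.0.1.5,FS02,3
2017-06-27T10:00:17,4624,CORP\\svc_deploy,10.0.1.5,WS-BOB,3
2017-06-27T10:00:19,4624,CORP\\svc_deploy,10.0.1.5,WS-CAROL,3
2017-06-27T10:00:21,4624,CORP\\svc_deploy,10.0.1.5,DC01,3
2017-06-27T10:00:23,4624,CORP\\svc_deploy,10.0.1.5,PRINT01,3
2017-06-27T10:05:00,4624,CORP\\bob,10.0.5.21,FS01,3
2017-06-27T11:30:00,4624,CORP\\bob,10.0.5.21,FS02,3
2017-06-27T12:00:00,4624,CORP\\svc_deploy,10.0.1.5,FS01,3
"""

WINDOW = timedelta(minutes=5)  # hypothetical: how far apart logons may be
THRESHOLD = 5                  # hypothetical: distinct hosts that trigger an alert


def parse(text):
    """Turn the constructed log lines into dicts with typed fields."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, event_id, account, src, target, logon_type = raw.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "src": src,
            "target": target,
            "logon_type": int(logon_type),
        })
    return events


def find_fanout(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (account, source IP) whose successful network
    logons reach `threshold` distinct target hosts inside any `window`.
    Ordinary admin work touches a few hosts over hours; a worm replaying one
    stolen credential touches many hosts in seconds."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_actor[(e["account"], e["src"])].append(e)

    alerts = []
    for (account, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["target"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({
                    "account": account,
                    "src": src,
                    "hosts": sorted(hosts),
                    "first": evs[start]["time"],
                    "last": evs[end]["time"],
                })
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in find_fanout(parse(SAMPLE_LOG)):
        print(f"ALERT {a['account']} from {a['src']} reached {len(a['hosts'])} hosts "
              f"between {a['first'].time()} and {a['last'].time()}: {', '.join(a['hosts'])}")
```

On the sample data the service account reaches five distinct hosts within nine seconds and is flagged, while the two file-server visits by an ordinary user ninety minutes apart are not. In a real deployment the same logic would run over collected 4624 events, and a hit on an administrator account is the cue to isolate the source machine and reset that credential everywhere it was used.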

Further, WannaCry contained a 'kill switch': before spreading, it checked whether a particular unregistered web domain existed and stopped if it did. A researcher registered that domain, which neutralised the worm and curtailed its impact. The people behind Petya/NotPetya appear to have learned from this: the new ransomware has no equivalent global kill switch. Researchers have identified only a local check (the malware will not run if a particular file already exists in the Windows directory), which protects a single machine and must be applied host by host. This means we are likely to see the attack continue to escalate.

How does this affect your business?

The Petya/NotPetya attack is a timely reminder of the critical importance of cyber security management to every Australian business. Federal Cyber Security Minister Dan Tehan has urgently advised businesses to back up their data and update their operating systems with the most recent security patches. Both matter, with one caveat each: patches close the EternalBlue route but not the credential-reuse route, and a back-up only helps if it is kept somewhere a compromised administrator account cannot reach and overwrite it.

Cyber security is becoming increasingly important, and business systems should be designed with cyber security in mind from the outset, not as an afterthought once the system is complete. Our Cyber Security Tip Sheet is designed to help you prepare for and quickly respond to cyber security incidents. Allens can also assist you to prepare a data breach response plan. Please contact our team for more information.