Client Update: Ransomware attacks on the rise
29 June 2017
In brief: With an upward trend in large-scale ransomware attacks and the number of data breaches reported globally, mandatory data breach notification will become law in Australia in February 2018. This will place privacy compliance and cyber security in sharp focus. Partner Michael Park, Lawyer Samantha Naylor Brown and Head Paralegal Hope Williams report on recent global attacks and what they mean for you.
- How does the attack work?
- Who has been affected by the attack?
- How was this different from the WannaCry attack?
- How does this affect your business?
In May 2017, the 'WannaCry' ransomware attack affected as many as 200,000 computers across the globe, including the computers of Britain's National Health Service. Days later, the 'Adylkuzz' ransomware attack was uncovered, revealing large-scale efforts to mine cryptocurrency from infected machines.
On 27 June 2017, news broke of a third major ransomware attack. This attack has so far hit more than 2000 computers globally. However, there is considerable uncertainty about the type of ransomware that facilitated the attack. Symantec suggests that the ransomware is a variant of 'Petya', which was first detected in 2016. Alternatively, Russian cyber-security firm Kaspersky Lab argues that the attack was not a variant of Petya but a new ransomware, which it has named 'NotPetya'. Others are referring to the attack as 'Goldeneye'.
There is also limited information about the source of the disruption. While May's WannaCry attack has been linked by some experts to North Korea, the source of Petya/NotPetya is more uncertain at this stage.
The attack exploits a vulnerability in Microsoft Office and Wordpad to take control of an individual computer. It then spreads between computers in a network via 'EternalBlue', a known weakness in the Windows operating system. This weakness was also targeted by the WannaCry attack, after the existence of EternalBlue was leaked in National Security Agency files in April 2017.
While ransomware typically encrypts individual files, Petya ransomware is believed to overwrite and encrypt the computer's master boot record, causing the computer to crash. The ransomware then steals administrative credentials, giving the hacker control over system management tools. When the computer restarts, its user must pay approximately US$300 in Bitcoin to regain access to encrypted files.
More than 2000 computers have been affected to date, with those in the Ukraine most heavily impacted. There, targets have included government departments, banks (including the Ukraine National Bank), utilities (including state telecommunications company Ukrtelecom), private corporations and Kiev airport. Radiation checks at the Chernobyl nuclear disaster site were also affected. Large corporations were targeted across Europe, including Danish shipping conglomerate Moller-Maersk, Russian oil company Rosneft and British advertising multinational WPP. Australian offices of international companies have also been affected.
While Petya/NotPetya was a smaller-scale attack (so far affecting 2000 computers, rather than WannaCry's 200,000), a number of factors arguably make this attack more serious. WannaCry operated as a 'worm', relying on EternalBlue to attack systems remotely. In contrast, Petya/NotPetya can be spread by a greater range of infection options, including phishing emails with malicious attachments or software updates. Reports also indicate that Petya/NotPetya spreads through 'pass-the-hash' attacks, which exploit reuse of the same administrator password on multiple hosts. This leaves even fully patched computers at risk. This diversity of delivery options means that multiple software patches may be needed to respond. Some reports also suggest that Petya/NotPetya is exploiting a second Windows vulnerability, 'EternalRomance'.
Further, an error in WannaCry's code left a 'kill switch' open, allowing researchers to neutralise the ransomware and curtail its impact. The people behind Petya/NotPetya appear to have learned from this error: the new ransomware does not contain an equivalent vulnerability that leaves a 'kill switch' open. This means we are likely to see the attack continue to escalate.
The Petya/NotPetya attack is a timely reminder of the criticality of cyber security management to every Australian business. Federal Cyber Security Minister Dan Tehan has urgently advised businesses to back up their data and update their operating systems with the most recent security patches.
Cyber security is becoming increasingly important, and business systems should be designed with cyber security in mind – not as an afterthought once the system is complete. Our Cyber Security Tip Sheet is designed to help you prepare and quickly respond to cyber security incidents. Allens can also assist you to prepare a data breach response plan. Please contact our team for more information.
- Michael Park, Partner
Ph: +61 3 9613 8331
- Gavin Smith, Partner, Sector Leader, Technology, Media & Telecommunications
Ph: +61 2 9230 4891
- Michael Morris, Partner
Ph: +61 7 3334 3279