This is a simple breakdown of the new ransomware attacks spreading globally. The attack is quite different to anything that has been spread in the past. The intention may not even be money.
Recently, a new and viral malware has been spreading throughout Europe. News organizations such as the Washington Post and The New York Times have been talking about it quite a lot. However, no one seems to have much information about it.
The stories began on the morning of June 27, 2017. While its method of infection has not been discovered, it is known that this malware in behaving like a worm. That means when one node is infected, it tries to spread to other nodes. When the virus infects a computer, it shows a “Chkdisk” screen that is meant to entice the user not to power off. This attack has been touted to be even worse than the Wannacry attack.
Kaspersky Discovered in First.
Kaspersky actually discovered this Ransomware a while back. Since then, they have noted that it has been spreading for weeks. The reason why it has become such a big issue in recent days is that it has started to affect huge organizations, especially government organizations.
What is Known About it.
Some researchers have christened it PetyaWrap. It uses a potent mix of techniques to enter a network and from there spread to all computers in that network. As with other attacks from ransomware such as WCry, it made use of EternalBlue. This advanced exploit was developed by the NSA to snoop on unwitting users of the Windows OS.
The new attack used a new exploit called the EternalRomance, which was developed by the NSA. Microsoft developed a patch for the vulnerabilities. However, many computers remain quite vulnerable. People with basic technical skills now have a powerful method to deliver any kind of digital warhead that they wish to install in a computer. It is especially so for those who had not installed the updates from Microsoft.
However, EternalRomance was not the only exploit that it used. The recent attack showed that it was a major improvement over past attacks. The new attack also used Mimikatz, which is a tool used to extract passwords from computers on a network. With that ability, they could use PSExec, which is a legitimate component of Windows.
That means even computers that had updated their OS and were immune to EternalRomance and EternalBlue could be hacked. Some of the Ransomware is also using a vulnerability of Ukrainian software called MeDoc. The result is that MeDoc is being used to send updates to the end users.
MeDoc Could be Patient Zero.
Kaspersky just fell short of saying MeDoc was the reason this ransomware attack spread so fast. Others are also fingering MeDoc as being the source of the weakness. MeDoc only indicated that their server made a virus attack in an update on their site. Most analysts have interpreted the post as MeDoc admitting guilt.
How it Works.
When the malware creeps into a computer, it waits for about 10 minutes before it reboots the computer. After that, the hard disk is encrypted, and a $300 ransom is demanded when the computer restarts. If someone switches off the computer before it reboots, he or she could save their computer if they allow a professional to restart their computer.
Ukraine Was Hit Hard.
Many news organizations globally report that Ukraine was hit hard. The malware hit metro networks, power companies, government sites, banks, airports, media organizations, and state corporations. Even the radiation monitors at Chernobyl were not spared.
One of the reasons WCry was killed off was that its developers hard-coded a kill switch into it. However, researchers are concerned that there may be no simple solution to stopping the spread this time.
Reports of Windows 10 Attacks.
Some reports indicate that it was able to attack an updated Windows 10 computer. Besides that, it is said that the computer had a working anti-virus installed and had the SMBv1 protocol switched off.
It is also Stealing Credential.
This new strain is targeting the master boot record of computers. It is an important file, which allows the computer to locate the OS and other important components. However, it also delivers a payload that steals usernames and passwords and sends it to a server under the control of the attackers. That means the attackers could be in possession of high-value data.
The attack was initially limited to Ukraine and Russia. However, it soon spread to Poland and then to Italy, Spain, France, US, and India. Major law firms and other companies in the UK said that their systems were under attack.
Victims of the attack were told that they had to email payment details. Within a few hours, the email went down. That made it impossible for those who had paid the money to recover data. The result was that it led to speculation the aim of the attack was destruction, not money.
What Can You Do to Stay Safe.
There are a few Steps, which computer users can take to stay safe. They are actually quite effective.
· Question All Attachments.
In a world where digital spoofing is so easy, do not trust anything. Do not open an attachment unless you were expecting it to arrive. If you feel you must open it, use your phone to call the person so that you can verify they sent an email to you.
· Do not click Links in an Email.
Before opening a link, position the cursor over it. If the URL is different from the text over it, avoid opening it. Besides that, use your phone to confirm any link sent to you.
· Be Attentive.
If an email uses language that suggests urgency, you should be quite cautious about clicking on it. If an email offers something to you for clicking the email, avoid it. Additionally, any email that seeks to generate some emotional response from you needs to be watched carefully.
· Stay Focused on Your Work.
Avoid receiving funny cat videos from your friends all the time. It is possible to receive a video that has bugs encoded into it. Unless your job involves studying cats, avoid unnecessary downloads at all times.
Most importantly, never pay any ransom. There is no guarantee you will receive the decryption key.
Alvarez Technology Group, Inc.
209 Pajaro Street
Salinas, CA 93901
Toll Free: 1-866-78-iTeamLocal: (831) 753-7677
Fax: (831) 753-7671