June 30, 2017
CyberSecurity Malaysia has issued a new national alert following reports of a global spread of ransomware inspired by WannaCry, initially identified as a Petya variant.
Petya is a more powerful, dangerous and intrusive malware: it encrypts the Master File Table (MFT) of NTFS partitions and overwrites the Master Boot Record (MBR), so the machine can no longer boot into Windows and a custom bootloader displays the ransom note instead. According to the early reports, Petya spread via spam e-mail carrying booby-trapped Office documents; once opened, the document downloads and runs the Petya installer, which then launches an SMB worm component to spread to other computers on the network. Because the lure arrives as an ordinary-looking document, it is difficult for users to tell whether the attachment is legitimate.
As detailed in a Computerworld report (see - PETYA - Darwinism applied to cyberspace), the first wave of attacks early on 27 June 2017 focused on Ukrainian critical infrastructure sectors, including aviation, banking and electricity. Business systems were made unavailable and normal processes stopped. Fortunately, no operational technology, the technology that actually runs the energy grid, was reported to be affected.
Affected systems were widespread and included Ukrenergo, the country's electric transmission company, and Kyivenergo, the distribution company serving the Kiev region. While Ukrenergo reported no outages, Kyivenergo was forced to shut down all administrative systems, awaiting permission from Ukraine's Security Service (SBU) before restarting.
Other victims in Ukraine and internationally included:
- The Ukrainian government, including parliament and cabinet
- Ukraine's largest bank, Oschadbank
- Kiev's Boryspil Airport, affecting departure boards and scheduling systems
- The Ukrainian state postal service
- Kiev's metro system
- Television stations
- Rosneft, a Russian government-owned oil firm
- Steel maker Evraz
- Three Ukrainian telecom companies, Kyivstar, LifeCell and Ukrtelecom.
- Danish shipping company Maersk reported that systems in the UK and Ireland were affected.
The attack occurred, probably not by chance, only hours after the car-bomb murder of Col. Maxim Shapoval of Ukraine's Chief Directorate of Intelligence and a day before Ukraine's Constitution Day.
In a recent exclusive interview [see - Malaysia at risk: CyberSecurity Malaysia chief covers espionage and state level attacks] and later as keynote speaker at this year's Computerworld Malaysia Security Summit, CyberSecurity Malaysia's chief executive officer Dato' Dr Amirudin Abdul Wahab had warned of impending state level and critical infrastructure dangers.
Yesterday, Computerworld Malaysia reached out to computer forensics investigator and expert witness Krishna Rajagopal, who also suggested a kill switch or fix for IT professionals. (See - Is there a kill switch for the latest - Petya, EternalBlue related - global ransomware attack?)
Malaysia status check
Dr Amirudin said the Petya variant behaves similarly to the WannaCry ransomware, in that it infects unpatched Windows devices by exploiting a vulnerability in the SMB server service. "It exploits a vulnerability found in Windows, known as EternalBlue, which Microsoft patched in March (MS17-010). The vulnerability is in the Windows Server Message Block (SMB) service."
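A check that follows from this advice, added here as an illustration and not code from the article, from CyberSecurity Malaysia or from the MyCERT advisory: the PowerShell below reports whether a host still has SMBv1 enabled (the protocol EternalBlue targets) and whether any MS17-010 update package is present, and provides a separate function to disable SMBv1. The KB numbers are an assumption recalled from the MS17-010 bulletin and should be verified against Microsoft's bulletin for the exact OS build; on Windows 10 later cumulative updates supersede these KBs, so a missing KB there does not by itself mean the host is unpatched.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from CyberSecurity Malaysia.
# Reports whether this host is exposed to the SMB vector described above:
#   - SMBv1 still enabled (the protocol EternalBlue targets)
#   - none of the MS17-010 update packages installed
# and offers a separate, explicit remediation step for SMBv1.

# ASSUMPTION: KB list recalled from the MS17-010 bulletin; verify it against
# the bulletin for your OS build. Windows 10 cumulative updates supersede these,
# so a missing KB on Windows 10 is not by itself proof the host is unpatched.
$Ms17010Kbs = @(
    'KB4012598',               # Vista / Server 2008 (also the later XP / 2003 package)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: the LanmanServer "SMB1" value disables SMBv1 when set to 0.
    # When the value is absent, SMBv1 is enabled by default.
    $prop = Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $true }
    return ($prop.SMB1 -ne 0)
}

function Test-Ms17010 {
    param([string[]]$Kbs = $Ms17010Kbs)
    # Get-HotFix lists installed update packages by their KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched = @($installed | Where-Object { $Kbs -contains $_ })
    [pscustomobject]@{
        Patched    = ($matched.Count -gt 0)
        MatchedKbs = $matched
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Legacy path (Windows 7 / 2008 R2): registry value, takes effect after reboot.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

# Read-only assessment; remediation is a deliberate separate step.
$smb1  = Get-Smb1Enabled
$patch = Test-Ms17010
Write-Output ("SMBv1 enabled     : {0}" -f $smb1)
Write-Output ("MS17-010 KB found : {0}" -f $(if ($patch.Patched) { $patch.MatchedKbs -join ', ' } else { 'none' }))

if ($smb1 -or -not $patch.Patched) {
    Write-Warning 'Host is exposed to the SMB vector described in the advisory: apply MS17-010 and disable SMBv1.'
}
# To remediate after reviewing the output, run:
#   Disable-Smb1
```

Run the assessment first on a sample of hosts and compare against your patch-management records before disabling SMBv1 fleet-wide, since a few legacy appliances and old print or file servers still depend on it.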
Commenting on the latest status, he said: "At present, we are closely monitoring the situation. Our technical team is on standby and consistently keeping abreast of other CERTs around the world to obtain and exchange the latest information about the attack. So far, we have not received any incident report with regards to the attack."
"We have issued an alert specifically on this incident and we would like to suggest system administrators refer to our alert and updates through our portal," said Dr Amirudin.
"In view of the numerous cyber attacks and various possible online incidents, internet users must equip themselves with cyber security knowledge," he added. "They have to take cyber attacks and online incidents as new challenges in this new digital environment and use technology positively."
Alerts, updates and advisories on Petya Ransomware can be obtained at: mycert.org.my/en/services/advisories/mycert/2017/main/detail/1272/index.html
For further enquiries, please contact CyberSecurity Malaysia (MyCERT) through the following channels:
- Phone: 1-300-88-2999
- Fax: +603 89453442
- Mobile: +6019 2665850 (24x7 incident reporting by phone)
- SMS: send "Cyber999 report <email> <complaint>" to 15888