Global cyber-attack Petya
GoldenEye, Petya, NotPetya, and ExPetr are all names that have been given to the latest major cyber worm that started impacting systems on 27 June, 2017. Many commentators have noted some similarities with the WannaCry ransomware worm.
Some key similarities are:
- Both attacks leverage the same vulnerability in unpatched MS Windows systems
- Both attacks make files unavailable
- Both attacks ask for USD$300 in bitcoin as ransom
These similarities make it easy to assume it is a similar attack that is financially motivated (if we assume that WannaCry was financially motivated). However, now that security researchers have been able to look into this new attack in detail, there are some key differences that could indicate those responsible may have a very different motive.
The key differences are:
- The worm uses two distinct exploits that target the vulnerability. The second is also one of the exploits stolen from the NSA in August 2016
- An infected machine will automatically reboot and display a plain-text extortion note, not the red window made infamous by WannaCry
- Rather than just blocking user access to files, it blocks access to the system itself
- It also contains malware that looks for usernames and passwords
- It appears there is no way to pay the ransom and/or no guarantee that there is a key to unlock the affected system
Taking these details into consideration, it appears that those responsible aren’t very good at extortion or there are other motives. This attack seems to be pure evil in that it aims to destroy, regardless of ransom. There are theories that it may have been an intentional attack on Ukraine, as that is the worst affected country so far, and some commentators are arguing it may be a nation state that launched the attack.
While speculation is rife, the advice from WannaCry applies to defending organisations from this attack: immediately patch Windows systems, turn on auto-updates and ensure other security measures like anti-virus are functioning and updated.
Attacks such as these are another reminder of the importance of proactively managing your cyber risks and having a cyber incident response plan and cyber insurance in place.
Cyber insurance can include the provision for a cyber incident response team who can assist with the first response to a cyber incident and coordinate the actions required. Please contact us if we can assist you in preparing for, responding to, mitigating and transferring the risks of cyber incidents.
For all the latest updates about the recent cyber-attacks, please visit our cyber risk information page.