New Ransomware Attack Targets Europe, U.S. Bracing

Governments, banks, transportation systems and critical infrastructure entities reeled Tuesday from yet another wide-sweeping disruptive cyber attack—one that echoed the WannaCry breach in May but is potentially far more crippling.

Cyber experts began bracing for the effects of a massive attack that hit Ukraine first, and then rippled throughout other European nations before going global.

The latest cyber disruption appears to be another ransomware campaign, coming on the heels of the crippling attack last month that paralyzed hospitals, university and business globally. The WannaCry ransomware hack, which U.S. intelligence and cyber officials have since attributed to North Korea, used tools discovered in leaked documents from the National Security Agency (NSA) to compromise a file-sharing protocol in older, unpatched Microsoft programs.

Tuesday’s attack also exploited information gleaned from the NSA leak, but has the potential to do far more damage because there doesn’t appear to be a kill switch, says Ken Spinner, vice president of field engineering at Varonis, a security software platform to let organizations track, visualize, analyze and protect their unstructured data.

The blitz appears to be a “blended attack,” using the same NSA exploits as WannaCry but adding a nastier strain of ransomware called Petya, which prevents victims from booting computers instead of showing a ransom note, Spinner says. “This attack doesn’t just encrypt data for a ransom. It hijacks computers and prevents them from working altogether. The implications of this type of cyber attack spread far and wide and can affect everything from government to banks to transportation.”

Of note, the Petya strain has been around since March 2016, making it a long-running criminal campaign, offers John Bambenek, threat intelligence manager at Fidelis Cybersecurity. Early reporting Tuesday indicated the ransomware is spread by the EternalBlue code that was part of the NSA leak along with Windows Management Instrumentation Command-line, or WMIC. “If true, the fact that EternalBlue is still being used to achieve infections of a global nature has shown us we still haven’t learned the lessons behind WannaCry,” Bambenek says. “All the security tools in the world won’t help you if you can’t apply simple security updates to your networked devices.”

The attack certainly had cyber defenders around the world on high alert, says Rick McElroy, a security strategist at Carbon Black, which develops endpoint cybersecurity software to detect malicious behavior. “Hopefully the work we all did during and after WannaCry should pay off, thwarting similar attacks like this one,” McElroy says. “If you are patching and have the right visibility into the attack you should be good to go defending against it.”

Some researchers have indicated that Tuesday’s attack might spread through the same vulnerability as WannaCry. Not all. It's under investigation more should be known later today, say experts at Skybox Security.

The ransomware has reportedly been active in the wild for some time, and antivirus services are not always the silver bullet. According to VirusTotal, 16 of 61 endpoint antivirus software programs cannot detect this strain of ransomware, which underscores the need for non-signature-based defenses and a layered approach to data security.

Organizations must apply the patch that Microsoft released in conjunction with WannaCry. Two months before the May attack, Microsoft issued a patch that protected newer Windows systems, but had not issued patches for older systems. A majority of the WannaCry infections occurred on unsupported Windows XP systems still widely used in health care, academia, businesses and on home computers. Microsoft has since issued patches for older systems too.

“I do think it's more interesting that this occurred once again in Ukraine,” McElroy says. Ukraine finds itself in the middle of the cyber war. Cyber intrusions have tampered with that nation’s elections, infrastructure and power grid, to name a few cases. "If you start to put this together, the country of Ukraine finds itself under increasingly more advanced attacks as the years go on,” he says. "They have been getting pummeled for a few years now. If there was ever a canary in the coal mine for cyber attacks, it’s Ukraine. The entire West should be paying attention and working to mitigate attacks that have been used against them. This is becoming the new normal cyber wise. We have work to do."

It appears the world is greeting the dawn of the industrial control system attack, says Bryan Singer, director of security services for IOActive. “For the past 10 years, any attacks to industrial control systems have been one-off, specifically targeted attacks by insiders; or otherwise had very limited visibility,” he says, citing Vitek Boden from 2001 and Stuxnet from 2010. “But it seems like over the last few weeks we have hit a new era, it is now impossible to say ‘that can't happen to us’ anymore. This will act as a real wake-up call.”

Hackers’ swath of havoc is not over, says Owen Connolly, vice president of services (EMEA), also at IOActive. “Beyond this, we can see smaller, potentially more exposed targets are being attacked, meaning the ripple effect to other businesses is widening by the minute,” Connolly says. “Like a global game of six degrees of separation, it is a fascinating demonstration of how everything is interconnected and the frightening speed at which trouble can spread, with early reports indicating it has spread through oil and gas and shipping companies and even international law firms.”

If there is good news gleaned from the outbreak it is that the attack does not appear to be as great as WannaCry, says Raj Samani, chief scientist at McAfee. "But the number of impacted organizations is significant," Samani says. "It appears that it's using the same propagation method as WannaCry, at least based on the data we have right now. Anybody running operating systems that have not been patched for the vulnerability that WannaCry exploited could be vulnerable to this attack."