Today the world is still reeling from the global mayhem created by yet another ransomware attack – the bigger, more ruthless brother of the WannaCry attack that took place only six weeks ago. The ransomware has been referred to as Petya, NotPetya, Petrwrap, and GoldenEye. Cisco’s Talos Threat Intelligence Team has identified this new variant of malware that brought industrial giants, governments, and central banks to a grinding halt as Nyetya. Talos Security is regularly updating their Nyetya blog with new information.
Nyetya vs. WannaCry: What’s the difference?
Like WannaCry, Nyetya victims receive a message demanding payment via Bitcoin and are asked to send confirmation of payment to an email address included in the ransom note. Both versions of ransomware attack computers by entering through a “hole,” or vulnerability, in Windows. However, several factors are making the Nyetya attack worse:
- In addition to this known vulnerability, Nyetya employs two more methods to attack computers laterally. None of the three methods require the user to take an action such as downloading a file or clicking a link.
- Nyetya encrypts both the data and the master boot record (like a table of contents for a hard drive), which makes the computer unresponsive and impossible to use.
- So far, no “kill switch” has been discovered for Nyetya like the one that stopped WannaCry, which means that no one knows how to stop this attack from spreading.
- There is no longer an option for people to contact the attackers for a decryption key to unlock their computer after paying the ransom. Shortly after the attack began, the email provider Posteo shut down the email address.
Does Nyetya have political connections?
According to Cisco’s Talos Threat Intelligence Team, some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. MeDoc is popular across various industries in Ukraine, including financial institutions.
The infection occurred during an automatic update of the software on June 22. The virus spread throughout Ukraine and around the world for five days before the ransomware was launched on June 27, prior to a national holiday.
“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware. It’s very clear that whoever was behind this would somehow benefit from causing a significant amount of negative business impact on Constitution Day,” Williams added.
Ransomware and Banks
Nyetya hit the National Bank of Ukraine and another national central bank hard. It also crippled many branches and lenders, as financial institutions in Ukraine and Russia reported significant system outages early on during the ransomware attack. Many ATMs in Ukraine were out of order or displayed Nyetya’s ransomware message on their screens.
“The National Bank of Ukraine has warned banks… about an external hacker attack on the websites of some Ukrainian banks… which was carried out today,” Ukraine’s central bank said in a statement on June 27, 2017. “As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations.”
How can banks protect themselves from ransomware?
Aside from making sure that all systems are updated, this event underscores the need for financial services firms to take a closer look at their infrastructure. Hackers get smarter every day and networks should too.
It’s critical to have a secure, intelligent network that constantly learns and evolves to detect issues before they happen and find ways to resolve them automatically. Today’s fully integrated, intelligent, highly secure networks can identify immediately what’s trustworthy and what isn’t, even seemingly benign and routine processes like software updates from trusted accounting software vendors.
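The MeDoc incident above shows why a routine automatic update cannot be trusted on the strength of the channel it arrived through. The following is an added example, not Cisco’s, Talos’s or MeDoc’s code, of the simplest control an update client can apply: refuse to run any package whose SHA-256 digest does not match the digest the vendor published out of band (for instance on a signed release page). The manifest format, the package bytes and the `installer` callback are all constructed for the example; the genuine package’s digest is derived from the sample bytes so the script runs offline, whereas a real client would read it from the vendor’s separate channel.

```python
"""Gate an automatic software update on an integrity check before it runs.

Added example (not Cisco's or MeDoc's code). It assumes the vendor publishes
the SHA-256 digest of each update package over a separate channel, so that a
package swapped on the update server alone will not match.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, List

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class UpdateManifest:
    """Digest the vendor published out of band for one release (hypothetical format)."""
    version: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(package: bytes, manifest: UpdateManifest) -> bool:
    """True only when the downloaded package matches the pinned digest.

    A malformed manifest digest is treated as a failure, never as "skip the check".
    """
    expected = manifest.sha256.strip().lower()
    if not HEX_SHA256.match(expected):
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(sha256_hex(package), expected)


def apply_update(package: bytes, manifest: UpdateManifest,
                 installer: Callable[[bytes], None], audit: List[str]) -> str:
    """Run the installer only for a verified package; record the decision."""
    if not verify_update(package, manifest):
        audit.append(f"REJECT version={manifest.version} digest-mismatch")
        return "rejected"
    installer(package)
    audit.append(f"APPLY version={manifest.version}")
    return "applied"


# --- constructed sample data (not a real update) ---------------------------
GENUINE_PACKAGE = b"example-accounting-update 1.0\n"
# In practice this digest is read from the vendor's out-of-band manifest;
# here it is derived from the genuine bytes so the example runs offline.
PUBLISHED_MANIFEST = UpdateManifest("1.0", sha256_hex(GENUINE_PACKAGE))
# A package altered on the update server, as in a compromised update channel.
TAMPERED_PACKAGE = GENUINE_PACKAGE + b"injected-payload\n"


def demo() -> List[str]:
    """Apply both packages against the same manifest; return the audit trail."""
    installed: List[bytes] = []
    audit: List[str] = []
    apply_update(GENUINE_PACKAGE, PUBLISHED_MANIFEST, installed.append, audit)
    apply_update(TAMPERED_PACKAGE, PUBLISHED_MANIFEST, installed.append, audit)
    # The tampered package never reached the installer.
    assert installed == [GENUINE_PACKAGE]
    return audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The check is deliberately fail-closed: a missing or malformed digest in the manifest rejects the update rather than skipping verification, and the installer is only ever invoked after `verify_update` returns true. A digest pinned out of band is a floor, not a ceiling; a vendor signature over the manifest would additionally let the client detect a forged manifest, but the pattern of verifying before executing is the same.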
- Read my last blog on the WannaCry ransomware attack to learn more about how ransomware can affect banks and financial services institutions.
- Bookmark the Cisco web page dedicated to the Nyetya threat as well as the Cisco Talos Security Team blog. Our security researchers will be refreshing the pages with ongoing updates on the Nyetya ransomware outbreak.
- Listen to a recorded webinar from Friday, June 30, hosted by Martin Lee, technical lead on Cisco’s Talos threat research team, to understand the latest in the new malware variant, Nyetya. Hear the latest on the attack and steps you can take to strengthen your security.