    A new strain of ransomware has hit hardest among largest corporate networks

    By Tapiwa Matthew Mutisi on June 28, 2017 Coding, Cybercrime, Data, Government, Internet, News, Security, Software, Terrorism

    Remember, when the WannaCry ransomware tore through the UK and Europe in May, there was a certain logic to the heightened scale of damage. Ransomware attacks were nothing new, but this one had a secret weapon: a sophisticated software exploit known as EternalBlue, published by the Shadow Brokers in April and believed to have been developed by the NSA. It was nation-state-level weaponry turned against soft civilian targets, like robbing a small-town bank with an Abrams tank. If you were looking for an explanation of how it spread so far so fast, you didn’t have to look far.

    Now, just over a month later, a new strain of ransomware has inflicted similar damage with almost none of that firepower. A variant of the Petya family of ransomware, it has infected thousands of systems across the world, including massive multinational corporations like Maersk, Rosneft and Merck, but it has done so with far less raw material. Petya still uses EternalBlue, but by now many of the target organizations are patched against it, and that exploit is far less crucial to the ransomware’s spread. Instead, Petya exploits more fundamental weaknesses in the way we run networks and, more crucially, in the way we deliver patches. They’re not as eye-catching as an NSA exploit, but they’re more powerful, and could leave organizations in a much more difficult position as they try to recover from today’s attacks.

    Spreads SUPER fast – saw org 5K systems hit in under 10 minutes.

    Restarts computer with ransom message (MBR).

    — Dave Kennedy (ReL1K) (@HackingDave) June 27, 2017

    Where WannaCry focused on poorly patched systems, Petya seems to have hit hardest among large corporate networks, a pattern that’s partially explained by how the virus spread. Once a single computer on a network was infected, Petya leveraged Windows administration tools like Windows Management Instrumentation (WMI) and PsExec to infect other computers on the same network.

    Both tools are normally used for remote administration, and they’re often abused by attackers to spread malware within a compromised network. WMI is a highly effective lateral-movement method: it is built in and almost always allowed, so it is rarely logged or blocked by security tools. PsExec is older and more closely monitored, but still very effective.
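    The flip side of "rarely logged or blocked" is that both techniques do leave traces a defender can look for: PsExec installs a service named PSEXESVC on the target before it runs anything, and remote WMI execution shows up as a shell or similar binary spawned by the WMI provider host (WmiPrvSE.exe). The following is an added example, not code from the article or from any product it mentions; it runs two such rules over constructed event records in the shape a log pipeline would normalize Windows events into (event 7045 = service installed, event 4688 = process created), and the field names and sample values are assumptions.

```python
"""Flag PsExec- and WMI-style lateral movement in Windows event records.

Added example (not from the article): two detection rules run over constructed
event records. Field names and sample values are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample events (not real log data).
# 7045 = service installed (System log); 4688 = process created (Security log).
SAMPLE_EVENTS = [
    {"host": "ws-101", "event_id": 7045, "user": "CORP\\admin1",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "ws-102", "event_id": 4688, "user": "CORP\\svc-backup",
     "new_process": r"C:\Windows\System32\rundll32.exe",
     "parent_process": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws-103", "event_id": 4688, "user": "CORP\\jdoe",
     "new_process": r"C:\Program Files\Editor\editor.exe",
     "parent_process": r"C:\Windows\explorer.exe"},
    {"host": "ws-104", "event_id": 7045, "user": "SYSTEM",
     "service_name": "VendorUpdate", "image_path": r"C:\Program Files\Vendor\update.exe"},
    {"host": "ws-105", "event_id": 4688, "user": "CORP\\admin1",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "parent_process": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

# Children that the WMI provider host rarely spawns for a benign query but
# routinely spawns when WMI is being used to execute commands remotely.
WMI_EXEC_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                     "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()

def rule_psexec_service(ev):
    """PsExec installs a PSEXESVC service on the target before running anything."""
    if ev.get("event_id") != 7045:
        return None
    if (ev.get("service_name", "").upper() == "PSEXESVC"
            or basename(ev.get("image_path", "")) == "psexesvc.exe"):
        return "psexec_service_install"
    return None

def rule_wmi_remote_exec(ev):
    """A shell or LOLBin whose parent is WmiPrvSE.exe points at remote WMI execution."""
    if ev.get("event_id") != 4688:
        return None
    if (basename(ev.get("parent_process", "")) == "wmiprvse.exe"
            and basename(ev.get("new_process", "")) in WMI_EXEC_CHILDREN):
        return "wmi_remote_exec"
    return None

RULES = (rule_psexec_service, rule_wmi_remote_exec)

def detect(events):
    """Return (host, user, rule_name) for every event a rule matches."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append((ev["host"], ev["user"], name))
    return alerts

def hosts_per_account(alerts):
    """Group alerted hosts by account: one account reaching many hosts in a
    short window is the worm-like pattern worth escalating on."""
    spread = defaultdict(set)
    for host, user, _ in alerts:
        spread[user].add(host)
    return {user: sorted(hosts) for user, hosts in spread.items()}

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(hosts_per_account(found))
```

    On the constructed input the rules flag three hosts and attribute two of them to the same account, which is the kind of grouping that turns isolated admin-tool alerts into a spreading-infection signal; the benign vendor service and the ordinary desktop process are left alone.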

    Even networks that had patched against the EternalBlue exploit were sometimes vulnerable to attacks launched from within the network. That’s in keeping with previous Petya attacks, which have historically targeted large companies likely to pay ransoms quickly. This started as a group targeting businesses, and now they have picked up an exploit that is perfectly suited to hitting businesses.

    The more troubling aspect is how Petya got into the computers in the first place. According to research by Talos Intelligence, the ransomware may have spread through a falsified update to a Ukrainian accounting system called MeDoc. MeDoc has denied the allegations, but a number of other groups have concurred with Talos’s finding, pointing to what appears to be a forged digital signature in the payload. If that signature was accepted as valid, it would have given attackers a clean way into almost any system running the software.

    That would also explain Petya’s heavy footprint in Ukraine: as many as 60 percent of total infections were in the country, including the country’s central bank and largest airport.

    It’s not the first time hackers have compromised auto-update systems to deliver malware, although such attacks have usually been limited to nation states. In 2012, the Flame malware compromised the Windows update process to deliver malware to targets in Iran, an operation that many have attributed to the US government. A 2013 attack on South Korean banks and TV stations also spread through compromised internal patching systems.

    Organizations often fail to verify updates, or leave the underlying signing keys insufficiently protected. At the same time, compromising software updates is one of the most powerful ways to compromise a system.
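    What "verifying an update" has to mean in practice is the part the article leaves implicit: the client checks the signature over a manifest before it reads anything else, checks that the delivered payload matches the hash pinned in that manifest, and refuses a validly signed but older package so that a captured old release cannot be replayed. The block below is an added example, not the article's or MeDoc's code. A shared-secret HMAC over the manifest stands in for the vendor's asymmetric signature so that it runs with only the Python standard library; the package layout, product name, key and version numbers are all constructed assumptions.

```python
"""Verify a software update before applying it (added example, not the
article's or any vendor's code). HMAC stands in for an asymmetric signature;
the package layout and all sample values are constructed."""
import hashlib
import hmac
import json

# Constructed demo key. With a real signature scheme the vendor keeps the
# private key offline or in an HSM and ships only the public half to clients;
# HMAC is symmetric, so both sides share this value here.
VENDOR_KEY = b"constructed-demo-key-do-not-reuse"

class UpdateRejected(Exception):
    """Raised for any package that fails verification."""

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def build_package(payload, version, key=VENDOR_KEY):
    """Vendor side: pin the payload hash in a manifest and sign the manifest bytes."""
    manifest = {"product": "demo-accounting", "version": version,
                "payload_sha256": sha256_hex(payload)}
    # canonical encoding so vendor and client sign/verify identical bytes
    manifest_bytes = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return {"manifest": manifest_bytes, "signature": signature, "payload": payload}

def verify_package(package, installed_version, key=VENDOR_KEY):
    """Client side: signature first, then payload hash, then version; only
    a package that passes all three is returned for installation."""
    manifest_bytes = package["manifest"]
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    # constant-time compare so a forged signature cannot be confirmed byte by byte
    if not hmac.compare_digest(expected, package["signature"]):
        raise UpdateRejected("manifest signature invalid")
    manifest = json.loads(manifest_bytes)
    if not hmac.compare_digest(manifest["payload_sha256"], sha256_hex(package["payload"])):
        raise UpdateRejected("payload hash does not match signed manifest")
    # a replayed old package carries a valid signature, so the version check is not optional
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected(f"version {manifest['version']} is not newer than {installed_version}")
    return manifest

def apply_update(package, installed_version):
    """Return ('installed', version) or ('rejected', reason) without raising."""
    try:
        manifest = verify_package(package, installed_version)
    except UpdateRejected as exc:
        return ("rejected", str(exc))
    return ("installed", manifest["version"])

def run_scenarios(installed_version="10.0.0"):
    """Four constructed packages: genuine, payload swapped after signing,
    manifest forged without the key, and a replay of an older signed release."""
    genuine = build_package(b"bytes of a legitimate 10.1.0 build", "10.1.0")
    tampered = dict(genuine, payload=b"payload swapped after signing")
    forged_manifest = json.dumps({"product": "demo-accounting", "version": "10.2.0",
                                  "payload_sha256": sha256_hex(b"attacker build")},
                                 sort_keys=True, separators=(",", ":")).encode()
    forged = {"manifest": forged_manifest, "signature": "00" * 32,
              "payload": b"attacker build"}
    replay = build_package(b"bytes of the old 9.9.0 build", "9.9.0")
    return [apply_update(p, installed_version)
            for p in (genuine, tampered, forged, replay)]

if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```

    Only the genuine package installs; the other three are refused for distinct reasons, which is the behaviour an update client needs before a forged or replaced package can reach thousands of endpoints with administrative rights. The ordering matters: the hash is not consulted until the manifest's signature has been verified, so an attacker who can alter the payload and its advertised hash together still gains nothing without the signing key.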

    Final thoughts

    An auto-update mechanism is like the holy grail for attackers. It is on every computer, it usually runs with admin access, it makes outgoing connections that tend to be encrypted, and it bypasses any firewall you have.
