2017-06-28

The usual indicators of a ransomware attack – such as several bitcoin wallets and an encrypted communications path – are missing from the latest cyberattack circulating online, notes security vendor FireEye.

SINGAPORE: Is the launch of Petya, a fast-moving ransomware deemed more dangerous and intrusive, targeted at Ukraine?

The secretary of the Ukrainian security council on Tuesday (Jun 27) indicated as much when he said there were signs of Russian involvement in the wave of ransomware attacks that hit the country's banks and the state power distributor that day.

And at least one expert, Mr Bryce Boland, Asia Pacific chief technology officer at FireEye, told Channel NewsAsia it was possible, although others voiced doubts that this was targeted at a specific country.

Mr Boland said the usual indicators of a conventional ransomware attack, in which cybercriminals gain access to a victim's computer and encrypt it before demanding ransom money to unlock it, were not present. Usually, in a ransomware attack, there would be several bitcoin wallets for victims to pay to, as well as a Tor-encrypted communications path for the cybercriminals to reach the victims in a secure fashion, he said.

But for this particular attack there was just a single bitcoin wallet – which has since been taken down – the FireEye CTO pointed out.

Security vendor Kaspersky Lab said German email provider Posteo had shut down the email address that was supposed to be used by victims to contact blackmailers, confirm bitcoin transactions and receive decryption keys.

Mr Boland pointed out that Russia and Ukraine have been in conflict since 2014 after the annexation of Crimea, which gives a possible motive behind the online attack.

The FireEye CTO noted that the source code for the malware is “relatively sophisticated” for a conventional ransomware campaign, and it included “additional tactics for lateral movement” of the malware once it manages to get hold of administrative credentials of a single user.

“A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers,” Kaspersky Lab said. “What this means is that victims who would look to pay the criminals can no longer get their files back.”

Cybersecurity vendor CyberArk Labs said its initial analysis showed that the Petya ransomware is different from WannaCry, which crippled systems at a similar scale in May. Petya appears to be sparing computers using US English-only keyboards, it said. This seemingly self-imposed restriction “has been seen in nation-state attacks”, said the company’s senior director of cyber research Kobi Ben Naim.

Still, Mr Jeffrey Kok, technical director for Asia Pacific Japan at CyberArk, said this does not amount to evidence of a cyberattack on Ukraine. He said leaving out users with US English-only keyboards indicates either not wanting to upset the US or an attempt to misdirect forensic investigators from identifying the perpetrators.

“We don’t know for sure,” Mr Kok said. “Due to the large number of countries affected, we don’t think NotPetya (a possible variant of the Petya ransomware) is targeted at any specific country.”

Another security expert, Mr Naveen Bhat from Ixia, echoed this, saying: "Petya attack is not nation state-related as malware does not know national or state boundaries."

His colleague Steve McGregory had earlier stated that following the Shadow Brokers' leak of nation state-level cyber weapons from the US' National Security Agency, the Petya and WannaCry ransomware campaigns "are the equivalent of sophomore college students getting their Master's degrees in a matter of weeks".

Shipping giant A.P. Moller-Maersk was one of the more notable victims of the ransomware on Tuesday, and the following day, operations at one of three terminals at India’s largest container port JNPT – operated by the Danish company – were also disrupted, prompting suspicions that the shipping industry was being targeted.

Trend Micro senior threat researcher Ryan Flores told Channel NewsAsia that the attack has hit European countries the hardest so far, and has affected multiple industries – not just shipping. “It could be another indiscriminate ransomware attack, targeting all vulnerable systems in all vectors,” Mr Flores said.

Regardless of whether or not the attack was directed at Ukraine, the ransomware does not discriminate. Once the malware enters a network and extracts administrator credentials, it spreads quickly and encrypts the whole hard disk – not just individual files and applications, as was the case with WannaCry.

The Cyber Security Agency of Singapore and the Government Technology Agency (GovTech) said on Wednesday that businesses and the public are advised to fully patch their Windows systems, update their antivirus software, back up their files offline and avoid clicking on suspicious links or attachments.

The Singapore Computer Emergency Response Team (SingCERT) also highlighted the Windows systems vulnerable to the malware in an advisory on the same day.