PETYA – Darwinism applied to cyberspace

I WannaCry all over again

On the morning of June 27^th, reports began surfacing of widespread attacks against Ukrainian critical infrastructure sectors that included aviation, banking, and electricity.  An unknown malware had begun affecting IT systems in these sectors. Business systems were made unavailable and normal processes stopped.  Fortunately, no operational technology, the technology that runs the energy grid, was reported to be affected.

Affected systems were widespread.  They included Ukrenergo, the country’s electric transmission company, and Kyivenergo, the distribution company serving the Kiev region, While Ukrenergy reported no outages, Kyivenergy was forced to shut down all administratve systems, awaiting permission from the Ukraine’s Security Service (SBU) before restarting.

Others victims in Ukraine and internationally included:

• The Ukrainian government, including parliament and cabinet
• Ukraine’s largest bank, Oschadbank
• Kiev’s Borysopil Airport, affecting departure boards and scheduling systems
• The Ukrainian state postal service
• Kiev’s metro system
• Television stations.
• Rosneft, a Russian government-owned oil firm
• Steel maker Evarz
• Three Ukrainian telecom companies, Kyivstar, LifeCell and Ukrtelecom.
• Danish shipping company Maersk reported that systems in the UK and Ireland were affected.

The attack occurred, probably not by chance, only hours after the car bombing murder of Col. Maxim Shapoval of the Ukraine Chief Directorate of Intelligence and a day before Ukraine’s Constitution Day.

The name game

The offending malware was soon identified at PETYA, PETRYA, or PETwrap, depending upon the source. PETYA reportedly utilized the the NSA’s leaked EternalBlue, the same Windows SMBv1 vulnerability as WannaCry,   PETYA does not initially encrypt individual files, but replaces the master boot record (MBR), leaving the entire system unusable.  Should the MBR not be available, it then goes on to encrypt the individual files.

What part didn’t you get about ‘patch now?’

Perhaps the most valuable lesson we can learn from this attack is that Charles Darwin was right.  It’s survival of the fittest; right along with that goes the smartest. Unless some completely new vector is discovered in action with this new threat, victims of PETYA have no excuse.  The SMB vulnerability in question had been patched by Microsoft prior to WannaCry’s May outbreak.  During the WannaCry outbreak, Microsoft provided additional patches for legacy operating systems, those no longer supported by normal updates, like Windows XP and Server 2003.  Even with these extraordinary measures to provide users with the protection they needed, some failed to update and/or patch.

Those who failed to take action and install patches handed to them on a silver platter are now victims of PETYA, and themselves sources of the new infection to others.  Akin to a neighbor with a garage full of dynamite, this is the kind of negligence that endangers the entire cyber neighborhood.

ISACs to the rescue

Information Sharing and Analysis Centers (ISACs) in the U.S. were able to get ahead of the infection thanks to early warning and quick action.  The Downstream Natural Gas and Electric ISACS combined forces to collect, analyze, and alert their sector members, providing early indicators and even links to algorithms successfully used to earlier decrypt the PETYA ransomware.  Having just recently experienced the WannaCry worm, their members were patched and defended.  There were no reports of infection in electric or downstream natural gas sectors.