How to protect your computer against the latest ransomware attack
Ransomware has become a fact of life for computer users, affecting computers around the world every day.
But for the second time in two months big businesses are reeling from an attack – dubbed both Petya or NotPetya – that has spread like wildfire through corporate networks.
Cadbury's owner, Mondelez, and shipping giant Maersk are two of the multinationals that have been affected.
What do we know about the latest attacks and how can people protect themselves?
* No sign yet of cyber attack in NZ
* OPINION: 'Education and awareness' not the only options to tackle cyber-crime
Who is at risk?
Business computers, rather than consumers' machines appear to be in the firing line.
Symantec cyber security manager Nick Savvides believed the latest ransomware attack could affect any Windows computer.
However, he says it could only spread from a computer to others on a network if the infected machine's operating system was not up-to-date.
Tom Moore, a cyber security specialist at Aura Information Security in Auckland, says it has been assumed the ransomware is spreading from machine to machine using a vulnerability called EternalBlue in Microsoft's file and print sharing protocol SMB, for which Microsoft issued a patch in March.
New Zealand government cyber-security agency Cert NZ has laid the blame with EternalBlue, saying computers running operating systems from Windows XP through to Windows Server 2008 could have the vulnerability.
But once on a network the ransomware could spread through a variety of mechanisms, it now warns.
If Petya entered a network through a system that hadn't been patched for EternalBlue, it would spread to any other trusted systems on the same network, even if they had been patched, it said.
How are networks being infected in the first place?
Savvides says phishing emails appear to be at least part of the answer. Machines can be infected if a computer user clicks on a link to the ransomware, before spreading through their organisation using EternalBlue.
But Moore believed that was a bit of a leap.
He notes that the ransomware could jump from one organisation to another over the internet through EternalBlue without any action from computer users, if businesses and computer owners had not blocked SMB traffic from crossing their firewalls.
"Within a corporate network it is quite common to have that port enabled. It would be quite unusual to want to have that port exposed over the internet, but poor firewall policies and poor practices can lead to exposures like that, that leave you vulnerable."
Given that possibility, Moore says the ransomware attack could have been seeded from just one deliberately infected machine.
Dimension Data New Zealand security expert Tony Jenkins said the source of the malware appeared to be a Ukranian accounting software service called MeDoc.
"Using its auto-update function it has infected its client base with the malware. This has likely lead to millions, if not tens of millions, of infected client sites globally," he said.
Why have there been no reports of infections in NZ so far?
If the ransomware is partly being spread through phishing emails, it may be that New Zealanders weren't targeted or fooled in large numbers.
Alternatively, if it is only spreading through EternalBlue, good security policies and the early warning provided from the European infections overnight may be the answer.
Savvides believes there may have been infections in New Zealand that have not been reported.
But Jenkins said if that Me Doc was the original attack vector, then it would be no surprise there were no reported cases here.
Is this attack similar to the WannaCry attack in May?
Assuming it exploits EternalBlue, then yes. In both cases, the ransomware would automatically search for vulnerable computers and spread through an organisation's network once one machine had been infected.
In both cases, the blackmailers' request payment in virtual currency Bitcoin.
But Savvides is confident this latest attack will be smaller than WannaCry because there are fewer unpatched Windows computers that will have allowed the spread.
Cert NZ said the Petra ransomware encrypted not only computers' files but also the Master Boot Record (MBR) if it could, locking victims out of their computers altogether.
— Leon Compton (@LeonCompton) June 27, 2017
What can people do if they have been infected?
One thing it appears some victims cannot do is pay the ransom to remove the infection.
Overseas reports indicate German email hosting company Posteo blocked one email address that the fraudsters intended to use to communicate with victims and to arrange for them to recover access to their computers if they paid the ransom.
Cert NZ indicated there were other email addresses but that these were also likely to be blocked. "This means that you will not be able to recover your files even if you pay the ransom," it said.
The blackmailers are believed to have received just a few thousand dollars from victims.
Cert NZ said in an advisory issued at 1.30pm that there were reports the ransomware contained a "kill switch" that would stop it running on any computer where it found a file in the c:\windows directory named "perfc".
What can computer users do to protect themselves from ransomware in general?
Keep software up-to-date to reduce the risk of being infected and back-up your data regularly to ensure that if you are infected, you can recover your files without paying a ransom.
Cert NZ offers the following additional advice:
- Don't click on web links sent by someone you don't know, or that seem out of character for someone you do know. If you're not sure about something, contact the person you think might have sent it to check first.
- Install antivirus software on your computer if you don't already have it, and update it regularly.
- Install a firewall on your computer to stop traffic from untrustworthy sources getting into your computer.
- Don't enable macros in Microsoft Office.
- If you have your own business, make sure you keep your support contracts — with your antivirus provider or your firewall provider for example — up to date.
Why are the criminals so hard to catch and are these kind of attacks going to keep happening?
Savvides says they are hard to catch because they operate across borders and often can't be found or extradited.
The attacks will keep happening because there is money in it, he says.
However, policy makers are turning their attention to making attacks harder, questioning for example whether more controls should be placed on hard-to-trace Bitcoin transactions.
Have you ever felt unsafe in a NZ taxi?Related story: Taxi group to look into sex assault complaints