Johannesburg, 29 Jun 2017
The newest follow-on attack from WannaCry has got cyber-security professionals in South Africa paying attention, particularly because many businesses still rely on outdated software and do not regularly perform updates on their systems.
The strain of Petya ransomware strain has been identified as GoldenEye and is expected to be a large-scale attack across the globe.
Three months ago, a mass Ransomware attack WannaCry began infecting computers across the globe. The cyber-attack came on the back of a year dubbed 'The Year of Ransomware' and became one of many similar headlines concerning cyber security.
The WannaCry strain of malware utilised a secondary programme, EternalBlue, designed as a 'worm' to increase the speed of the attack allowing the infection to spread to over 300 000 end-points in over 150 countries. WannaCry, which saw several smaller follow-on attempts at infection over the following weeks, lasted for three days.
The cyber criminals that designed the WannaCry ransomware strain were able to be as effective as they were by targeting two known vulnerabilities in their attacks.
Today, those behind the GoldenEye attacks have added another prong to their attack; GoldenEye has two layers of encryption. While ransomware has always targeted files and encrypted them to stop a user being able to use their computers, GoldenEye encrypts both the files and file structures known as NTFS structures.
GoldenEye is expected to have hit around 2 000, mostly in the Ukraine, Russia and Poland. The strain of ransomware, similarly to WannaCry, demands a bitcoin payment equivalent to $300 for files to be returned safely. Security companies have continued to advise users against paying ransoms as this only incentivises hackers further to attempt these large-scale attacks.
Recently a South Korean hosting firm paid a ransom worth $1m for the return of their systems when the data on 153 Linux servers and 3 400 customers Web sites was encrypted.
Among those hit with GoldenEye across the globe so far are US-based pharmaceutical company Merck, British advertising firm WPP and British legal firm DLA Piper. The firm said in a statement "The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible."
GoldenEye has also been designed to attack systems quickly, the programme forces systems to reboot as soon as they have been infected allowing the ransom message to appear more quickly. A Posteo e-mail account has since been shut down in connection with ransoms being paid and the company is working with German police in an attempt to find the cyber-criminals behind the attack.
Why Cyber security should be a top priority
GoldenEye and WannaCry are just two of the strains of ransomware that have effected organisations across the globe. Cyber criminals and hackers have repeatedly targeted hospitals and schools among other public sector organisations. Having been so successful at extorting ransoms from organisations, hackers now see ransomware as a quick payday. Ransomware is most commonly spread via network shares or e-mail so can be used to target large quantities of people without too much effort.
Cyber security should be a top priority for all organisations as it is a well-funded and quickly developing threat. The speed at which the threat is growing makes it even more difficult to protect against if improper procedures are in place. Ransomware attacks have the ability to cause mass outages and disrupt networks which can be costly for businesses that are not able to get back to operational capacity. In 2016, it was reported that downtime was responsible for a loss of $700bn globally.
A big part of having proper cyber-security procedures in place is educating users on the threats that they face and helping them to understand how they can mitigate risk of cyber attack. Human error is a major cause of downtime and this is something that hackers depend on. Malicious links or attachments being opened in e-mails is still one of the leading ways that attacks like GoldenEye have been so devastating in their effectiveness. Educating users to be more diligent with their personal security can go a long way to protecting systems for the whole organisation.
Recovering from Ransomware
If a ransomware attack cannot be prevented, recovering from it remains the only option. But without an isolated, up-to-date backup of data, your IT systems will have no previous working state to revert to and your organisation will have no choice but to pay up in the hope of access being restored or accept that the data is lost forever.
An onsite backup may be able to help but if the infection spreads to this local copy then that too is going to be inaccessible.
Implementing a new backup solution is no use if data is already infected - a backup may be able to take place but the restore won't be able to get around the encryption that's already there. Only by having up-to-date, isolated data backup will your recovery will be swift and all traces of the ransomware infection be erased.
All countries have legislation that governs cybercrime and businesses will have to become a lot more proactive if they are to avoid difficulty and not have their systems compromised.
As GoldenEye has shown us, threats are becoming more sophisticated and more serious. This is, indeed, the year for ransomware!
Share