A different kind of malware has been spreading in the last few months. What some security experts first took for a poorly designed ransomware campaign is now believed to be wiper malware.
Wiper malware has existed since at least 2012 but has not been heavily used or widely covered in the news. The June 2017 Petya attack was initially called ransomware because victims were told to pay to have their files unlocked. Petya has also been referred to as ExPetr, PetrWrap, NotPetya, and DiskCoder. The attacks spread to over 60 countries after first appearing in Ukraine.
After additional investigation, security experts realized the malware was a wiper. The intent of the attackers was not to make money but to cause disruption and damage. Wiper malware destroys the data it touches, so even if a victim pays the ransom, the files cannot be recovered.
Once the malware is inside a network, Petya first encrypts user files. It then overwrites the Master Boot Record, the small section of the disk that starts the operating system, with its own boot code. The malware then schedules a forced reboot, typically at least ten minutes later. After the reboot, the malicious boot code runs instead of Windows and encrypts the Master File Table, the NTFS index that records where every file and directory on the disk is stored.
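The forced, delayed reboot described above is the one stage of the attack that shows up in ordinary process-creation telemetry before the disk is destroyed. The following detection logic is an added example, not code from the original post or from the US-CERT alert: it scans process-creation log lines for a forced reboot that is either registered as a scheduled task or delayed by ten minutes or more. The scheduled-task command line mirrors what was publicly reported for this campaign (schtasks launching shutdown.exe /r /f with an empty task name); the log format, timestamps, host names and parent processes are constructed for the example.

```python
import re

# Constructed sample process-creation events, not real telemetry:
# (timestamp, host, parent image, command line).
SAMPLE_EVENTS = [
    ("2017-06-27T10:02:11", "ws-0412", r"C:\Windows\explorer.exe",
     r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n'),
    # Reboot registered as a one-shot scheduled task with an empty task name,
    # the pattern reported for this campaign.
    ("2017-06-27T10:14:36", "ws-0412", r"C:\Windows\System32\rundll32.exe",
     r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 10:54'),
    # Direct forced reboot with a one-hour delay.
    ("2017-06-27T10:15:02", "ws-0419", r"C:\Windows\System32\rundll32.exe",
     r'C:\Windows\system32\shutdown.exe /r /f /t 3600'),
    # Benign: an immediate, non-forced reboot after patching.
    ("2017-06-27T11:00:00", "srv-patch", r"C:\Windows\System32\svchost.exe",
     r'C:\Windows\system32\shutdown.exe /r /t 0 /c "Windows Update"'),
]

# Captures the arguments that follow shutdown(.exe) up to the next double
# quote, which also works when the command is nested inside schtasks /TR "...".
SHUTDOWN_RE = re.compile(r'shutdown(?:\.exe)?\b([^"]*)', re.IGNORECASE)

# A reboot delayed by at least this many seconds is treated as suspicious;
# the ten-minute floor matches the delay described in the post.
MIN_SUSPICIOUS_DELAY = 600


def classify(cmdline):
    """Return (severity, reason) for a suspicious reboot command, else None."""
    match = SHUTDOWN_RE.search(cmdline)
    if not match:
        return None
    tokens = [t.lower() for t in match.group(1).split()]
    reboot = "/r" in tokens
    forced = "/f" in tokens
    delay = 0
    if "/t" in tokens:
        idx = tokens.index("/t")
        if idx + 1 < len(tokens) and tokens[idx + 1].isdigit():
            delay = int(tokens[idx + 1])
    if not (reboot and forced):
        return None
    if re.search(r"\bschtasks\b", cmdline, re.IGNORECASE):
        reason = "forced reboot registered as a scheduled task"
        if re.search(r'/TN\s+""', cmdline, re.IGNORECASE):
            reason += " with an empty task name"
        return ("high", reason)
    if delay >= MIN_SUSPICIOUS_DELAY:
        return ("medium", f"forced reboot delayed by {delay} s")
    return None


def scan(events):
    """Run classify() over (timestamp, host, parent, cmdline) tuples."""
    alerts = []
    for timestamp, host, parent, cmdline in events:
        hit = classify(cmdline)
        if hit:
            severity, reason = hit
            alerts.append({"time": timestamp, "host": host, "parent": parent,
                           "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['host']} [{alert['severity']}] "
              f"{alert['reason']} (parent: {alert['parent']})")
```

On the constructed events this flags the two workstations and leaves the patch server's immediate, non-forced reboot alone. In a real deployment the same rule would be fed from Sysmon event 1 or Windows Security event 4688 command lines, and the parent process (here rundll32.exe) is worth keeping in the alert because an interactive administrator rarely schedules a forced reboot from it.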
For a technical summary of Petya, see the alert from the United States Computer Emergency Readiness Team (US-CERT). According to the alert, Petya has hit companies in the finance, transportation, energy, commercial facilities, and healthcare industries. It appears to target businesses, but it can affect individual computers as well.
Businesses such as law firms, consulting companies, and any that are highly data driven should be particularly aware of the risk posed by wiper malware.
What you can do
Share the US-CERT alert with your cyber specialist and ensure they have installed the appropriate patches.
Be sure you are diligent about backing up your data in several places, and keep at least one copy offline or otherwise disconnected from the network: a wiper that spreads across a network can destroy backups that are reachable from it. Periodically test that you can actually restore from those backups.
Review your business continuity plan to confirm you can deal with a wiper attack and resume business quickly. If you don’t have a business continuity plan, make it a priority to develop one soon.
About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.