The Australian Cyber Security Centre (ACSC) is working to confirm reports of two Australian companies affected by ‘Petya’, a ransomware attack sweeping the globe.
The government agency has referred to Petya as a ‘global ransomware campaign’ and noted that it appears to leverage the same vulnerability as WannaCry, another malicious software that renders data or systems unusable until the victim makes a payment.
Cyber Security Minister, Dan Tehan has advised business that have been affected by Petya to isolate the affected computer fromtheir network to prevent the software spreading and use backup data to restore information.
“I urge all businesses to visit the Australian Cyber Security Centre (ACSC) website or call 1300 292371 (1300 CYBER1) for more information and to contact the ACSC if you have been infected,” he said.
“All businesses should immediately update their Windows operating system with the latest security patches and there are instructions on the ACSC website to do this.
“This ransomware attack is a wake-up call to all Australian businesses to regularly backup their data and install the latest security patches.
Advice from the ACSC
The ACSC has advised all organisation, large and small, to “examine their cyber security posture and have arrangements in place to protect the security of their information systems”. It also issued the following advice:
- “Patch/update systems immediately, including Microsoft operating systems. Using unpatched and unsupported software increases the risk of cyber security threats such as ransomware.
- Back-up your data. If you do not have back-ups in place you can arrange to use an off-site backup service. This is good practice for all users.
- Ensure your antivirus software is up-to-date.
- Individuals and organisations should not pay the ransom. Reports indicate that the contact email address provided in the ransom message has been disabled, which means the files are highly unlikely to be recovered by paying the ransom.”
Those affected by the Petya ransomware incident have been told to contact their service provider immediately. Meanwhile, Small businesses can contact ACORN (Australian Cybercrime Online Reporting Network). Large organisations are advised to follow their normal procedures and report to the ACSC via the number 1300 CYBER1.
The ACSC said organisations can minimise the risk of being infected by exploits taking advantage of unpatched vulnerabilities by following the Australian Signal Directorate’s (ASD) Strategies to Mitigate Cyber Security Incidents. These strategies include, but are not limited to:
- patching operating systems and applications to the latest versions
- backing up important data on a daily basis to an offsite location
- implementing application whitelisting to prevent execution of untrusted code
- restricting administrator privileges.
Further ASD advice, such as the Essential Eight Explained, Detecting Socially-Engineered Emails, Minimising Admin Privileges Explained and Application Whitelisting Explained, is available from the ASD Publications page.
Updates are available on the Stay Smart Online website, Facebook page, and Twitter account.
Cybersecurity vendors respond
Ross Brewer, VP and MD, International Markets, LogRhythm: “With WannaCry still so fresh in our minds, this follow-up attack proves just how real this is all becoming – and the worst is probably yet to come. These public outings of large, high-profile attacks are becoming more frequent, faster-acting and more damaging. Every organisation, regardless of size or industry, is vulnerable. As security vendors, we are often criticised for fear mongering and exaggerating the possible consequences of a cyberattack – but I think we can agree that recent events are starting to show that the warnings were warranted. These attacks are targeting our top businesses, banks, healthcare institutions and other critical national infrastructure, are revealing the chaos that ensues when organisations lose control of their data – when are we going to do something about it?
“The recent attacks associated with WannaCry and Petya have re-enforced the lack of accountability and focus on basic IT and security fundamentals. Core IT operational competencies, such as patch management, backups, disaster recovery, and incident response are not well implemented or maintained. These are absolutely essential in protecting your company from damaging cyber threats and without them you are left in a perpetually vulnerable state, a sitting duck for these types of attacks, merely hoping that you aren’t compromised. The only actions you take are responsive, only after some other unlucky company was compromised.
“Unfortunately, events like the Petya incident today and what occurred previously with WannaCry have been and will continue to be the normal state of things. A determined hacker only has to be right once. The odds are heavily in their favour with compromise likely, if not inevitable. As such, we need to stop focusing solely on defence and protection – and put more effort into monitoring, detection and response as true compensating controls to the mess that is IT today. As we saw with WannaCry and what I fully expect to see by the end of today,it’s not always about stopping the initial compromise, the inevitable, but how quickly you can respond and contain a threat before it becomes a full blown incident or global outbreak.”
Jim Cook, ANZ Regional Director, Malwarebytes: “Petya/ NotPetya is another example of a know, patchable vulnerability causing tremendous issues for people and businesses around the world. If possible, apply MS17-010 Microsoft patch to all PCs immediately.
“If you are running unpatched systems with Admin privileges this malware has the ability to spread inside your network using the in-built PSExec utility, which our research team say makes its ability to damage businesses significant.
“If [hacker group] The Shadow Brokers keeps their promise to continue releasing [United States National Security Administration] exploits, it seems that this sort of mass infection will become common – so now is the time to ensure you have a decent back up system, patch process and a current end point security solution in place.”
Gavin Millard, Technical Director, Tenable: “If this attack turns out to be leveraging the same vulnerabilities WannaCry leveraged to spread, or other known bugs that have had patches available for months, there are going to be some awkward conversations between IT teams that failed to patch or protect and businesses affected. The publicity around WannaCry couldn’t have been larger, probably eclipsing Heartbleed, yet if this is the same attack vector, it demonstrates a distinct lack of taking threats like this seriously.”
See also: How to plug one of the most overlooked security vulnerabilities for any business, WannaCryptor: what is it and how do you know if your business has been attacked?, WannaCryptor: what to do if your business comes under attack from this ransomware, In the wake of a WannaCryptor: how to prevent ransomware attacks in your business.