Less than seven weeks after the WannaCry cyberattack hit 2 lakh computers in 150 countries, another cyberattack has the international community scrambling to assert a durable defence.
Since Tuesday, 27 June, another strain of ransomware has caused serious disruptions around the world. It has been informally named “Petya” (though Kaspersky Lab has redubbed the malware NotPetya).
Petya has brought hundreds of major organisations and big firms to a standstill. Victims include the Chernobyl Nuclear Power Plant, British advertising giant WPP, French construction materials company Saint-Gobain, and Russian steel and oil firms Evraz and Rosneft.
What this means is that if a person decides to pay the ransom amount, after the payment there is no way for them to contact the attacker for a decryption key to unlock their computer.
The net casualties of the attack are still unclear. The initial targets were companies in Ukraine, Russia and Poland, with the attacks spreading to Europe, Asia and the Americas rapidly. At least 2,000 attacks were recorded by Kaspersky Lab in North America alone as of Tuesday morning (EST).
The perpetrators of the attack are yet to be tracked. The US Homeland Security, INTERPOL and other international bodies are working to contain the attack and undo the damage. “With there being no global kill switch for this one, we’ll continue to see the numbers rise in different parts of the world as more vulnerable systems become more exposed,” Bloomberg quoted Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, as saying.
What is ransomware?
The term “ransomware” refers to malicious programs that are installed on a device when, for example, a user clicks on infected links or attachments. This is particularly true when the device is badly protected, for example, when software installed there has not been updated for a long time. The malicious software prevents access to data and systems – and the affected user is prompted to pay a ransom for the release of their data.
However, a payment usually does not lead to the release of the data.
What is Petya?
Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Microsoft Windows-based systems, demanding a payment in Bitcoin in order to regain access to the system.
Variants of Petya, first seen in March 2016, propagated via infected email attachments. The recent attack involves a new variant of Petya that utilises the EternalBlue vulnerability previously used by WannaCry earlier in the year.
WannaCry exploited a loophole in operating systems known as EternalBlue. While Petya exploited the same loophole, it also used more fundamental structural defects. Moreover, while WannaCry targeted smaller, more vulnerable systems, Petya has initiated its attack by targeting large corporate systems, which explains how the malware spread so rapidly.
McAfee engineer Christiaan Beek stated that this variant was designed to spread quickly, and that it had been targeting “complete energy companies, the power grid, bus stations, gas stations, the airport, and banks”.
How did Petya affect India?
Petya hit operations at one of the three terminals at Jawaharlal Nehru Port Trust (JNPT) in Mumbai. JNPT is India’s largest container port and is operated by AP Moller-Maersk, a Danish business conglomerate that was among the worst hit by the cyberattack.
Cyber attack update 09:06 CEST pic.twitter.com/kInQZz4Wyv
— Maersk (@Maersk) June 28, 2017
“An unforeseen situation has developed at Jawaharlal Nehru Port Trust (JNPT), Sheva owing to disruption in the operations of one of the private terminal operators, APM Maersk at JNPT. It has been informed by the private Terminal Operator that this disruption is a consequence of a worldwide disruption being faced by them because of a cyber attack,” India’s shipping ministry said in a statement.
“The (shipping) ministry has confirmed that one terminal at JNPT has been affected due to the attack at Maersk’s Hague office,” an official told The Times of India, adding that the government will share a report or a statement as soon as it comes to this effect.
Moller-Maersk, meanwhile, said, “We are responding to the situation to contain and limit the impact and uphold operations.” The group is “assessing and managing” the situation to minimise the impact on its customers and partners.
A high-level meeting has been called in the cabinet secretariat, which is to be attended by officials from CERT-In (Indian government’s cyber security arm) and the shipping ministry. The meeting will take place at 3:45 pm on Wednesday, 28 June. A press statement from the Prime Minister’s Office is also expected.