Why Africans should be worried about PETYA

  • The malicious software has been identified as a modified version of a previously known ransomware, called Petya or Petrwrap, that has been substantially altered.
  • Due to its unique characteristics, it has been dubbed NotPetya and ExPetya, and is currently detected by ESET as Win32/Diskcoder.C Trojan.
  • NotPetya can be termed a worm, which can self-replicate across multiple networks. Petya uses two primary methods to spread across networks: execution across network shares and SMB exploits.
  • The current global ransomware trend utilises the EternalBlue Exploit in order to take advantage of the vast use of the Windows Operating System.
  • More than 80% of enterprise servers and endpoints in the African Digital Economy run on the Windows Operating System.

It all begins with the MS17-010 Exploit

The EternalBlue Exploit, otherwise known as MS17-010, developed by the NSA and pilfered by the Shadow Brokers, continues to open opportunities for malware authors as fresh ransomware attacks ravage Europe and spread across the globe at an alarming pace.

Notably, it has become evident that in the realm of cybersecurity the adage "once bitten, twice shy" seldom applies: unpatched computer systems have been exploited a second time by cybercriminals to achieve exponential infection rates, reminiscent of the WannaCry nightmare that the globe experienced only two months ago.

NotPetya

The malicious software has been identified as a modified version of a previously known ransomware, called Petya or Petrwrap, that has been substantially altered, prompting a debate among researchers over whether it is new malware.

Due to its unique characteristics, it has been dubbed NotPetya and ExPetya, and is currently detected by ESET as Win32/Diskcoder.C Trojan. If it successfully infects the MBR (Master Boot Record), it will encrypt the whole drive itself. Otherwise, it encrypts all files, like Mischa.

How does NotPetya replicate?

In many ways, NotPetya can be termed a worm, which can self-replicate across multiple networks. Petya uses two primary methods to spread across networks. These include:

  • Execution across network shares: It attempts to spread to the target computers by copying itself to \\[COMPUTER NAME]\admin$ using the acquired credentials. It is then executed remotely using either PsExec or the Windows Management Instrumentation Command-line (WMIC) tool. Both are legitimate tools.
  • SMB exploits: It attempts to spread using variations of the EternalBlue and EternalRomance exploits.

Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network. It takes advantage of the fact that far too many organizations employ flat networks, in which an administrator on one endpoint can control other machines or sniff domain admin credentials present in memory, until total control over the Windows network is achieved. It gains initial access by using phishing techniques to trick administrators into running the malware with high privileges.
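From the defender's side, the network-share method described above leaves a recognisable sequence on the target: a write to the ADMIN$ share followed shortly by PsExec's service being installed or by a process started through WMI. The following is an added detection sketch, not code from the article or from ESET; the event records are constructed and simplified from Windows events 5145, 7045 and 4688, and the 60-second window is an assumption.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample records, simplified from Security 5145/4688 and System 7045.
EVENTS = [
    {"time": "2017-06-27T09:00:00", "host": "FS-01", "id": 5145, "src": "10.0.0.5",
     "share": r"\\*\ADMIN$", "target": "report.log", "access": "WriteData"},
    {"time": "2017-06-27T10:00:05", "host": "WS-042", "id": 5145, "src": "10.0.0.17",
     "share": r"\\*\ADMIN$", "target": "sample.bin", "access": "WriteData"},
    {"time": "2017-06-27T10:00:09", "host": "WS-042", "id": 7045, "service": "PSEXESVC"},
    {"time": "2017-06-27T10:01:00", "host": "WS-043", "id": 5145, "src": "10.0.0.17",
     "share": r"\\*\ADMIN$", "target": "sample.bin", "access": "WriteData"},
    {"time": "2017-06-27T10:01:20", "host": "WS-043", "id": 4688,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"time": "2017-06-27T11:00:00", "host": "WS-050", "id": 7045, "service": "PSEXESVC"},
]

def remote_exec_method(ev):
    """Label events that look like PsExec- or WMI-launched execution on the target."""
    if ev["id"] == 7045 and ev.get("service", "").upper() == "PSEXESVC":
        return "psexec-service"      # PsExec's default service name
    if ev["id"] == 4688 and ev.get("parent", "").lower().endswith("wmiprvse.exe"):
        return "wmi-process-create"  # process spawned by the WMI provider host
    return None

def correlate(events, window=WINDOW):
    """Pair each ADMIN$ write with remote execution on the same host inside the window."""
    alerts = []
    events = sorted(events, key=lambda e: e["time"])
    for w in events:
        if w["id"] != 5145 or not w["share"].upper().endswith("ADMIN$"):
            continue
        if "WriteData" not in w["access"]:
            continue  # reads of ADMIN$ are not a file drop
        t0 = datetime.fromisoformat(w["time"])
        for e in events:
            delta = datetime.fromisoformat(e["time"]) - t0
            method = remote_exec_method(e)
            if e["host"] == w["host"] and method and timedelta(0) <= delta <= window:
                alerts.append((w["host"], w["src"], w["target"], method))
                break
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Because PsExec and WMIC are legitimate tools, neither event alone is a reliable signal; the pairing with a preceding ADMIN$ write from the same source is what separates the two flagged hosts from FS-01 and WS-050 in the sample data.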

What institutions have been adversely affected?


The most severe damage is being reported by Ukrainian businesses, with systems compromised at Ukraine’s central bank, state telecom, municipal metro, and Kiev’s Boryspil Airport. Systems were also compromised at Ukraine’s Ukrenergo electricity supplier, although a spokesperson said the power supply was unaffected by the attack. The attack has even affected operations at the Chernobyl nuclear power plant, which has switched to manual radiation monitoring as a result.

Infections have also been reported in more isolated devices like point-of-sale terminals and ATMs. The virus has spread internationally as well. The Danish shipping company Maersk has reported systems down across multiple sites, including the company’s Russian logistics arm Damco.

The virus also reached servers for the Russian oil company Rosneft, although it’s unclear how much damage was incurred. There have also been several recorded cases in the United States, including the pharmaceutical company Merck, a Pittsburgh-area hospital, and the US offices of law firm DLA Piper.

The attacks have been indiscriminate across every vulnerable vertical as institution after institution falls short against the unique threat posed by NotPetya.

Why Africans should be concerned about the current global ransomware trend

The current global ransomware trend of utilising the EternalBlue Exploit to take advantage of the vast use of the Windows Operating System should send chills down the spine of any executive worth his salt in the African Digital Market, for the following reasons.

Firstly, more than 80% of enterprise servers and endpoints in the African Digital Economy run on the Windows Operating System, thus exposing the majority of our organisations to the next-generation strains of ransomware being designed by savvy malware authors. Moreover, a significant percentage of these Windows systems run on legacy platforms such as XP and Windows Vista, which exponentially increases the probability that these systems are unpatched.

Secondly, there is an astounding number of citizens who are unaware of the cybersecurity risks present within their daily lives. Kenya serves as a key example of the plight of the African digital economy. With an 85.3% internet penetration rate, Kenya boasts a wealth of 37.7m netizens, actively contributing to their digital ecosystem.

Moreover, due to the proliferation of mobile banking, internet banking continues to rise within the region. However, contrary to logical perception, about 90% of Kenya’s netizens remain unaware of the increased cyber risks within their digital market. This poses a unique and advanced risk as ransomware’s primary source of entry is through A

In conclusion, new strains of ransomware seem to tactically replicate across networks utilising unpatched Windows systems and untrained company personnel through phishing e-mails to wreak havoc across targeted networks. The African Digital Economy is especially vulnerable to these risks as they exploit our unique weaknesses.

Our recommendations:

  1. Invest in new-school cybersecurity awareness training.
  2. Deploy reputable endpoint protection.
  3. Strengthen your business continuity capabilities.
  4. Evaluate and Patch Installed Software.
  5. Monitor access rights.

Ransomware Protection Crucial to Enterprise

Ransomware

Ransomware is by far the biggest threat among enterprises. So what is ransomware? It is malicious code that blocks or encrypts the contents of a device and demands a ransom to restore access to the data.

According to research done by ESET, companies named ransomware their number one concern.

In response to customer needs and concerns, ESET integrated Ransomware Shield into its security solutions. ESET has long been providing its customers with very good behavior-based malware detection and also with Host-based Intrusion Prevention System (HIPS) that allows users to set custom rules for the protection against ransomware. However, should something slip past the 11 other security layers, Ransomware Shield will be automatically activated.

While ransomware infection often starts with clicking a suspicious link or a fictitious invoice, ESET found that email remains the most common distribution method.

To combat these scenarios, enter ESET Dynamic Threat Defense (EDTD). EDTD provides another layer of security for ESET products like Mail Security and Endpoint products. It utilizes a cloud-based sandboxing technology and multiple machine learning models to detect new, never-before-seen types of threats. As a result, attachments that were classified as malicious are stripped from the email and the recipient gets information about the detection.

To learn more about how ESET can protect your business, and to book a FREE in house Cybersecurity Training Session for your employees, please sign up below.


Interview: Addressing the Six Biggest Cybersecurity Challenges for Enterprise

Ken Kimani, Channel Manager of ESET East Africa, introduces the 6 biggest cybersecurity challenges for enterprises

Enterprises are under constant attack from cybersecurity threats, resulting in the loss of millions in revenue annually. Factors such as ransomware, targeted attacks, insufficient network visibility, various operating systems in an organization, bad security behaviour among office staff, lack of a skilled cybersecurity workforce and the level of tolerance among staff are the major causes of cyber-attacks in the country.

To mitigate these issues, ESET East Africa offers free training, suitable for all skill levels, to help educate enterprises on the importance of cybersecurity.

Subscribe to our newsletter to find out more about this training, our enterprise offering and to follow our series on the 6 Biggest Cybersecurity Challenges for Enterprises.