PETYA Darwinism applied to cyberspace – CSO Online

By John Bryk, CSO | Jun 27, 2017 11:27 AM PT


On the morning of June 27th, reports began surfacing of widespread attacks against Ukrainian critical infrastructure sectors, including aviation, banking, and electricity. An unknown malware had begun affecting IT systems in these sectors. Business systems were made unavailable and normal processes stopped. Fortunately, no operational technology, the technology that runs the energy grid, was reported to be affected.

Affected systems were widespread. They included Ukrenergo, the country's electric transmission company, and Kyivenergo, the distribution company serving the Kiev region. While Ukrenergo reported no outages, Kyivenergo was forced to shut down all administrative systems, awaiting permission from Ukraine's Security Service (SBU) before restarting.

Other victims in Ukraine and internationally included:

The attack occurred, probably not by chance, only hours after the car bombing murder of Col. Maxim Shapoval of the Ukraine Chief Directorate of Intelligence and a day before Ukraine's Constitution Day.

The offending malware was soon identified as PETYA, PETRYA, or PETwrap, depending upon the source. PETYA reportedly utilized the NSA's leaked EternalBlue exploit, the same Windows SMBv1 vulnerability used by WannaCry. PETYA does not initially encrypt individual files, but replaces the master boot record (MBR), leaving the entire system unusable. Should the MBR not be available, it then goes on to encrypt the individual files.

Perhaps the most valuable lesson we can learn from this attack is that Charles Darwin was right. It's survival of the fittest; right along with that goes the smartest. Unless some completely new vector is discovered in action with this new threat, victims of PETYA have no excuse. The SMB vulnerability in question had been patched by Microsoft prior to WannaCry's May outbreak. During the WannaCry outbreak, Microsoft provided additional patches for legacy operating systems, those no longer supported by normal updates, like Windows XP and Server 2003. Even with these extraordinary measures to provide users with the protection they needed, some failed to update and/or patch.
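As an added example that is not part of the article, the PowerShell audit below checks a Windows host for the two conditions the author says left PETYA victims exposed: SMBv1 still enabled, and the March 2017 Microsoft fix for the SMBv1 flaw (bulletin MS17-010) absent. The KB list and the "any security update dated on or after the bulletin" heuristic for Windows 10 / Server 2016 are my assumptions about how a patched estate looks; adjust them to your build inventory.

```powershell
# Added example (not from the article): audit one Windows host for
# SMBv1 exposure and the MS17-010 fix. Run in an elevated PowerShell.
# Assumption: the KB packages below are the MS17-010 packages for the
# listed OS builds; extend the list if your estate has other builds.
$Ms17010Kbs = @(
    'KB4012598',                          # XP / 2003 / Vista / 2008 (out-of-band)
    'KB4012212', 'KB4012215',             # Windows 7 / 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012213', 'KB4012216',             # Windows 8.1 / 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607 and 2016
)

function Test-PetyaExposure {
    [CmdletBinding()]
    param()

    # --- SMBv1 server status ---
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2 lack the SMB cmdlets; the registry value is
        # authoritative there, and an absent value means SMBv1 is on (default).
        $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
    }

    # --- MS17-010 status ---
    $hotfixes    = Get-HotFix
    $hasListedKb = [bool]($hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    $os          = Get-CimInstance Win32_OperatingSystem
    # Windows 10 / 2016 cumulative updates supersede the March package, so the
    # listed KB may not show up; treat any later security update as covering it
    # (assumption: cumulative updates were not uninstalled afterwards).
    $cumulativeOk = (([version]$os.Version).Major -ge 10 -and
                     [bool]($hotfixes | Where-Object { $_.InstalledOn -ge [datetime]'2017-03-14' }))
    $patched = $hasListedKb -or $cumulativeOk

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = $os.Version
        SMB1Enabled  = $smb1Enabled
        MS17010Fixed = $patched
        Exposed      = ($smb1Enabled -and -not $patched)
    }
}

# Remediation on Windows 8 / 2012 and later is a single cmdlet:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Test-PetyaExposure | Format-List
```

Hosts reporting `Exposed : True` are the ones the article describes as sources of infection for their neighbours; a host that is patched but still has SMBv1 enabled is still worth fixing, since the protocol has no further security fixes coming.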

Those who failed to take action and install patches handed to them on a silver platter are now victims of PETYA, and themselves sources of the new infection to others. Akin to a neighbor with a garage full of dynamite, this is the kind of negligence that endangers the entire cyber neighborhood.

Information Sharing and Analysis Centers (ISACs) in the U.S. were able to get ahead of the infection thanks to early warning and quick action. The Downstream Natural Gas and Electric ISACs combined forces to collect, analyze, and alert their sector members, providing early indicators and even links to algorithms that had earlier been used successfully to decrypt the PETYA ransomware. Having just recently experienced the WannaCry worm, their members were patched and defended. There were no reports of infection in the electric or downstream natural gas sectors.


John Bryk retired from the U.S. Air Force as a colonel after a 30-year career, last serving as a military diplomat in central and western Europe and later as a civilian with the Defense Intelligence Agency. As the intelligence analyst for the DNG-ISAC, he focuses on the protection of our nation's natural gas critical cyber infrastructure.
