Bitcoins fund more ransomware attacks

Security analysts found that the Petrwrap ransomware attack, initiated June 27, 2017, in the Ukraine, shares characteristics with WannaCry, a May 2017 attack initiated in Europe that rapidly spread to 150 countries. A criminal group known as the Shadow Brokers claimed responsibility for the WannaCry attack, claiming they stole the malware from U.S. intelligence agencies. Both the Petrwrap and WannaCry cyberattacks exploited a common vulnerability in Microsoft Windows and then encrypted computers using a private key, demanding a $300 bitcoin ransom from victims who wanted to retrieve their data, analysts stated.

Microsoft analysts investigating the incident said Petrwrap is designed to spread and multiply and uses email as its primary delivery system. They also noted that most ransomware spreads by email and warned users to exercise caution when opening unknown files. The security community is concerned by the massive scale of the Petrwrap attack, which affected ATMs, POS systems, banks, and state telecom and transportation systems throughout the Ukraine, before spreading internationally. Reported attacks in the United States include the pharmaceutical company Merck, a hospital in Pittsburgh and a U.S. law firm.

Criminals emboldened

Ryan Wilk, Vice President, Customer Success at NuData Security, said the massive scale and success of last month's WannaCry attack has likely emboldened cybercriminals worldwide and is another example of how pervasive the malware problem has become. "There is a definite need for a multilayered approach that includes employee education about unusual links, what phishing emails look like and the concern for social engineering," he stated. "There is the organizational need to stay up to date with patches, routine backups and impermeable barriers to entry."

Wilk added that IT infrastructures need to be built from the ground up to protect users and data through multifactor authentication that includes passive biometrics and behavioral analytics. "Behavior-based authentication can vastly increase security of automated attacks and account takeovers," he said. "This rising trend must be countered with proactive measures to ensure ransomware and ransomware-as-a-service become ineffective."

Origins unknown

Security analysts and researchers agree that Petrwrap is a straightforward ransomware program that attacks older versions of Windows. They urge users to continuously update their Windows software, back up their data, and exercise caution before opening any email, even if it appears to come from a trusted source.

Opinions are mixed in the security community about the origin and authors of Petrwrap. Kaspersky researcher Costin Raiu initially suggested Petrwrap was a variant of the Petya ransomware scheme, setting off a Twitter storm among analysts eager to investigate the code. Kaspersky later issued a statement, indicating that Petrwrap had no connection to Petya.

"Kaspersky's lab analysts are investigating the new wave of ransomware attacks targeting organizations across the world," the company's researchers stated. "Our preliminary findings suggest that it is not a variant of Petya ransomware as originally reported, but a new ransomware that has not been seen before. That is why we have named it NotPetya."

Editor's Note: Editor's Note: The Green Sheet offices will be closed Mon., July 3, and Tues., July 4, 2017. We'll post our next news story on Wed., July 5. Happy Fourth of July!

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.