ITC 595 Information Security Proof Reading Service
This is Assessment 2 of ITC 595 Information Security.
1. Report on Petya Ransomware
1.1. The Problem of Petya Ransomware
On 27 July, the Petya cyber attack took place, affecting computer servers across the globe. It first occurred in Russia and Ukraine and within a few hours spread westward to countries such as Romania, the Netherlands, Norway, France, Spain, and Britain. It affected the computer servers of Russia's biggest oil company and shut down the businesses of many multinational companies, including the Australian office of a global law firm. Petya is malicious software that applies an unbreakable encryption lock to the files on a computer and demands a ransom in the virtual currency Bitcoin in order to remove the lock from the files.
In Australia, the global law firm DLA Piper became a victim of the attack in a single night. The attack spread through the login credentials on the firm's computers, and in the morning staff were unable to log in to their systems. The next company on the victim list is A.P. Moller-Maersk, a Danish oil-based company, which confirmed an attack on multiple sites and business units. However, according to ABC News, the details of the attack on that company were unclear.
1.2. Working of the Ransomware
Experts around the world who reviewed this ransomware dubbed it GoldenEye, and it belongs to an existing ransomware family called Petya. According to the Romanian security firm Bitdefender, this ransomware uses two different layers of encryption, which makes breaking the code a high-effort task. However, the Russian security software company Kaspersky Lab suggested that although the virus is a form of Petya, it may be another form of the virus that has not yet been discovered (ABC News, 2017).
Petya targets one system in a company by encrypting its files. The malicious software then spreads across the organization from that infected system, either through the EternalBlue vulnerability in Microsoft Windows or through two Windows administrative tools. The ransomware uses a multiple-choice mechanism: it tries to encrypt through one method and, if that does not work, tries another mechanism to encrypt the files. When it encrypts the files it locks them with a digital key and demands Bitcoin in order to unlock them. One observed outcome is that the attackers use the same Bitcoin address for transfers from every victim. They also force every victim to communicate through the same email address, and because of this the victim cannot reach the hacker to request the decryption key (Solon & Hern, 2017).
This threat started through the software update mechanism of an accounting program used by companies working with the government of Ukraine. That is why many of the victims are in Ukraine, including government organizations, banks, state power utilities, the airport, and the metro system. The second vector was phishing, using malware-laden attachments sent through email. The ransomware tries to spread internally through the local LAN and through external connections. The main aim of this attack is to target the institutions of Ukraine.
1.3. Reasons for the occurrence of Ransomware
Many experts found it hard to link the attacks in the different nations to each other. It is the fault of the Ukrainian government employees, who screwed up through their carelessness. The software combines with the traditional ransomware system, and the result is that it is still infecting machines, which is a high risk for future attacks. The hackers behind this attack are still unknown; they could belong to a community of common criminals or be state agents. These hackers, however, use criminal tactics and build the attack so that it survives for future use (Brandom, 2017).
1.4. Possible Solutions
Possible solutions have been given by many organizations and software companies. One suggestion comes from Kaspersky, which says: "Each and every IP on the local network and each server should be checked for open TCP ports. Those machines which have these ports open are the ones mostly attacked by the ransomware." When it comes to decrypting the files, the unavailability of a solution makes the case more complicated. The ransomware also depends on email: the email addresses used by the hackers have now been blocked by the service providers. The only remedy is a past backup of the encrypted data. According to a tweet by HackerFantastic, when the machine reboots the ransomware message box appears, and an immediate shutdown of the system stops the attack from spreading. This means that if the power is off, the files are safe (Dhapola, 2017).
Several organizations have put forward tricks to minimize the exposure to and spread of Petya. The first is to patch immediately by applying the Microsoft Server Message Block (SMB) update. The second is to keep a careful watch for dangerous attachments in phishing emails; however, it is not confirmed that Petya uses phishing attachments, and this remains a future possibility. The third is to disable SMBv1, PsExec, and WMI (Windows Management Instrumentation) in order to control the spread of Petya across servers. The fourth is to delete the scheduled task that Petya uses to reboot the machine, which stops the encryption of the master file table; if the machine reboots, it encrypts the files and demands the ransom (Pauli, 2017).
2. Report on Wannacry Ransomware Attack (May 2017)
2.1. What was the problem?
The ransomware cyber attack hit a massive number of computers across 150 countries. The police agency of the European Union warned people returning to work that logging in with their credentials could widen the effect of the ransomware. Some Australian companies were also affected by the 'WannaCry' ransomware. The hackers exploited a vulnerability that had been uncovered by the National Security Agency and released on the internet. The ransomware infects the computer, encrypts the files and corrupts all the data; in addition, a program demands a ransom from the victim within a specific deadline. The price increases as the countdown proceeds, and if the countdown finishes the encrypted files are deleted. The FBI, the Department of Justice and many tech firms advise against paying the ransom to these hackers, as this only increases their capacity to carry out larger attacks, possibly against the same victim (Sherr, 2017).
2.2. How was the attack carried out?
The attack first struck the UK's health service, where major computers were hacked, and that is why it is also called WannaCrypt. Hackers normally use Bitcoin for the ransom because it is an untraceable digital currency used in the shadowy parts of the internet. The hackers used a hacking tool involved in the appearance of WannaCry that originally came from the NSA. The NSA keeps such files as tools with the potential to be used against issues in software. A group of hackers called the Shadow Hackers released a cache of stolen NSA documents that included details of the vulnerability used by WannaCry (Sherr, 2017).
2.3. Who were affected and how?
The victims of the cyber attack included hospitals, universities, manufacturers and government organizations in Britain, China, Russia, Germany and Spain. The malware infected global companies such as FedEx and Nissan. China was greatly affected: digital payment at gas stations was shut down, forcing customers to bring cash. Deutsche Bahn, the railway company in Germany, was hit by the attack and its information displays stopped working. Hitachi in Japan had problems sending and receiving emails and opening email attachments.
In Russia, the central park, Russian Railways, the Interior Ministry and the Megafon communication company were severely hit by the WannaCry ransomware. The Telefonica telecom company in Spain, the National Health Service in the UK, the state police in India and the Department of Homeland Security in the US all lost data in this cyber attack. However, it affects only systems running the Microsoft Windows operating system. Microsoft had released new updates in March, and the attack occurred after that, hitting Windows XP, Vista, 7 and 8. It does not affect Mac, iPhone, or Android devices (Wattles & Disis, 2017).
The ransomware mostly affects the service industry, such as recruitment agencies that hold a large amount of candidate data and handle it through online services and applications. This online data is the focus of the hackers' ransom attacks. Online applications, CVs, portfolios, and contracts may carry the ransomware, and when a recruiter downloads them the virus enters the system and affects the associated data.
The main problem is that this ransomware is programmed so that it cannot be detected by antivirus. The main concerns companies faced after the attack include the cost of replacing equipment, loss of confidential data, reduced system operating time, damage to the organization's security reputation, and the penalties that will apply to the organization. Many questions arise when a cyber attack hits an organization: what steps should be taken immediately afterwards? How would the organization cope with the attack? What would happen if the hackers sold the data to a competing organization? (Gallagher, n.d.)
2.4. What could have been done to prevent the attack?
Possible solutions for handling WannaCry include immediately disconnecting the system from networks, Ethernet, and Wi-Fi, which controls the spread of the malware to other systems. The second is to always keep the latest Microsoft security updates and an up-to-date standard antivirus. The third is to keep regular backups of data that is highly private and important to the organization. If the system runs Windows XP, the best way to ensure security is to install Microsoft's emergency security update. Further, it is advisable to use the latest supported versions of Windows, such as Windows 10.
Business systems running Windows must apply the Microsoft patch MS17-010 immediately after the ransomware attack. The second solution for businesses using Windows is to limit traffic on publicly accessible SMB, or block it immediately. The third step when an attack takes place is to contact the Federal Government's CERT Australia on 1300 172 499 and report the incident to the Australian Cybercrime Online Reporting Network (ACORN). The last but most important solution is to create awareness and training programs in the organization about phishing emails, which may carry any type of malware (Pauli, 2017).
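As an added example (not code from the report or the sources it cites), the following PowerShell script audits one Windows host against the mitigations listed in sections 1.4 and 2.4: whether SMBv1 is enabled, whether TCP 445 is listening and blocked inbound by the firewall, whether any scheduled task runs shutdown.exe, and how recent the newest hotfix is. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the cmdlet and module names are the standard Windows ones, while the function name, output fields and date threshold are assumptions made here.

```powershell
# Added example, not code from the report or the sources it cites.
# Read-only audit of the hardening points the report lists for Petya and
# WannaCry: SMBv1 on/off, inbound TCP 445 exposure, scheduled reboot tasks,
# and patch recency (MS17-010 shipped in March 2017). Assumes an elevated
# session on Windows 8.1 / Server 2012 R2 or later, where the SmbShare,
# NetTCPIP, NetSecurity and ScheduledTasks modules are available.

function Get-RansomwareHardeningReport {
    # 1. SMBv1: EternalBlue targets the SMBv1 server, so it should be off.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. Is anything listening on TCP 445, and does an enabled inbound
    #    firewall rule block it? Both are reported; nothing is changed.
    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    $block445Rule = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }

    # 3. The report notes Petya schedules a reboot to trigger MFT encryption;
    #    list every task whose action runs shutdown.exe so it can be reviewed.
    $rebootTasks = Get-ScheduledTask |
        Where-Object { $_.Actions.Execute -match 'shutdown' } |
        Select-Object -ExpandProperty TaskName

    # 4. Patch recency: newest installed hotfix. A host whose newest hotfix
    #    predates the March 2017 Patch Tuesday cannot have MS17-010.
    $latestHotfix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SMB1Enabled        = $smb1Enabled
        ListeningOn445     = $listening445
        Inbound445Blocked  = [bool]$block445Rule
        RebootTasks        = @($rebootTasks)
        LatestHotfixDate   = $latestHotfix.InstalledOn
        HotfixSinceMar2017 = [bool]($latestHotfix.InstalledOn -ge [datetime]'2017-03-14')
    }
}

Get-RansomwareHardeningReport | Format-List

# Remediation for the findings above, applied deliberately per host:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
#   New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
#       -Protocol TCP -LocalPort 445 -Action Block -Profile Public
#   Unregister-ScheduledTask -TaskName '<task name from RebootTasks>' -Confirm:$false
```

A hotfix date after March 2017 does not by itself prove MS17-010 is present; it only rules out hosts that have clearly never been patched since then.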
ABC News. (2017). Global ransomware attack affects Australian workers. Retrieved from http://www.abc.net.au/news/2017-06-28/ransomware-virus-hits-computer-servers-across-the-globe/8657626
Brandom, R. (2017). The Petya ransomware is starting to look like a cyberattack in disguise. Retrieved from https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russia
Dhapola, S. (2017). Petya ransomware cyber attack: How it started, what it does, and how to protect your PC. Retrieved from http://indianexpress.com/article/technology/tech-news-technology/petya-ransomware-cyberattack-explained-hits-europe-what-it-does-how-to-protect-your-pc-and-more-4725476/
Gallagher, A. (n.d.). What is ransomware? How does it affect businesses? Retrieved from https://www.ajg.com.au/ransomware%20risk
Pauli, D. (2017). Cyber Security: Defence against the Petya ransomware outbreak. Retrieved from https://exchange.telstra.com.au/defence-against-the-petya-ransomware-outbreak/
Pauli, D. (2017). Security tips to avoid global WannaCry ransomware cyber attacks. Retrieved from https://exchange.telstra.com.au/security-tips-avoid-global-wannacry-ransomware-cyber-attacks/
Sherr, I. (2017). WannaCry ransomware: Everything you need to know. Retrieved from https://www.cnet.com/au/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/
Solon, O., & Hern, A. (2017). 'Petya' ransomware attack: what is it and how can it be stopped? Retrieved from https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how
Wattles, J., & Disis, J. (2017). Ransomware attack: Who's been hit. Retrieved from http://money.cnn.com/2017/05/15/technology/ransomware-whos-been-hit/index.html