2017 Ukraine ransomware attacks

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms.[10] Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia.[3][11][12] ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%.[2] On 28 June 2017, the Ukrainian government stated that the attack was halted.[13] On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.[14]

Petya's ransom note displayed on a compromised system

Date: 27–28 June 2017
Location: Ukraine[1]
Type: Cyberattack
Cause: Malware, ransomware, cyberterrorism
Outcome: Affected several Ukrainian ministries, banks, metro systems and state-owned enterprises
Suspects: Russia (according to statements of Ukrainian authorities, American Michael N. Schmitt and the CIA)[5][6][7][8][9]

Approach

Security experts believe the attack originated from an update of a Ukrainian tax accounting package called MeDoc (M.E.Doc), developed by Intellect Service.[2] MeDoc was widely used among tax accountants in Ukraine,[15] and the software was the main accounting option for other Ukrainian businesses, according to Mikko Hyppönen, a security expert at F-Secure.[2] MeDoc had about 400,000 customers across Ukraine, representing about 90% of the country's domestic firms,[8] and prior to the attack was installed on an estimated 1 million computers in Ukraine.[16]

MeDoc provides periodic updates to its program through an update server. On the day of the attack, 27 June 2017, an update for MeDoc was pushed out by the update server, after which the ransomware began to appear. British malware expert Marcus Hutchins claimed: "It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software."[2] The company that produces MeDoc said it had no intentional involvement in the ransomware attack, as its own offices were also affected, and that it was cooperating with law enforcement to track down the origin.[15][17] A similar attack via the MeDoc software had been carried out on 18 May 2017 with the ransomware XData; hundreds of accounting departments in Ukraine were affected.[18]

The cyberattack was based on a modified version of the Petya ransomware. Like the WannaCry ransomware attack in May 2017, Petya uses the EternalBlue exploit against a previously discovered vulnerability in older versions of the Microsoft Windows operating system. When Petya is executed, it encrypts the Master File Table of the hard drive and forces the computer to restart. It then displays a message telling the user that their files are now encrypted and that they must send US$300 in bitcoin to one of three wallets to receive instructions to decrypt their computer. At the same time, the software exploits the Server Message Block protocol in Windows to infect local computers on the same network and any remote computers it can find. Additionally, the NotPetya software was found to use a variant of Mimikatz, a proof-of-concept tool from 2011 that demonstrated that user passwords were retained in memory within Windows; NotPetya used such harvested passwords to help spread across networks.[19]

The EternalBlue exploit had been identified previously, and Microsoft issued patches in March 2017 to close the vulnerability for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016. However, the WannaCry attack spread through many systems that still ran older Windows versions, or older builds of the newer ones, that remained vulnerable, or on which users had not applied the patches. Microsoft issued new patches for Windows XP, Windows Server 2003 and Windows 8 the day after the WannaCry attack. Security expert Lesley Carhart stated that "Every method of exploitation that the attack used to spread was preventable by well-documented means."[20]

Security experts found that the version of Petya used in the Ukraine cyberattacks had been modified, and consequently renamed it NotPetya or Nyetna to distinguish it from the original malware. NotPetya encrypted all of the files on the infected computers, not just the Master File Table, and in some cases the computer's files were completely wiped or rewritten in a manner that could not be undone through decryption.[21][22] Some security experts observed that the software could intercept passwords and perform administrator-level actions that could further ruin computer files. They also noted that the software could identify specific computer systems and skip infecting them, suggesting the attack was more surgical in its goal.[20] Unlike the WannaCry software, no "kill switch" was ever found in NotPetya that could have been used to immediately stop its spread.[23] According to Nicholas Weaver of the University of California, the hackers had previously compromised MeDoc, "made it into a remote-control Trojan, and then they were willing to burn this asset to launch this attack."[8]
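To make the two spreading paths described above concrete from a defender's point of view, the following added example (not from the article or any source it cites) simulates an outbreak over a constructed five-host inventory: a host falls either because its SMB service is unpatched, or because a credential harvested from an already-infected host holds admin rights on it. Host names, account names, the network segments and the rule that cached credentials are harvested the moment a host is infected are all assumptions of the example.

```python
"""Reachability model of NotPetya-style lateral movement (constructed example).

Two spreading paths from the article: an SMB exploit against unpatched hosts,
and reuse of credentials harvested from memory on infected hosts. No exploit
code is involved; this is a breadth-first search over an inventory.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    segment: str                 # network segment; the worm needs network reach
    smb_patched: bool            # the March 2017 SMB patch applied?
    admins: set = field(default_factory=set)     # accounts with admin rights here
    in_memory: set = field(default_factory=set)  # credentials currently cached here


def smb_exploit_path(dst: Host) -> bool:
    """EternalBlue-style spread works against any reachable unpatched SMB host."""
    return not dst.smb_patched


def credential_path(dst: Host, harvested: dict):
    """Mimikatz-style spread: return a harvested account that is admin on dst."""
    for account in harvested:
        if account in dst.admins:
            return account
    return None


def simulate(hosts: list, patient_zero: str):
    """Breadth-first outbreak from patient_zero.

    Returns (set of infected host names, explanation per infected host).
    Assumption: credentials in memory are harvested as soon as a host is infected.
    """
    by_name = {h.name: h for h in hosts}
    infected = {patient_zero}
    how = {patient_zero: "initial infection via trojanised software update"}
    harvested = {acct: patient_zero for acct in by_name[patient_zero].in_memory}
    queue = deque([patient_zero])
    while queue:
        src = by_name[queue.popleft()]
        for dst in hosts:
            if dst.name in infected or dst.segment != src.segment:
                continue  # already hit, or not reachable from this segment
            if smb_exploit_path(dst):
                how[dst.name] = f"unpatched SMB, exploited from {src.name}"
            else:
                acct = credential_path(dst, harvested)
                if acct is None:
                    continue
                how[dst.name] = f"admin credential {acct} harvested on {harvested[acct]}"
            infected.add(dst.name)
            for acct in dst.in_memory:       # new victim, new credentials in memory
                harvested.setdefault(acct, dst.name)
            queue.append(dst.name)
    return infected, how


def build_inventory(patch_all: bool = False, no_cached_admins: bool = False) -> list:
    """Constructed five-host network. The accounting PC runs the tax software."""
    acct_cached = {"acct-user"} if no_cached_admins else {"acct-user", "DOM\\helpdesk"}
    return [
        Host("acct-pc", "office", True, {"acct-user", "DOM\\helpdesk"}, acct_cached),
        Host("hr-pc", "office", patch_all, {"hr-user"}, {"hr-user"}),
        Host("file-srv", "office", True, {"DOM\\helpdesk", "DOM\\srvadmin"}, {"DOM\\srvadmin"}),
        Host("dc", "office", True, {"DOM\\srvadmin"}, set()),
        Host("plant-hmi", "plant", False, {"ot-eng"}, set()),  # separate segment
    ]


def outbreak(patch_all: bool = False, no_cached_admins: bool = False) -> set:
    """Infected hosts for one mitigation scenario, starting at the accounting PC."""
    infected, _ = simulate(build_inventory(patch_all, no_cached_admins), "acct-pc")
    return infected


if __name__ == "__main__":
    scenarios = [("as described", {}),
                 ("SMB patched everywhere", {"patch_all": True}),
                 ("patched, no cached admin creds", {"patch_all": True, "no_cached_admins": True})]
    for label, kwargs in scenarios:
        infected, how = simulate(build_inventory(**kwargs), "acct-pc")
        print(f"{label}: {sorted(infected)}")
        for name in sorted(infected):
            print(f"  {name}: {how[name]}")
```

Patching alone still lets the worm reach the file server and the domain controller through the helpdesk credential cached on the accounting PC; only removing privileged credentials from that host (or segmenting it) contains the outbreak.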

Attack

During the attack the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant went offline.[24] Several Ukrainian ministries, banks, metro systems and state-owned enterprises (Boryspil International Airport, Ukrtelecom, Ukrposhta, State Savings Bank of Ukraine, Ukrainian Railways) were affected.[25] In the infected computers, important computer files were overwritten and thus permanently damaged, despite the malware's displayed message to the user indicating that all files could be recovered "safely and easily" by meeting the attackers' demands and making the requested payment in Bitcoin currency.[26]

The attack is considered more likely to have been aimed at crippling the Ukrainian state than at financial gain.[15] It came on the eve of the Ukrainian public holiday Constitution Day (celebrating the anniversary of the approval by the Verkhovna Rada, Ukraine's parliament, of the Constitution of Ukraine on 28 June 1996).[27][28][29] Most government offices would be empty, allowing the cyberattack to spread without interference.[15] In addition, some security experts saw the ransomware wiping the affected hard drives rather than encrypting them, a further disaster for the companies affected.[15]

A short time before the cyberattack began, it was reported that a senior intelligence officer and head of a special forces detachment unit of the Ukrainian Chief Directorate of Intelligence, colonel Maksym Shapoval, was assassinated in Kyiv by a car bomb.[30] Former government adviser in Georgia and Moldova Molly K. McKew believed this assassination was related to the cyberattack.[31]

On 28 June 2017 the Ukrainian government stated that the attack was halted: "The situation is under complete control of the cyber security specialists, they are now working to restore the lost data."[13]

Following the initial 27 June attack, security experts found that the code that had infected the M.E.Doc update had a backdoor that could potentially be used to launch another cyberattack. On seeing signs of another cyberattack, the Ukrainian police raided the offices of MeDoc on 4 July 2017 and seized their servers. MeDoc's CEO stated that the company had not been aware of a backdoor installed on its servers, again denied its involvement in the attack, and was working to help authorities identify the source.[16][32] Security company ESET found that the backdoor had been installed on MeDoc's updater service as early as 15 May 2017, while experts from Cisco Systems' Talos group found evidence of the backdoor as early as April 2017; either finding points to the cyberattack being a "thoroughly well-planned and well-executed operation".[33] Ukrainian officials have stated that Intellect Service will "face criminal responsibility", as anti-virus firms had warned the company about lax security on its servers before these events but it did not take steps to address it.[34] Talos warned that, given the large size of the MeDoc update that contained the NotPetya malware (1.5 gigabytes), there may be other backdoors yet to be found, and another attack could be possible.[33]

Attribution

On 30 June, the Security Service of Ukraine (SBU) reported it had seized the equipment that had been used to launch the cyberattack, claiming it belonged to Russian agents responsible for the attack.[35] On 1 July 2017 the SBU claimed that available data showed that the same perpetrators who had attacked the financial system, transport and energy facilities of Ukraine in December 2016 (using TeleBots and BlackEnergy)[36] were the hacking groups who attacked Ukraine on 27 June 2017. "This testifies to the involvement of the special services of Russian Federation in this attack," it concluded.[7][37] (A December 2016 cyber attack on a Ukrainian state energy computer caused a power cut in the northern part of the capital, Kyiv.)[7] Russia–Ukraine relations have been frozen since Russia's 2014 annexation of Crimea, followed by a Russian government-backed separatist insurgency in eastern Ukraine in which more than 10,000 people had died by late June 2017.[7] (Russia has repeatedly denied sending troops or military equipment to eastern Ukraine.)[7] Ukraine claims that hacking Ukrainian state institutions is part of what it describes as a "hybrid war" by Russia on Ukraine.[7]

On 30 June 2017, cyber security firm ESET claimed that the Telebots group (which they claimed had links to BlackEnergy) was behind the attack: "Prior to the outbreak, the Telebots group targeted mainly the financial sector. The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware's spreading capabilities. That's why the malware went out of control."[7] ESET had earlier reported that BlackEnergy had been targeting Ukrainian cyber infrastructure since 2014.[38] In December 2016, ESET had concluded that TeleBots had evolved from the BlackEnergy hackers and that TeleBots had been using cyberattacks to sabotage the Ukrainian financial sector during the second half of 2016.[39]

Around the time of the 4 July raid on MeDoc, the roughly $10,000 in bitcoin paid into the listed NotPetya wallets had been withdrawn, and experts believed it was used to buy space on the anonymous Tor network. One message posted there, purportedly from the NotPetya authors, demanded 100,000 bitcoin (about $2.6 million) to halt the attack and decrypt all affected files.[16] On 5 July 2017, a second message purportedly from the NotPetya authors was posted on a Tor website, demanding that those who wish to decrypt their files send 100 bitcoin (approximately $250,000). The message was signed with the same private key used by the original Petya ransomware, suggesting the same group was responsible for both.[40]

According to reports cited in January 2018, the United States Central Intelligence Agency concluded that Russia was behind the cyberattack, with Russia's Main Intelligence Directorate (GRU) having designed NotPetya.[41] Similarly, in February 2018 the United Kingdom Ministry of Defence accused Russia of launching the cyberattack, stating that by attacking systems in Ukraine the attack would spread and affect major systems in the United Kingdom and elsewhere. Russia denied its involvement, pointing out that Russian systems were also affected by the attack.[42]

Wired technology writer Andy Greenberg, in reviewing the history of the cyberattacks, said that the attacks came from a Russian military hacker group called "Sandworm". Greenberg asserted that Sandworm was behind the 2016 blackouts in Kyiv, among other events. The group had been focusing on hacking into Ukraine's financial sector, and sometime in early 2017, had been able to gain access to M.E. Doc's update servers, so that it could be used maliciously to send out the cyberattack in June 2017.[19]

Affected companies

Companies affected include Antonov, Kyivstar, Vodafone Ukraine, lifecell, TV channels STB, ICTV and ATR, Kyiv Metro, UkrGasVydobuvannya (UGV), gas stations WOG, DTEK, EpiCentre K, Kyiv International Airport (Zhuliany), Prominvestbank, Ukrsotsbank, KredoBank, Oshchadbank and others,[13] with over 1,500 legal entities and individuals having contacted the National Police of Ukraine to report that they had been victimized by the 27 June 2017 cyberattack.[43] Oshchadbank was again fully functional on 3 July 2017.[44] The computers of Ukraine's electricity company also went offline due to the attack, but the company continued to operate fully without using computers.[8]

While more than 80% of affected companies were from Ukraine, the ransomware also spread to several companies in other countries, because those businesses had offices in Ukraine and networks spanning the globe. Non-Ukrainian companies reporting incidents related to the attack include food processor Mondelez International,[45] the APM Terminals subsidiary of international shipping company A.P. Moller-Maersk, the FedEx shipping subsidiary TNT Express (in August 2017 its deliveries were still disrupted due to the attack),[46] Chinese shipping company COFCO Group, French construction materials company Saint-Gobain,[47] advertising agency WPP plc,[48] Heritage Valley Health System of Pittsburgh,[49] law firm DLA Piper,[50] pharmaceutical company Merck & Co.,[51] consumer goods maker Reckitt Benckiser, and software provider Nuance Communications.[52] A Ukrainian police officer believes that the ransomware attack was designed to go global so as to distract from the directed cyberattack on Ukraine.[53]

The cost of the cyberattack had yet to be determined a week after it began, as companies were still working to mitigate the damage. Reckitt Benckiser lowered its sales estimates for the second quarter by 2% (about $130 million), primarily because the attack disrupted its global supply chain.[52][54] Tom Bossert, the Homeland Security adviser to the President of the United States, stated that the total damage was over US$10 billion.[19] Estimated damages to specific companies included over US$870 million to Merck, US$400 million to FedEx, US$384 million to Saint-Gobain, and US$300 million to Maersk.[19]

Reaction

Secretary of the National Security and Defence Council of Ukraine Oleksandr Turchynov claimed there were signs of Russian involvement in the 27 June cyberattack, although he did not give any direct evidence.[55] Russian officials have denied any involvement, calling Ukraine's claims "unfounded blanket accusations".[35] NATO Secretary-General Jens Stoltenberg vowed on 28 June 2017 that NATO would continue its support for Ukraine to strengthen its cyber defence.[56] The White House Press Secretary released a statement on 15 February 2018 attributing the attack to the Russian military, calling it "the most destructive and costly cyberattack in history."[57]

Oleksandr Kardakov, an IT businessman and chairman of the supervisory board of Oktava Capital, proposed creating a civil cyber defence in Ukraine.[58]

References

  1. Rothwell, James; Titcomb, James; McGoogan, Cara (27 June 2017). "Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down". The Daily Telegraph. Archived from the original on 16 February 2018. Retrieved 5 April 2018.
  2. "Tax software blamed for cyber-attack spread". BBC News. 28 June 2017. Archived from the original on 28 June 2017. Retrieved 28 June 2017.
  3. Turner, Giles; Verbyany, Volodymyr; Kravchenko, Stepan (27 June 2017). "New Cyberattack Goes Global, Hits WPP, Rosneft, Maersk". Bloomberg. Archived from the original on 5 November 2019. Retrieved 27 June 2017.
  4. "Businesses warned again to update patches as Petya ransomware hits Australian offices". Financial Review. 28 June 2017. Archived from the original on 30 June 2017. Retrieved 3 July 2017.
  5. RNBO. Archived from the original on 19 October 2017. Retrieved 30 June 2017.
  6. Security Service of Ukraine. Archived from the original on 19 October 2017. Retrieved 4 July 2017.
  7. "Ukraine points finger at Russian security services in recent cyber attack". Reuters. 1 July 2017. Archived from the original on 1 July 2017. Retrieved 1 July 2017.
  8. Borys, Christian (26 July 2017). "Ukraine braces for further cyber-attacks". BBC News. Archived from the original on 26 July 2017. Retrieved 26 July 2017.
  9. "Russian military was behind 'NotPetya' cyberattack in Ukraine, CIA concludes". The Washington Post, 2018. Archived 13 January 2018 at the Wayback Machine.
  10. Prentice, Alessandra (27 June 2017). "Ukrainian banks, electricity firm hit by fresh cyber attack". Reuters. Archived from the original on 16 July 2019. Retrieved 27 June 2017.
  11. Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (27 June 2017). "Cyberattack Hits Ukraine Then Spreads Internationally". The New York Times. ISSN 0362-4331. Archived from the original on 13 April 2018. Retrieved 4 July 2017.
  12. "Global ransomware attack causes chaos". BBC News. 27 June 2017. Archived from the original on 27 June 2017. Retrieved 27 June 2017.
    Burgess, Matt. "There's another 'worldwide' ransomware attack and it's spreading quickly". Wired UK. Archived from the original on 31 December 2017. Retrieved 27 June 2017.
  13. "Cyber attack on Ukrainian government and corporate networks halted". Ukrinform (28 June 2017). Archived 11 May 2020 at the Wayback Machine.
  14. "Companies still hobbled from fearsome cyberattack". Associated Press. 30 June 2017. Archived from the original on 19 October 2017. Retrieved 3 July 2017.
  15. Kramer, Andrew (28 June 2017). "Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows". The New York Times. Archived from the original on 29 June 2017. Retrieved 29 June 2017.
  16. Satter, Raphael (5 July 2017). "Ukraine says it foiled 2nd cyberattack after police raid". The Washington Post. Associated Press. Retrieved 5 July 2017.
  17. Frenkel, Sheera (27 June 2017). "Global Ransomware Attack: What We Know and Don't Know". The New York Times. Archived from the original on 27 June 2017. Retrieved 28 June 2017.
  18. Красномовец, Павел (24 May 2017). "Все, что известно про вирус-вымогатель XData: кто под угрозой и что делать" [Everything known about the XData ransomware: who is at risk and what to do]. AIN.UA (in Russian). Archived from the original on 28 June 2017. Retrieved 29 June 2017.
  19. Greenberg, Andy (23 August 2018). "The Untold Story of NotPetya, the Most Devastating Cyberattack in History". Wired. Archived from the original on 22 August 2018. Retrieved 23 August 2018.
  20. Borys, Christian (4 July 2017). "The day a mysterious cyber-attack crippled Ukraine". BBC. Archived from the original on 7 July 2017. Retrieved 8 July 2017.
  21. Polityuk, Pavel (29 June 2017). "Global cyber attack likely cover for malware installation in Ukraine: police official". Reuters. Archived from the original on 29 June 2017. Retrieved 29 June 2017.
  22. Petroff, Alanna (30 June 2017). "Experts: Global cyberattack looks more like 'sabotage' than ransomware". CNN. Archived from the original on 1 July 2017. Retrieved 30 June 2017.
  23. Petroff, Alanna (28 June 2017). "Europol: There's no 'kill switch' for malware attack". CNN. Archived from the original on 19 October 2017. Retrieved 30 June 2017.
  24. Griffin, Andrew (27 June 2017). "Chernobyl's radiation monitoring system has been hit by the worldwide cyber attack". The Independent. Archived from the original on 18 August 2019. Retrieved 27 June 2017.
  25. Dearden, Lizzie (27 June 2017). "Ukraine cyber attack: Chaos as national bank, state power provider and airport hit by hackers". The Independent. Archived from the original on 30 August 2019. Retrieved 27 June 2017.
  26. "Cyber-attack was about data and not money, say experts". BBC News. 29 June 2017. Archived from the original on 29 June 2017. Retrieved 29 June 2017.
    "Tuesday's massive ransomware outbreak was, in fact, something much worse". Ars Technica. 28 June 2017. Archived from the original on 17 July 2017. Retrieved 28 June 2017.
  27. "1996: The Year in Review". The Ukrainian Weekly (29 December 1996). Archived 3 March 2016 at the Wayback Machine.
  28. Lee, David (28 June 2017). "'Vaccine' created for huge cyber-attack". BBC News. Archived from the original on 28 June 2017. Retrieved 28 June 2017.
  29. "Cyberattack Hits Ukraine Then Spreads Internationally". The New York Times. 27 June 2017. Archived from the original on 27 June 2017. Retrieved 28 June 2017.
  30. Luhn, Alec. "Ukrainian military intelligence officer killed by car bomb in Kiev". The Guardian. Archived from the original on 13 April 2019. Retrieved 28 June 2017.
  31. McKew, Molly (27 June 2017). "A killing in Kiev shows how the West continues to fail Ukraine". The Washington Post. Archived from the original on 27 June 2017. Retrieved 28 June 2017.
  32. Stubbs, Jack (5 July 2017). "Ukraine scrambles to contain new cyber threat after NotPetya attack". Reuters. Archived from the original on 7 July 2017. Retrieved 5 July 2017.
  33. Goodin, Dan (5 July 2017). "Backdoor built in to widely used tax app seeded last week's NotPetya outbreak". Ars Technica. Archived from the original on 8 July 2017. Retrieved 5 July 2017.
  34. Satter, Raphael (3 July 2017). "Official: firm at center of cyberattack knew of problems". Associated Press. Archived from the original on 5 July 2017. Retrieved 7 July 2017.
  35. "Ukraine Says Seized Equipment Used by Russia to Launch Malware Attacks". The New York Times. Reuters. 30 June 2017. Archived from the original on 30 June 2017. Retrieved 30 June 2017.
  36. "Software: BlackEnergy, Black Energy – ATT&CK". attack.mitre.org. Archived from the original on 19 October 2017. Retrieved 4 July 2017.
  37. "Ukraine Security Service Blames Russia For Recent Cyberattack". Radio Free Europe. 1 July 2017. Archived from the original on 1 July 2017. Retrieved 1 July 2017.
  38. "'Russian' BlackEnergy malware strikes at Ukrainian media and energy firms". SC Magazine (4 January 2016). Archived 15 March 2017 at the Wayback Machine.
  39. "Telebots cybergang toolset reminiscent of BlackEnergy". SC Magazine (15 December 2016). Archived 19 October 2017 at the Wayback Machine.
  40. Brandom, Russell (5 July 2017). "Petya ransomware authors demand $250,000 in first public statement since the attack". The Verge. Archived from the original on 6 July 2017. Retrieved 5 July 2017.
  41. Nakashima, Ellen (12 January 2018). "Russian military was behind 'NotPetya' cyberattack in Ukraine, CIA concludes". The Washington Post. Archived from the original on 13 January 2018. Retrieved 15 February 2018.
  42. Marsh, Sarah (15 February 2018). "UK blames Russia for NotPetya cyber-attack last year". The Guardian. Archived from the original on 15 February 2018. Retrieved 15 February 2018.
  43. "Virus Petya has hurt more than 1,5 thousand legal entities and individuals". Ukrayinska Pravda (29 June 2017) (in Ukrainian). Archived 2 July 2017 at the Wayback Machine.
  44. "'Oschadbank' resumes the work of all departments on July 3". Ukrayinska Pravda (1 July 2017) (in Ukrainian). Archived 19 October 2017 at the Wayback Machine.
  45. Voß, Oliver (3 July 2017). "Milka-Fabrik steht seit einer Woche still" [Milka factory has stood idle for a week]. Tagesspiegel (in German). Archived from the original on 5 July 2017. Retrieved 5 July 2017.
  46. "Customers 'furious' with TNT after cyber-attack meltdown". BBC News (9 August 2017). Archived 1 June 2018 at the Wayback Machine.
  47. Auchard, Eric; Stubbs, Jack; Prentice, Alessandra (29 June 2017). "New computer virus spreads from Ukraine to disrupt world business". Reuters. Archived from the original on 28 June 2017. Retrieved 30 June 2017.
  48. Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (27 June 2017). "Cyberattack Hits Ukraine Then Spreads Internationally". The New York Times. Archived from the original on 13 April 2018. Retrieved 6 July 2017.
  49. Henley, Jon; Solon, Olivia (27 June 2017). "'Petya' ransomware attack strikes companies across Europe and US". The Guardian. Archived from the original on 1 May 2021. Retrieved 6 July 2017.
  50. Petroff, Alanna; Larson, Selena (28 June 2017). "Another big malware attack ripples across the world". CNN. Archived from the original on 5 July 2017. Retrieved 6 July 2017.
  51. Massarella, Linda (27 June 2017). "Europe cyberattack also breaches Merck headquarters in US". New York Post. Archived from the original on 5 July 2017. Retrieved 5 July 2017.
  52. Perlroth, Nicole (6 July 2017). "Lasting Damage and a Search for Clues in Cyberattack". The New York Times. Archived from the original on 7 July 2017. Retrieved 7 July 2017.
  53. Polityuk, Pavel; Auchard, Eric (29 June 2017). "Global cyber attack likely cover for malware installation in Ukraine: police official". Kiev, Frankfurt: Reuters. Archived from the original on 29 June 2017. Retrieved 30 June 2017.
  54. Geller, Martinne; Sandle, Paul (6 July 2017). "Reckitt Benckiser trims sales forecasts after cyber attack". Reuters. Archived from the original on 6 July 2017. Retrieved 6 July 2017.
  55. "Ukraine Is 'Ground Zero' For Hackers In Global Cyberattacks". Radio Free Europe (28 June 2017). Archived 1 July 2017 at the Wayback Machine.
  56. "Stoltenberg: NATO to increase aid to Ukraine in field of cyber defense". Ukrinform (28 June 2017). Archived 2 November 2017 at the Wayback Machine.
  57. "Statement from the Press Secretary". whitehouse.gov. Archived from the original on 3 February 2021. Retrieved 11 October 2019 – via National Archives.
  58. "Кардаков запропонував створити громадянську кібероборону" [Kardakov proposed creating a civil cyber defence]. lb.ua. 20 July 2017. Retrieved 28 March 2024.

External links

  • Greenberg, Andy (20 June 2017). "How An Entire Nation Became Russia's Test Lab for Cyberwar". Wired.

the offices of MeDoc on 4 July 2017 and seized their servers MeDoc s CEO stated that they were not aware there had been a backdoor installed on their servers again refuted their involvement in the attack and were working to help authorities identify the source 16 32 Security company ESET found that the backdoor had been installed on MeDoc s updater service as early as 15 May 2017 while experts from Cisco Systems Talos group found evidence of the backdoor as early as April 2017 either situation points to the cyberattack as a thoroughly well planned and well executed operation 33 Ukrainian officials have stated that Intellect Service will face criminal responsibility as they were previously warned about lax security on their servers by anti virus firms prior to these events but did not take steps to prevent it 34 Talos warned that due to the large size of the MeDoc update that contained the NotPetya malware 1 5 gigabytes there may have been other backdoors that they have yet to find and another attack could be possible 33 Attribution editOn 30 June the Security Service of Ukraine SBU reported it had seized the equipment that had been used to launch the cyberattack claiming it to have belonged to Russian agents responsible for launching the attack 35 On 1 July 2017 the SBU claimed that available data showed that the same perpetrators who in Ukraine in December 2016 attacked the financial system transport and energy facilities of Ukraine using TeleBots and BlackEnergy 36 were the same hacking groups who attacked Ukraine on 27 June 2017 This testifies to the involvement of the special services of Russian Federation in this attack it concluded 7 37 A December 2016 cyber attack on a Ukrainian state energy computer caused a power cut in the northern part of the capital Kyiv 7 Russia Ukraine relations are at a frozen state since Russia s 2014 annexation of Crimea followed by a Russian government backed separatist insurgency in eastern Ukraine in which more than 10 000 
people had died by late June 2017 7 Russia has repeatedly denied sending troops or military equipment to eastern Ukraine 7 Ukraine claims that hacking Ukrainian state institutions is part of what they describe as a hybrid war by Russia on Ukraine 7 On 30 June 2017 cyber security firm ESET claimed that the Telebots group which they claimed had links to BlackEnergy was behind the attack Prior to the outbreak the Telebots group targeted mainly the financial sector The latest outbreak was directed against businesses in Ukraine but they apparently underestimated the malware s spreading capabilities That s why the malware went out of control 7 ESET had earlier reported that BlackEnergy had been targeting Ukrainian cyber infrastructure since 2014 38 In December 2016 ESET had concluded that TeleBots had evolved from the BlackEnergy hackers and that TeleBots had been using cyberattacks to sabotage the Ukrainian financial sector during the second half of 2016 39 Around the time of 4 July raid on MeDoc the 10 000 in bitcoin already collected in the listed wallets for NotPetya had been collected and experts believed it was used to buy space on the anonymous Tor network One message posted there purportedly from the NotPetya authors demanded 100 000 bitcoin about 2 6 million to halt the attack and decrypt all affected files 16 On 5 July 2017 a second message purportedly from the NotPetya authors was posted in a Tor website demanding those that wish to decrypt their files send 100 bitcoin approximately 250 000 The message was signed with the same private key used by the original Petya ransomware suggesting the same group was responsible for both 40 According to reports cited in January 2018 the United States Central Intelligence Agency claimed Russia was behind the cyberattack with Russia s Main Intelligence Directorate GRU having designed NotPetya 41 Similarly the United Kingdom Ministry of Defence accused Russia in February 2018 of launching the cyberattack that by attacking 
systems in the Ukraine the cyberattack would spread and affect major systems in the United Kingdom and elsewhere Russia had denied its involvement pointing out that Russian systems were also impacted by the attack 42 Wired technology writer Andy Greenberg in reviewing the history of the cyberattacks said that the attacks came from a Russian military hacker group called Sandworm Greenberg asserted that Sandworm was behind the 2016 blackouts in Kyiv among other events The group had been focusing on hacking into Ukraine s financial sector and sometime in early 2017 had been able to gain access to M E Doc s update servers so that it could be used maliciously to send out the cyberattack in June 2017 19 Affected companies editCompanies affected include Antonov Kyivstar Vodafone Ukraine lifecell TV channels STB ICTV and ATR Kyiv Metro UkrGasVydobuvannya UGV gas stations WOG DTEK EpiCentre K Kyiv International Airport Zhuliany Prominvestbank Ukrsotsbank KredoBank Oshchadbank and others 13 with over 1 500 legal entities and individuals having contacted the National Police of Ukraine to indicate that they had been victimized by 27 June 2017 cyberattack 43 Oshchadbank was again fully functional on 3 July 2017 44 Ukraine s electricity company s computers also went offline due to the attack but the company continued to fully operate without using computers 8 While more than 80 of affected companies were from Ukraine needs update the ransomware also spread to several companies in other geolocations due to those businesses having offices in Ukraine and networking around the globe Non Ukrainian companies reporting incidents related to the attack include food processor Mondelez International 45 the APM Terminals subsidiary of international shipping company A P Moller Maersk the FedEx shipping subsidiary TNT Express in August 2017 its deliveries were still disrupted due to the attack 46 Chinese shipping company COFCO Group French construction materials company Saint Gobain 47 
advertising agency WPP plc 48 Heritage Valley Health System of Pittsburgh 49 law firm DLA Piper 50 pharmaceutical company Merck amp Co 51 consumer goods maker Reckitt Benckiser and software provider Nuance Communications 52 A Ukrainian police officer believes that the ransomware attack was designed to go global so as to distract from the directed cyberattack on Ukraine 53 The cost of the cyberattack had yet to be determined as after a week of its initial attack companies were still working to mitigate the damage Reckitt Benckiser lowered its sales estimates by 2 about 130 million for the second quarter primarily due to the attack that affected its global supply chain 52 54 Tom Bossert the Homeland Security adviser to the President of the United States stated that the total damage was over US 10 billion 19 Among estimated damages to specific companies included over US 870 million to Merck US 400 million to FedEx US 384 million to Saint Gobain and US 300 million to Maersk 19 Reaction editSecretary of the National Security and Defence Council of Ukraine Oleksandr Turchynov claimed there were signs of Russian involvement in the 27 June cyberattack although he did not give any direct evidence 55 Russian officials have denied any involvement calling Ukraine s claims unfounded blanket accusations 35 NATO Secretary General Jens Stoltenberg vowed on 28 June 2017 that NATO would continue its support for Ukraine to strengthen its cyber defence 56 The White House Press Secretary released a statement on 15 February 2018 attributing the attack to the Russian military calling it the most destructive and costly cyberattack in history 57 IT businessman chairman of the supervisory board of the Oktava Capital company Oleksandr Kardakov proposed to create civil cyber defense in Ukraine 58 See also editDecember 2015 Ukraine power grid cyberattack Russo Ukrainian cyberwarfare Vulkan files leakReferences edit a b c d e f Rothwell James Titcomb James McGoogan Cara 27 June 2017 Petya cyber 
attack Ransomware spreads across Europe with firms in Ukraine Britain and Spain shut down The Daily Telegraph Archived from the original on 16 February 2018 Retrieved 5 April 2018 a b c d e Tax software blamed for cyber attack spread BBC News 28 June 2017 Archived from the original on 28 June 2017 Retrieved 28 June 2017 a b c Turner Giles Verbyany Volodymyr Kravchenko Stepan 27 June 2017 New Cyberattack Goes Global Hits WPP Rosneft Maersk Bloomberg Archived from the original on 5 November 2019 Retrieved 27 June 2017 Businesses warned again to update patches as Petya ransomware hits Australian offices Financial Review 28 June 2017 Archived from the original on 30 June 2017 Retrieved 3 July 2017 Oleksandr Turchynov One of the mechanisms for spreading a dangerous computer virus was a system for updating the accounting software National Security and Defense Council of Ukraine RNBO Archived from the original on 19 October 2017 Retrieved 30 June 2017 SBU establishes involvement of the RF special services into Petya A virus extorter attack Security Service of Ukraine Archived from the original on 19 October 2017 Retrieved 4 July 2017 a b c d e f g Ukraine points finger at Russian security services in recent cyber attack Reuters 1 July 2017 Archived from the original on 1 July 2017 Retrieved 1 July 2017 a b c d Borys Christian 26 July 2017 Ukraine braces for further cyber attacks BBC News Archived from the original on 26 July 2017 Retrieved 26 July 2017 Russian military was behind NotPetya cyberattack in Ukraine CIA concludes Archived 13 January 2018 at the Wayback Machine Washington Post 2018 Prentice Alessandra 27 June 2017 Ukrainian banks electricity firm hit by fresh cyber attack Reuters Archived from the original on 16 July 2019 Retrieved 27 June 2017 Scott Nicole Perlroth Mark Frenkel Sheera 27 June 2017 Cyberattack Hits Ukraine Then Spreads Internationally The New York Times ISSN 0362 4331 Archived from the original on 13 April 2018 Retrieved 4 July 2017 a href 
Template Cite news html title Template Cite news cite news a CS1 maint multiple names authors list link Global ransomware attack causes chaos BBC News 27 June 2017 Archived from the original on 27 June 2017 Retrieved 27 June 2017 Burgess Matt There s another worldwide ransomware attack and it s spreading quickly Wired UK Archived from the original on 31 December 2017 Retrieved 27 June 2017 a b c Cyber attack on Ukrainian government and corporate networks halted Archived 11 May 2020 at the Wayback Machine Ukrinform 28 June 2017 Companies still hobbled from fearsome cyberattack Associated Press 30 June 2017 Archived from the original on 19 October 2017 Retrieved 3 July 2017 a b c d e Kramer Andrew 28 June 2017 Ukraine Cyberattack Was Meant to Paralyze not Profit Evidence Shows The New York Times Archived from the original on 29 June 2017 Retrieved 29 June 2017 a b c Satter Raphael 5 July 2017 Ukraine says it foiled 2nd cyberattack after police raid The Washington Post Associated Press Retrieved 5 July 2017 dead link Frenkel Sheera 27 June 2017 Global Ransomware Attack What We Know and Don t Know The New York Times Archived from the original on 27 June 2017 Retrieved 28 June 2017 Krasnomovec Pavel 24 May 2017 Vse chto izvestno pro virus vymogatel XData kto pod ugrozoj i chto delat AIN UA in Russian Archived from the original on 28 June 2017 Retrieved 29 June 2017 a b c d Greenberg Andy 23 August 2018 The Untold Story of NotPetya the Most Devastating Cyberattack in History Wired Archived from the original on 22 August 2018 Retrieved 23 August 2018 a b Borys Christian 4 July 2017 The day a mysterious cyber attack crippled Ukraine BBC Archived from the original on 7 July 2017 Retrieved 8 July 2017 Polityuk Pavel 29 June 2017 Global cyber attack likely cover for malware installation in Ukraine police official Reuters Archived from the original on 29 June 2017 Retrieved 29 June 2017 Petroff Alanna 30 June 2017 Experts Global cyberattack looks more like sabotage than 
ransomware CNN Archived from the original on 1 July 2017 Retrieved 30 June 2017 Petroff Alanna 28 June 2017 Europol There s no kill switch for malware attack CNN Archived from the original on 19 October 2017 Retrieved 30 June 2017 Griffin Andrew 27 June 2017 Chernobyl s radiation monitoring system has been hit by the worldwide cyber attack The Independent Archived from the original on 18 August 2019 Retrieved 27 June 2017 Dearden Lizzie 27 June 2017 Ukraine cyber attack Chaos as national bank state power provider and airport hit by hackers The Independent Archived from the original on 30 August 2019 Retrieved 27 June 2017 Cyber attack was about data and not money say experts BBC News 29 June 2017 Archived from the original on 29 June 2017 Retrieved 29 June 2017 Tuesday s massive ransomware outbreak was in fact something much worse Ars Technica 28 June 2017 Archived from the original on 17 July 2017 Retrieved 28 June 2017 1996 THE YEAR IN REVIEW Archived 3 March 2016 at the Wayback Machine The Ukrainian Weekly 29 December 1996 Lee David 28 June 2017 Vaccine created for huge cyber attack BBC News Archived from the original on 28 June 2017 Retrieved 28 June 2017 Cyberattack Hits Ukraine Then Spreads Internationally The New York Times 27 June 2017 Archived from the original on 27 June 2017 Retrieved 28 June 2017 Luhn Alec Ukrainian military intelligence officer killed by car bomb in Kiev The Guardian Archived from the original on 13 April 2019 Retrieved 28 June 2017 McKew Molly 27 June 2017 A killing in Kiev shows how the West continues to fail Ukraine The Washington Post Archived from the original on 27 June 2017 Retrieved 28 June 2017 Stubbs Jack 5 July 2017 Ukraine scrambles to contain new cyber threat after NotPetya attack Reuters Archived from the original on 7 July 2017 Retrieved 5 July 2017 a b Goodin Dan 5 July 2017 Backdoor built in to widely used tax app seeded last week s NotPetya outbreak Ars Technica Archived from the original on 8 July 2017 Retrieved 5 
July 2017 Satter Raphael 3 July 2017 Official firm at center of cyberattack knew of problems Associated Press Archived from the original on 5 July 2017 Retrieved 7 July 2017 a b Ukraine Says Seized Equipment Used by Russia to Launch Malware Attacks The NY Times Reuters 30 June 2017 Archived from the original on 30 June 2017 Retrieved 30 June 2017 Software BlackEnergy Black Energy ATT amp CK attack mitre org Archived from the original on 19 October 2017 Retrieved 4 July 2017 Ukraine Security Service Blames Russia For Recent Cyberattack Radio Free Europe 1 July 2017 Archived from the original on 1 July 2017 Retrieved 1 July 2017 Russian BlackEnergy malware strikes at Ukrainian media and energy firms Archived 15 March 2017 at the Wayback Machine SC Magazine 4 January 2016 Telebots cybergang toolset reminiscent of BlackEnergy Archived 19 October 2017 at the Wayback Machine SC Magazine 15 December 2016 Brandom Russell 5 July 2017 Petya ransomware authors demand 250 000 in first public statement since the attack The Verge Archived from the original on 6 July 2017 Retrieved 5 July 2017 Nakashima Ellen 12 January 2018 Russian military was behind NotPetya cyberattack in Ukraine CIA concludes The Washington Post Archived from the original on 13 January 2018 Retrieved 15 February 2018 Marsh Sarah 15 February 2018 UK blames Russia for NotPetya cyber attack last year The Guardian Archived from the original on 15 February 2018 Retrieved 15 February 2018 Virus Petya has hurt more than 1 5 thousand legal entities and individuals Archived 2 July 2017 at the Wayback Machine Ukrayinska Pravda 29 June 2017 in Ukrainian Oschadbank resume the work of all departments on July 3 Archived 19 October 2017 at the Wayback Machine Ukrayinska Pravda 1 July 2017 in Ukrainian Voss Oliver 3 July 2017 Milka Fabrik steht seit einer Woche still Tagesspiegel in German Archived from the original on 5 July 2017 Retrieved 5 July 2017 Customers furious with TNT after cyber attack meltdown Archived 1 June 
2018 at the Wayback Machine BBC News 9 August 2017 Auchard Eric Stubbs Jack Prentice Alessandra 29 June 2017 New computer virus spreads from Ukraine to disrupt world business Reuters Archived from the original on 28 June 2017 Retrieved 30 June 2017 Perlroth Nicole Scott Mark Frenkel Sheera 27 June 2017 Cyberattack Hits Ukraine Then Spreads Internationally The New York Times Archived from the original on 13 April 2018 Retrieved 6 July 2017 Henley Jon Solon Olivia 27 June 2017 Petya ransomware attack strikes companies across Europe and US The Guardian Archived from the original on 1 May 2021 Retrieved 6 July 2017 Petroff Alanna Larson Selena 28 June 2017 Another big malware attack ripples across the world CNN Archived from the original on 5 July 2017 Retrieved 6 July 2017 Massarella Linda 27 June 2017 Europe cyberattack also breaches Merck headquarters in US New York Post Archived from the original on 5 July 2017 Retrieved 5 July 2017 a b Perlroth Nicole 6 July 2017 Lasting Damage and a Search for Clues in Cyberattack The New York Times Archived from the original on 7 July 2017 Retrieved 7 July 2017 Polityuk Pavel Auchard Eric 29 June 2017 Global cyber attack likely cover for malware installation in Ukraine police official Kiev Frankfurt Reuters Archived from the original on 29 June 2017 Retrieved 30 June 2017 Geller Martinne Sandle Paul 6 July 2017 Reckitt Benckiser trims sales forecasts after cyber attack Reuters Archived from the original on 6 July 2017 Retrieved 6 July 2017 Ukraine Is Ground Zero For Hackers In Global Cyberattacks Archived 1 July 2017 at the Wayback Machine Radio Free Europe 28 June 2017 Stoltenberg NATO to increase aid to Ukraine in field of cyber defense Archived 2 November 2017 at the Wayback Machine Ukrinform 28 June 2017 Statement from the Press Secretary whitehouse gov Archived from the original on 3 February 2021 Retrieved 11 October 2019 via National Archives Kardakov zaproponuvav stvoriti gromadyansku kiberoboronu lb ua 20 July 2017 
Retrieved 28 March 2024 External links editGreenberg Andy 20 June 2017 How An Entire Nation Became Russia s Test Lab for Cyberwar Wired Retrieved from https en wikipedia org w index php title 2017 Ukraine ransomware attacks amp oldid 1221223620, wikipedia, wiki, book, books, library,
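For defenders, the worm-like SMB spread described in the Approach section (an infected host reaching every other machine it can find on the local network over the Server Message Block protocol) is mostly a matter of spotting the fan-out. The following added example, which is not from the Wikipedia article or any of its sources, flags a host that opens SMB (TCP/445) connections to many distinct internal peers within a short window; the flow records, the internal address range and the thresholds are constructed assumptions.

```python
"""Detect worm-like SMB fan-out in network flow records.

Added illustration, not code from the article or its sources. A normal
workstation talks SMB to a handful of file servers; a host that reaches
dozens of distinct internal peers on TCP/445 within a minute matches the
self-propagation pattern the article describes. Flow data is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMB_PORT = 445


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since epoch
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    dport: int  # destination TCP port


def smb_fanout_alerts(flows, window_s=60.0, threshold=20, internal="10.0.0.0/8"):
    """Return {src: (window_start_ts, distinct_peer_count)} for every source
    that contacted at least `threshold` distinct internal hosts on TCP/445
    within any `window_s`-second sliding window. Only the first trigger per
    source is recorded, since that is the moment to raise the alert."""
    net = ip_network(internal)
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for f in sorted(flows, key=lambda x: x.ts):
        # Ignore non-SMB traffic, traffic leaving the internal range, and self-talk.
        if f.dport != SMB_PORT or ip_address(f.dst) not in net or f.src == f.dst:
            continue
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window_s:  # expire flows outside the window
            q.popleft()
        peers = {dst for _, dst in q}
        if len(peers) >= threshold and f.src not in alerts:
            alerts[f.src] = (q[0][0], len(peers))
    return alerts


def sample_flows():
    """Constructed flow records: one benign client, one slow sweeper that stays
    under the per-window threshold, and one host fanning out like a worm."""
    flows = []
    # Benign workstation: the same two servers, over and over, for ten minutes.
    for i in range(60):
        flows.append(Flow(1000 + i * 10, "10.1.1.20", "10.1.1.5", SMB_PORT))
        flows.append(Flow(1005 + i * 10, "10.1.1.20", "10.1.1.6", SMB_PORT))
    # Slow host: 30 distinct peers, but only one every 30 s (3 per window at most).
    for i in range(30):
        flows.append(Flow(1000 + i * 30, "10.1.1.40", f"10.1.2.{i + 1}", SMB_PORT))
    # Worm-like host: 40 distinct internal peers inside 20 s, plus one external
    # destination that the detector ignores because it is outside the range.
    for i in range(40):
        flows.append(Flow(1300 + i * 0.5, "10.1.1.77", f"10.1.1.{i + 100}", SMB_PORT))
    flows.append(Flow(1310, "10.1.1.77", "203.0.113.9", SMB_PORT))
    return flows


if __name__ == "__main__":
    for src, (start, count) in smb_fanout_alerts(sample_flows()).items():
        print(f"ALERT {src}: {count} distinct SMB peers from t={start}")
```

The threshold and window are deliberately conservative; in a real deployment they would be tuned against a baseline of how many SMB peers each host class normally contacts.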