Companies that paid the ransom to retrieve their data from the Petya ransomware attack have no way of receiving the encryption key.
Although Symantec has verified the Ukrainian accounting service MeDoc as “patient zero” for the attack, the cybersecurity company hasn’t discovered who is behind it. The email account the attackers used has been shut down, so companies that pay the $300 ransom will not receive the encryption key needed to restore their data. As of 7 a.m. ET, the email account was still down. The hackers, however, can still access the money delivered through bitcoin.
Symantec always recommends that companies refrain from paying the ransom when they are affected by ransomware, because there is no guarantee that the hackers will hand over the encryption key, and the companies will need to rebuild their systems to protect their data anyway.
“There’s not really another answer,” said Jon DiMaggio, senior threat intelligence analyst for Symantec Security Response, in an interview with MeriTalk.
The new variant of ransomware is stealing users’ credentials, possibly in order to infect additional high-value systems that have stricter security controls, according to DiMaggio.
“It’s not normal for ransomware to steal credentials,” DiMaggio said.
He said that many theories could stem from this finding, but Symantec hasn’t verified whether it is a precursor to another attack.
Symantec has not validated whether any infections in the United States came from the same strain of ransomware. The most affected organizations are located in the United Kingdom and Ukraine, which use the accounting service that began sending out infected updates to its software. The ransom note that appears on infected computers is written in English, which led DiMaggio to believe that the attack was meant to target an English-speaking country such as the United States.
“It’s just odd to me,” DiMaggio said, “because it was clearly a well-planned operation.”
DiMaggio said that it is possible that the ransomware could reach U.S. organizations.
DiMaggio said one of the biggest problems at affected companies was that they patch their systems too slowly. The companies want to test patches before installing them, to ensure that none of their applications break because of the new patch.
“The risk is so much greater from getting infected,” DiMaggio said, “than the risk from patching quicker.”
DiMaggio recommended that companies and government organizations use security software, protect endpoints, and analyze the traffic going in and out of their networks. Companies that use all three methods, he said, can be confident that if one method fails, the other two will still keep their networks secure.
The Petya ransomware is similar to the recent WannaCry attack in that it used hacking tools that were stolen by the ShadowBrokers.
“They both piggybacked off that tool but that’s really where the similarities ended,” DiMaggio said.
Researchers found that the window of opportunity for responding to a Petya infection is short.
“The malware automatically reboots systems after completing its encryption and propagation routines,” said Ryan Kazanciyan, chief security architect at Tanium, in a blog post Tuesday. “Early research indicates this occurs within an hour post-infection.”
The researchers also noted that the investigation into the most recent attack will continue to evolve.
Another difference between the attacks is that Petya encrypted the entire disk rather than just the files on the computers.
“The end result is harder to deal with and harder to fix,” DiMaggio said.