MOSCOW (Sputnik) — The ExPetr attack happened last Tuesday, with some major businesses affected across the globe. The ransomware locked access to the data on infected computers and demanded $300 in bitcoins to unlock the files. To date, there have been no successful examples of decryption.
"Could it happen again? Certainly, it could … So although it was using some of the NSA [US National Security Agency] exploits such as 'Eternal Blue' and 'Eternal Romance,' it was also spreading through these WMI [Windows Management Instrumentation] … which is why it was much more effective than perhaps people would have realized. And certainly these techniques will continue to be useful to malware authors who will attempt to mimic the success of this attack," Matthew Hickey, co-founder and director of Hacker House, a firm that provides cybersecurity solutions for businesses, said.
"Eternal Blue" and "Eternal Romance" are exploits that take advantage of vulnerabilities in Windows systems. The cybersecurity community widely believes that these exploits were developed by the NSA; however, the agency hasn't publicly commented on the matter. In April, the exploits were leaked online by a group called the Shadow Brokers.
"Eternal Blue" and "Eternal Romance" were first used in the attack dubbed "WannaCry" that hit over 230,000 computers across the globe in May. It should be noted that Microsoft had released a patch for this vulnerability two months prior to the attack, in March, but because many businesses simply put off installing the fix, their computers were still vulnerable and thus got infected.
Jakub Kroustek, malware researcher at Avast, also thinks that attacks similar to those that happened in the last two months could take place at some point in the future.
"It is highly likely that we will see more and more wormlike ransomware strains, especially given that WannaCry and Petna [ExPetr] have confirmed this concept to be viable," he explained.
Nature of the Attack
Researchers seem to have different opinions about the classification of ExPetr.
Last week, Comae Technologies founder Matt Suiche told Sputnik that ExPetr should rather be seen as a wiper, and not ransomware, as it didn’t just lock the information, but actually damaged it.
Hickey said that the program did indeed cause damage to the system, but added that it could have been just a mistake on the part of the threat actors.
"There were bugs and errors in that code. It's not clear whether it was the intention to destroy data or if it was just badly written. The fact that it's wiping, and has bugs in its code, certainly does lend its credibility to either being intentionally designed to damage the system or it just shows that they just rushed to get it out and [had] not finished developing it correctly," he explained.
ExPetr is a piece of malware that encrypts the hard drive of the computer, locking access to the files stored on the device. It asks the user for a ransom, but according to a report by Kaspersky Lab, it is built in such a way that even if victims pay the threat actors, the chances of decrypting the files are close to none. ExPetr hit over 2000 targets all over the world. Affected companies have launched investigations into the security breach, but the scope of the damage caused by the malware is yet to be determined, as evaluations are still underway.
Don't Panic, Prepare
Cybersecurity companies say that they are improving their anti-virus programs to better confront malware like ExPetr and WannaCry, but they warn that the responsibility to protect data also lies with users themselves.
"Companies can work with organizations like us to understand what the risks are for their organizations by doing simulation attacks, where they intentionally expose their systems to risks to understand where they are broken, so they can build better defenses," Hickey said.
He noted that there’s no reason for panic, as personal users are less likely to be affected, but added that all users should update their anti-virus products.
This position is echoed by the team at Avast, warning personal users as well as businesses that it’s better to prepare for the attack than to deal with its fallout.