TechByter Worldwide

Speak softly and carry a large microphone


02 Jul 2017

Petya or NotPetya — What We Think We Know

This week's malware attack was something new, or maybe something old -- recycled. Some of the earliest malware, back in the 1990s, was intended to damage hardware. Damaging hardware doesn't have any monetary value, though, and crooks moved on to creating applications they could monetize. Not this time, though.

This isn't the article that I'd intended to have at the top of this week's program, but it barged in and -- as the week went on -- it became more and more important. So let's look at (Not) Petya instead.

If your computer is attacked by the malware that came calling this week, there is probably no recovery. It acts like ransomware initially, but it really intends to destroy your computer by damaging what's called the "master boot record" (MBR) that must be present when the computer starts. With no MBR, your computer won't boot.

Cybereason provides applications that are designed to protect enterprises from ransomware and also offers RansomFree for home users. This is an application that monitors the computer, watches for suspicious activity, and shuts down attempts to encrypt files. It also monitors the computer's master boot record.
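A defender-side illustration of the MBR monitoring described above, added here for this article and not code from Cybereason or RansomFree: it parses a constructed 512-byte MBR image, checks for the 0x55AA boot signature that must be present for the machine to start, decodes the partition table, and compares the boot code against a baseline hash recorded while the system was known-good. The sample image, the baseline and the finding strings are all constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR for the demo (not a real disk dump): a
    placeholder boot stub, one active NTFS-type (0x07) partition, three
    empty slots and the 0x55AA boot signature."""
    boot_code = b"\xeb\x3c\x90" + b"\x00" * 443
    part1 = struct.pack(PART_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + part1 + b"\x00" * 48 + BOOT_SIGNATURE

def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the partition table.
    Raises ValueError when the sector is not a plausible MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: MBR damaged or overwritten")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": count})
    # hash the boot code separately; the partition table is reported as parsed data
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions}

def check_against_baseline(sector: bytes, baseline_hash: str) -> list:
    """Return findings (empty list when the MBR looks intact and unchanged)."""
    try:
        info = parse_mbr(sector)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code changed since baseline")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active (bootable) partition")
    return findings

if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]  # recorded while known-good
    print(check_against_baseline(good, baseline), check_against_baseline(b"\x00" * 512, baseline))
```

On a real system the sector would come from a raw read of the first 512 bytes of the boot disk, which requires administrative rights; the check itself does not change.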

This week's attack began in Ukraine and Cybereason's Sam Curry says thousands of companies have been affected around the world.

Cybereason provides a quick summary of how the latest attack works. It's on the company's website. The conclusion: "Causing as much disruption as possible was the attack’s likely goal. On that front, the attack succeeded: offices closed, people were unable to buy food at supermarkets and employees were told not to use their computers."

A free protective application, RansomFree, can be downloaded from the Cybereason site. I recommend it.

This is another attack that was orchestrated using malware developed by the United States National Security Agency. The NSA is not alone; malware is being developed by other nation states and by individuals. We're going to see more of it. The situation is ugly and it's getting worse. Unfortunately, that's the perfect lead-in to the second item on this week's program.

The Power Outage in Our Future

The US electric grid is struggling and most of us encounter at least occasional power outages. Depending on where you live, the outages may be more frequent. At my house, for example, we had power outages ranging from a few minutes to a few hours several times a month. Houses across the street, on another power branch, rarely experienced outages, and enough complaints to enough people finally resulted in improvement.

So you might be in an area that generally has solid service or you might be in an area that loses power anytime a squirrel sneezes. Either way, we're all at risk of more substantial outages -- ones that might not be easy to fix.

Halfway around the world, in December 2016, tens of thousands of people in Ukraine suddenly had their power shut off. But it wasn't a storm, a problem at a generating station, or faulty equipment. Hackers -- believed to be in Russia -- used malware to shut down Ukraine's power system.

The hackers had used malware called CrashOverride to shut the system down and, although Russia is considered to be the most likely source, it isn't clear whether this was a government-sponsored operation, Russian hackers hired by the government, or some other players entirely.

Security firm Dragos has published a report with some highly troubling observations. The report says "Dragos, Inc. was notified by the Slovak anti-virus firm ESET of an ICS tailored malware on June 8th, 2017. The Dragos team was able to use this notification to find samples of the malware, identify new functionality and impact scenarios, and confirm that this was the malware employed in the December 17th, 2016 cyber-attack on the Kiev, Ukraine transmission substation which resulted in electric grid operations impact. This report serves as an industry report to inform the electric sector and security community of the potential implications of this malware and the appropriate details to have a nuanced discussion."

CrashOverride is the fourth piece of malware known to attack industrial control systems (ICS). Stuxnet, believed to have been developed jointly by the United States and Israel, was used against Iran. BlackEnergy 2 was used in 2015, possibly by Russia, in Ukraine. And Dragonfly (also called Havex) was seen starting in 2014, when it was found in software distributed by manufacturers of industrial control systems.

Industrial control systems are what make minute-to-minute decisions about the nation's electric grid. Power consumption and power production must be closely matched to avoid damage to the system, and attacking the grid's ICS could shut the system down and do enough damage to make recovery take a long time.

CrashOverride isn't linked to any one vendor's ICS so it can be used to target any electrical grid. It can be re-purposed to attack systems anywhere in the world.

According to the Dragos report, "CrashOverride could be leveraged at multiple sites simultaneously, but the scenario is not cataclysmic and would result in hours, potentially a few days, of outages, not weeks or more."

Industrial control systems are key to nearly everything we do: gas and oil pipelines, factories and warehouses, urban transit systems, airlines, and the internet.

CrashOverride is a sophisticated piece of software that is not designed to steal information, but only to disrupt industrial control systems. Dragos has made its long and detailed report publicly available on their website.

Pleasant dreams.

Short Circuits

Watching the Avalanche

We seem to be standing at the base of a mountain, watching an avalanche start near the top. We know what's going to happen, but we're powerless to stop it. No, this isn't a story about climate change. It's about malware.

Ukraine seems to be the testing ground for all types of malware, and the latest attacks have spread throughout Europe, Asia, the Pacific, and the Americas. The attack appeared to be another version of WannaCry, which was based on malware developed by the US National Security Agency. But it turned out to be more than that.

Several security experts have suggested that the ransomware might be a red herring intended to pull our attention away from something going on in the background. There's no indication that there is more, but someone who wants to install destructive applications for use later might well use something like a ransomware attack to hide what's going on.

Ukraine probably received the worst of the attack. The former Soviet republic has been the target of several Russian attacks in the past and this could be another test.

In the previous WannaCry attack, the malware was poorly designed and investigators quickly identified a way to keep the infection from spreading. That deficiency has been remedied in the current version, which also steals a user's credentials. That's one of the reasons that some investigators believe yet another wave is coming.

The Ukrainian government was quick to blame Russia, but the attack also crippled Russian energy company Rosneft and Home Credit Bank, one of Russia's largest banks.

This attack seemed initially to have used a malicious application called Petya, which is available for purchase as a service on the dark web -- sites that are not visible on the normal public web and are accessible only with the Tor web browser. As noted in this week's top article, it was really something much worse. The malware had been quietly spreading to computers around the world since late in the previous week, when it activated on Tuesday.

Protecting Your Computer from Ransomware and Other Malware

One of the primary protections, other than being extremely careful about clicking links and being attuned to signs of danger, is keeping the operating system and the applications on the computer up to date.

When the WannaCry malware caused major disruptions at medical facilities in England, the director of Europol, Rob Wainwright, was outspoken on the subject of updates. It's frustrating, he said, because there had been other similar attacks in Europe and in the United States starting two years before WannaCry hit.

Some security experts say the real problem is broken update systems and procedures. The BBC quoted David Venable, vice-president of cyber-security at Masergy Communications, an IT services firm, who said that computer updates aren't rocket science. "It's an oil change," he said. Venable is a former intelligence officer with the US National Security Agency.

He cited some challenges such as companies continuing to use operating systems when security updates were no longer available and the problems of rolling out large updates to millions of users. "But these aren't new challenges," he said. "Anyone running these networks should have had this solved long before now."

But there is one more thing you can do to protect yourself, your data, and your computer from all types of malware. It's something you should be doing on a daily basis and it's not even difficult. Backup is the backstop, the final bit of protection that stands between your data and your data being gone. There are on-line services that provide backup, several types of backup applications, and automated systems that can make the process painless.

Certainly a lot more painless than losing critical files. If the worst does happen, a good backup will allow you to format the computer's hard drive, reinstall the operating system, and restore your applications and files. As annoying as that is, it's a lot better than the alternative.