Just when we thought we had seen the back of ‘WannaCry’, on 28 June 2017 news broke of yet another large scale ransomware outbreak spreading its way across networks throughout the globe. Although it is early days, this is what has been reported so far:

  • The ransomware, known as ‘Petya’, was first reported in Ukraine before spreading across Europe, the US, and the rest of the globe. A number of organisations appear to be impacted including government agencies, major banks, utilities, shipping and logistics firms, food manufacturers, hospitals, airports, and a (decommissioned) nuclear power plant. It appears that three organisations in Australia have also been impacted including a global law firm and confectionary company.
  • Similar to ‘WannaCry’, ‘Petya’ exploits a known vulnerability in Microsoft Windows, allowing it to spread relatively easily throughout a network. Although the ‘Petya’ malware has been in existence since 2016, it is reported that this is a more advanced strain with developed capabilities to overwrite and encrypt the master boot record, causing files to be encrypted upon rebooting.
  • Once a machine is infected, a ransomware note appears on screen demanding bitcoin payment be made in the amount of USD300 in return for a decryption key. Serious consideration should be given before paying the ransom demand. It is reported that the email address used by the organisation behind the attack has been blocked meaning that it is unlikely that the decryption key will be provided. It remains to be seen whether updated payment instructions will be issued.

Immediate steps organisations should be taking now

In the short term, the Australian Cyber Security Centre has recommended that organisations take a number of steps including:

  • Patch/update systems immediately, including Microsoft operating systems. More information is available here.
  • Back-up critical data locally or through an offsite provider. More information is available here.
  • Ensure antivirus software is up-to-date.

At the same time, we recommend that organisations should instruct its employees to remain vigilant for phishing emails and take the following steps:

  • Do not open any email attachments or links from unknown or unexpected sources. Check any suspicious emails (such as the sender’s details) to ensure its authenticity.
  • If in any doubt, delete the email and notify internally as appropriate.

To guard against future malware attacks, the Australian Signals Directorate recommends organisations adopt the Essential Eight framework.

If your organisation has been impacted, we recommend you immediately contact your internal IT function or external service provider. You can also report the incident to ACORN or CERT Australia who is currently working with affected Australian organisations. If you have cyber insurance in place, we also recommend you contact your broker to notify your insurer of the incident.

Why this incident is ‘just another day in the office’

Despite ‘Petya’ shaping up to be a significant incident and one which will no doubt occupy headlines for the next few weeks, ransomware attacks are hardly new. Globally, ransomware campaigns have increased in frequency with new forms of malware continuously being detected.

Australian organisations are not immune to this risk. The 2015 ACSC Cyber Security Survey identified ransomware as the most common cyber threat, having affected every sector surveyed, and the 2016 ACSC Threat Report continued to identify ransomware as a predominate cybercrime threat. Further, the ACCC ScamWatch Index recorded an increase in ransomware and malware incidents from 4,439 in 2015 to 6,210 in 2016. Already there are 2,573 reported incidents in 2017. And these are just the reported incidents.

As this incident demonstrates, cyber risk impacts all organisations irrespective of the industry in which they operate. Although globally networked organisations appear to be the hardest hit in this instance, in our experience, small to medium sized organisations are also particularly vulnerable to ransomware attacks and their effect. This is because, putting aside the financial crime element of ransom demands, arguably the biggest risk posed by ransomware is operational risk. Restoring data takes time and downtime means lost productivity. Even with recent backups in place there is always a risk of permanent data loss. There is also a potential for data exfiltration and while this risk may be low, its impact is high and should not be overlooked. A public relations risk also exists with any incident.

We recommend that all organisations consider obtaining cyber insurance. In a ransomware event, cover would typically be available for the ransom demand, business interruption losses and costs incurred in engaging external service providers to restore data and provide legal advice. Cyber insurers may also provide organisations with access to an expert panel of IT/Forensic/Legal service providers who can provide timely assistance and ensure appropriate steps are taken to respond to and recover from incidents such as this.