NotPetya ransomware: White House joins UK in blaming Russia for NotPetya cyberattack

The US White House joined the UK in blaming Russia for the malicious NotPetya ransomware attack on Ukraine that crippled parts of the country's infrastructure before spreading globally last year.

The White House's Press Secretary Sarah Sanders said the attack, launched in June 2017 by the Russian military, "spread worldwide, causing billions of dollars in damage across Europe, Asia and the Americas", according to Reuters.

"It was part of the Kremlin's ongoing effort to destabilise Ukraine and demonstrates ever more clearly Russia's involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber attack that will be met with international consequences," Sanders added.

The White House's statement is the first time the US has formally blamed Russia for what is considered one of the worst cyber attacks ever recorded, although many security experts had pointed the finger at Moscow months ago. It comes just days after US intelligence agency leaders warned that Russia is likely to try to use cyber attacks to meddle in the US midterm elections in November.

A senior White House official added that the US government is now "reviewing a range of options" in how to respond to the findings.

The NotPetya attack, as with the WannaCry attack which also caused major damage last year, demonstrated the need for organisations to be vigilant, keep their systems updated and incorporate a visibility-based security posture.

"Companies need greater visibility into their networks to detect and remediate incidents and malware attacks," said Simon Gibson, security architect at Gigamon, at the time. "The inability to investigate and detect the spread of the attack across computer networks is greatly impacting critical infrastructures."

He warned that organisations need complete visibility over their networks so that they can assess vulnerabilities and detect outdated SMB versions still running on them.

"To build better defenses, a visibility platform enables better detection and remediation from security tools. Organisations need to be able to get the right information to the right security tools so they can better detect and rapidly respond to ransomware attacks," noted Gibson.

15/02/2018: UK publicly blames Russia for NotPetya ransomware campaign

The UK Foreign Office has publicly blamed Russia for the NotPetya ransomware attack that infected companies and public services across Europe and the US last summer.

The ransomware first emerged in June when Ukrainian banks, government facilities and corporate systems were hit by a coordinated cyber attack, only for it then to spread to sites in Germany, Italy, Poland, the UK, the US, and Russia.

The UK now believes that the Russian military was responsible for the attack, adding that it would not tolerate such malicious cyber activity.

UK-based Reckitt Benckiser, which produces brands such as Dettol and Durex, was hit by the ransomware in late June, and has estimated a £100 million loss as a result of system downtime and disrupted manufacturing output.

Courier service TNT was also locked out of its systems during the campaign, with sources inside the company revealing to the Guardian at the time that a "significant portion" of operations were having to be handled manually.

"The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017," said Foreign Office minister Lord Ahmad. "The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds."

"The Kremlin has positioned Russia in direct opposition to the West yet it doesn't have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather then (sic) secretly trying to undermine it."

Research by the National Cyber Security Centre concluded that the Russian military was "almost certainly responsible" for the ransomware attack, which was enough for the UK to publicly blame its government.

The attacks were largely seen as being politically motivated, having started on the eve of Ukraine's Constitution Day. As such, Ukraine was quick to publicly blame Russia for the attacks and claimed its internal security service, the SBU, obtained evidence that the ransomware attack was deliberately designed to look like a global virus while specifically targeting Ukrainian systems.

Russia has always denied responsibility for the ransomware and has pointed to the fact that Russian systems were also targeted in the attack.

The attack was initially thought to have used the Petya malware, which first emerged in 2016; however, analysis of the strain found it to be an entirely different family, designed to spread far more quickly between targets.

Kaspersky Lab believes around 2,000 attacks were launched using the malware, with as much as 80% of these being in Ukraine or Russia.

Defence secretary Gavin Williamson described the attacks as being part of a "new era of warfare" that Britain needed to be ready to respond to.

"Russia is ripping up the rulebook by undermining democracy, wrecking livelihoods by targeting critical infrastructure and weaponising information," said Williamson, in a statement to the press. "We must be primed and ready to tackle these stark and intensifying threats."

Parliament's Intelligence and Security Committee revealed in November that it was considering launching an investigation into Russian activity against the UK, including allegations of Russian meddling during the Brexit referendum.

25/07/2017: TNT customers experience delivery delays after cyber attack

TNT is reportedly still suffering from the effects of the NotPetya cyber attack last month, with customers being told that parcels are "going up to the ceiling" at some delivery centres.

The FedEx-owned shipping firm was one of thousands of businesses affected by the ransomware attack in June, which left computer systems crippled and many customers facing severe delays in receiving parcels.

In a statement released on 17 July, FedEx said that TNT systems had been compromised after an initial infection of its Ukraine operations had spread throughout its network. FedEx also said that all TNT depots, hubs and facilities had since resumed normal service, although a "significant portion of TNT operations and customer service functions" were being handled manually.

"We cannot yet estimate how long it will take to restore the systems that were impacted, and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus," added FedEx.

A week later, it appears that the company is still struggling to deal with the backlog of deliveries, as customers have now been told by TNT staff that consignments are "going up to the ceiling" at its East Midlands hub, according to the Guardian.

"TNT tell me they have had no computer systems since the end of June and there is no estimate for when their systems will be fixed," said TNT customer Peter Blohm, speaking to the Guardian.

"This means there are many thousands of parcels which have like mine been waiting for weeks to be processed by hand with pen and paper. The staff sound harassed, but cannot estimate when my parcel will be delivered, because they simply do not know."

A TNT spokesperson declined to comment on these reports when contacted by IT Pro, adding that there were no further updates from the statement released last week.

FedEx, which agreed to buy TNT in 2015, said it was still trying to establish the financial impact of NotPetya, admitting that it did not have adequate insurance policies in place to cover an attack of this kind.

"Although we cannot currently quantify the amounts, we have experienced loss of revenue due to decreased volumes at TNT and incremental costs associated with the implementation of contingency plans and the remediation of affected systems," said FedEx.

A recent report by Lloyd's of London said that a major global cyber attack could cost the world economy 40 billion, but because companies are 'underinsuring' their systems, as much as 34 billion of that may not be covered.

10/07/2017: Germany's federal cyber agency said that the threat posed to firms by the Petya ransomware was greater than expected, warning that data backups carried out since April should be considered compromised.

The BSI (Federal Office for Information Security) said in a statement that computer experts had discovered the waves of attacks had been launched via updates to the MeDoc accounting software dating back to April, as reported by Reuters.

Companies using this software may have been infected even if there were no obvious signs of a breach, the BSI added, so any data backups taken after 13 April should be treated as potentially compromised.

BSI president Arne Schoenbohm said: "Some German firms have seen production and other critical processes laid still for over a week." He added: "It has resulted in millions of euros of damage, and this in a case where Germany got off lightly."

Schoenbohm stated that the attacks were at least as harmful as the WannaCry ransomware attacks from May.

The agency has urged German companies to isolate networks on which the MeDoc software was installed, to increase network monitoring and to look out for any signs of compromise. It also underlined the importance of changing passwords and updating software on all infected networks.

Police last week seized servers from which they believe the ransomware attack originated. They belong to the Ukrainian software firm that created MeDoc, though the company disputes whether its software carried Petya.

"We studied and analysed our product for signs of hacking," Intellect Service's managing partner Olesya Linnik said in an interview with Reuters. "It is not infected with a virus and everything is fine, it is safe."

"The update package, which was sent out long before the virus was spread," she said, "we checked it 100 times and everything is fine."

Police launched an operation on Intellect Service, publisher of Ukraine's popular accounting software, MeDoc. The servers were seized and the police warned the company and its employees may face criminal charges over the attack.

German security officials are still investigating the origin of the attack and do not have evidence to confirm the claim by the Ukrainian government that Russia was behind it.

06/07/2017: Nurofen and Dettol maker estimates £100m loss from Petya

Reckitt Benckiser, the maker of Nurofen painkillers, said it estimates a £100m loss in revenue as a result of the Petya ransomware attack.

The company, which also manufactures Durex condoms and Dettol cleaning products, said the attack on 27 June affected a number of its production plants, preventing the company from fulfilling orders.

"Consequently, we were unable to ship and invoice some orders to customers prior to the close of the quarter," the UK-based company said in a widely reported statement. "Some of our factories are currently still not operating normally but plans are in place to return to full operation."

"We expect that some of the revenue lost from the second quarter will be recovered in the third quarter," the company added. "However, the continued production difficulties in some factories mean that we also expect to lose some further revenue permanently."

While the ransom demand was only $300, the news demonstrates the wide-ranging impact a malware attack can have on a company's systems - in this case, a catastrophic failure of a supply network.

Shares in the company fell as much as 3% following today's news, and are still 1.5% down at the time of writing. Reckitt said it's still assessing the long-term financial impact of the attack.

Reckitt Benckiser, which is headquartered in Slough, employs around 37,000 people through operations in more than 60 countries, although its products are available in over 200. It also counts Harpic, Cilit Bang, Strepsils and Clearasil among the brands it currently manufactures and recently acquired US-based children's formula maker Mead Johnson for $16.6 billion.

Some of the world's largest companies were hit by the attack, including Russian oil giant Rosneft, international shipping firm Maersk, and a number of Ukrainian banks.

05/07/2017: Ukraine cyber police seizes suspected Petya servers

Servers linked to the global spread of the Petya ransomware outbreak have been seized by the Ukrainian police's cybercrime division, after the malware was traced back to a small Ukrainian software firm.

Police swooped on the small family-run business Intellect Service, publisher of Ukraine's popular accounting software, MeDoc. Seizing the firm's servers, police warned that the company and its employees may face criminal charges over the attack.

While Intellect Service is not accused of being the architects behind the ransomware outbreak, experts have pointed to the company as being 'patient zero', acting as the source of the epidemic.

The authors of the ransomware likely hacked Intellect Service and used MeDoc's automatic update feature in order to spread the infection, according to multiple security firms and malware researchers.

However, some suggest the malware MeDoc allegedly spread wasn't Petya, but a similar variant of it, designed to destroy Ukrainian organisations' data.

The head of Ukraine's cybercrime unit, Colonel Serhiy Demydiuk, stated that Intellect Service had been warned multiple times by security experts that its IT systems were at risk of a security breach.

"They knew about it," he told the Associated Press. "They were told many times by various antivirus firms... For this neglect, the people in this case will face criminal responsibility."

"We have issues with the company's leadership, because they knew there was a virus in their software but didn't do anything," Demydiuk told Reuters.

"The Cyberpolice Department strongly recommends that all users, for the duration of the investigation, stop using the 'MEDoc' software and turn off any computer on the network on which it is installed," Ukraine's Cyberpolice unit said in a statement. "You must also change your passwords and electronic digital signatures, due to the fact that these data could be compromised."

03/07/2017: Ukraine blames Russian security forces for Petya ransomware

Ukraine claimed that the Russian security services were behind the Petya cyber attack which affected businesses worldwide last week.

Ukraine's security service, the SBU, has linked Petya to the December 2016 cyber attack in Ukraine in which the power grid was taken down, affecting roughly 700,000 homes. The SBU says it has obtained data from various international anti-virus companies linking the two attacks.

The security service also stated that the attack was designed to create the impression of a ransomware virus, but was in fact specifically targeted at Ukraine. The SBU said: "In fact, the virus is a cover of [a] large-scale attack, oriented against Ukraine."

It said the main aim of the virus was to destroy important data and create disorder in Ukraine in order to spread panic.

According to Reuters, various cyber security researchers have suggested Moscow was not behind the attack, as some major Russian firms were also affected by the ransomware. Moscow has also denied any involvement, with a Kremlin spokesperson dismissing the claims as "unfounded blanket accusations".

The cyberattack, which goes by various names including Petya and NotPetya, locked down corporate computers in Europe and the US last week. It demanded $300 in Bitcoin for users to unlock their files, but the attackers' email account was shut down, meaning victims are unlikely to get their data decrypted. A number of experts have said that the attack was deliberately malicious and spread quickly to cause damage under the cover of ransomware.