Petya attack: Maersk partially recovers, taking pressure off ports of Auckland and Tauranga

A Maersk ship in port at Tauranga
Symantec cyber security strategy manager Nick Savvides says it is "absolutely critical" to keep your computer updated

Symantec cyber security strategy manager Nick Savvides on Petya and how to protect yourself from malware attack


Reader poll: Would you pay a $US400 cyber ransom? Yes 31%, No 69% (total votes: 376)

UPDATE 2pm Friday: Maersk says it has partially restored its global logistics system following the Petya malware attack that started Wednesday NZ time. 

In a statement emailed to NBR at midday NZ time, the company said, "We are pleased to let you know that Maersk Line is open for business as we are again able to accept bookings via INTTRA. Our vessels are sailing and loading cargo. Some restrictions remain as not all systems are up and running but we are collaborating with cyber-crime agencies and IT industry leaders to reinstate services fully."

The Maersk update was sent via a Hotmail address – an indication that things aren't 100% hunky dory.

Spokespeople for the ports of Auckland and Tauranga could not immediately comment on what degree of access had been restored to Maersk's system for digitised load lists and instruction for cargo release. But both said operations were running to schedule. In the Ports of Auckland's case, it has only had one ship, with a limited number of Maersk containers in dock. 

Tauranga has managed to use old-school methods to manage the unloading of the 9650-container Svendborg Maersk yesterday, while the 4041-container Leda Maersk is to unload today.

Meanwhile, there are still no reports of Petya attacks in New Zealand, says Rob Pope, director of government cyber-security agency Cert (Maersk's global operations were affected after its servers in Europe were compromised).

Increasingly, the malware looks like a politically motivated attack on the Ukraine, as opposed to the for-profit WannaCry that targeted companies worldwide. Maersk and others affected appear to be collateral damage.

Petya attack: Port of Tauranga switches to manual systems to unload Maersk ship
UPDATE Thursday 11am: The Port of Tauranga has been forced to switch to manual systems to unload two Maersk vessels after a Petya malware infection saw the shipping giant take its global logistics system offline after its computers in Europe were compromised.

However, commercial manager Leonard Sampson says there have not been any delays or downtime.

The 9650-container Svendborg Maersk was unloaded yesterday, while the 4041-container Leda Maersk is in port today.

"We are exchanging critical information with Maersk via an alternative email system," he says, referencing the shipping company's switch to Gmail and old-school pen and paper.

"At this point, it is business as usual at the port and no disruption is expected," Mr Sampson says.

Meanwhile, the head of the government's Computer Emergency Response Team, Rob Pope, says that around 36 hours into the Petya attack, there are still no reports of local infections.

Mr Pope warns anyone who does get hit by Petya that they will have zero chance of getting their files back if they pay the $US300 ransom.

That's because Petya (also known as NotPetya) has now been revealed as a "wiper" rather than ransomware. After infecting a computer, it wipes its master boot record, destroying files so there is no possibility they can be returned.

Another difference with the earlier WannaCry attack is that an email address to contact the attackers for payment was disabled early on — and the hijackers seem to have no interest in providing alternative channels of communication (as is usual with ransomware).

The purely destructive nature of Petya appears to relate to the fact that it seems to have been targeted at infrastructure operators in the Ukraine (although it has subsequently spread to Europe and elsewhere).

Tech commentator Bill Bennett speculates that could mean a state actor is behind the attack — namely, Russia — rather than show-off hackers or organised crime.

Petya threatens Port of Tauranga
UPDATE Wednesday 6.15pm: Shipping giant Maersk has confirmed its global operations software has been hit by the Petya ransomware attack.

Ports of Auckland spokesman Matt Ball says the Danish company has had to shut down its entire system to prevent further exposure.

"Until this is resolved, Maersk has no means of receiving load lists, discharge lists or instructions for cargo release. They have even closed down their email servers and are communicating via Gmail," Mr Ball tells NBR.

So far, Maersk's problems have not had any impact on the port's operations — simply because there are no Maersk ships being unloaded.

But that will change on Friday when a container ship from Hamburg Sud, carrying Maersk containers, is due to arrive in Auckland, its first stop before the Port of Tauranga, which is now the main local Maersk port (Hamburg Sud was bought by Maersk in April, but the deal is still being finalised and their systems have yet to be integrated).

And on Sunday a Maersk vessel is due in Auckland.

Cert warns against new ransomware attack called Petya
Wednesday 9am: Crown cyber-security agency the Computer Emergency Response Team (Cert) is warning that a new ransomware threat is sweeping the globe.

It says so far there have been no reported local attacks.

Like the recent WannaCry, Petya — back in a new form after previous attacks — targets computers running older versions of Windows by exploiting the "Eternal Blue" vulnerability in Microsoft Small Business Server.

It encrypts files on a PC, displaying a flashing red-and-white skull and crossbones before a demand for $US300 to free them.

The Petya attack began in the Ukraine earlier today, where there are reports of the postal service, a telco and other organisations being hit. It then spread to Europe, where Danish shipping giant Maersk was among those infected, according to the New York Times. There are now reports of attacks in the US. And ABC News says a Cadbury chocolate factory in Hobart has been hit.

NZ Cert is advising organisations running Windows XP through to Windows 2008 R2 and Small Business Server to install the security patch released by Microsoft at the time of the WannaCry attack (it's on Microsoft's website here).

More broadly, the advice from security professionals remains the same: Make sure you’re using the most up-to-date versions of all your software – not just your security software. Don’t click on suspicious links or email attachments (which are not used to spread Petya but it’s good practice). And make sure you have backups and test them.

Petya flashes a white-and-red skull & crossbones on an infected PC before demanding a ransom of $US300 be paid in bitcoin.

The creators of WannaCry were never caught. Symantec cyber security strategy manager Nick Savvides says his company has found evidence linking the attack to the Lazarus Group, a criminal enterprise with ties to the North Korean government.

But whether perpetrators are caught or not, he says get ready for more ransomware attacks, which he describes as "the new normal."

Should you pay a ransom?
Cert NZ, Netsafe and the police recommend not paying a cyber-ransom. They say it only encourages more crime, and there's no guarantee you'll get your files back.

Contrarian lawyer and intellectual property expert Michael Wigley says victims should consider paying up. Files are often returned, and the amount of money is low if they're not. When dealing with real-world pressures, including their duty of care to retrieve client files, companies need to be pragmatic, he says.

Cert was recently created by the government to monitor cyber threats and help co-ordinate a response. It won't help you get rid of malicious software, but if you're infected by ransomware, it can point you in the right direction to find help, or to the appropriate law enforcement contacts.



32 Comments & Questions


Recently we had quite a few phone calls from persons claiming that they are from Windows, speaking in an 'Indian' accent, asking for the number of devices in our home. On confronting them, phone calls from them were cut off. Quite strange but interesting and alarming!!


The long-standing Microsoft phone call scam has got fresh legs with the recent ransomware outbreaks.

In a recent warning from Microsoft NZ and Netsafe, Microsoft NZ Marketing and Operations Director Frazer Scott said the key message Microsoft wants to make clear once again to New Zealand internet users is that the company will never call them asking for remote access to their computer.

“Microsoft DOES NOT call customers at home saying that we have detected a problem with their computer, and we will NEVER ask for passwords or other private details in any forum,” Scott said.

NetSafe head Martin Cocker said his organisation's advice to people who receive suspect calls is to hang up immediately.

“If you have given someone remote access to your device you should immediately end the session and contact Netsafe. If you have given any bank details to a caller, then contact your bank as soon as possible to advise them of the possible fraud.”


The mystery is why the perps are asking for such small amounts of ransom? Doesn't seem to be about the money.


Because you just pay it. It's not worth engaging someone to fix or fight.


Yup, that was experts' take during the WannaCry attack. People would be more likely to just pay it. A report by Telstra says 60% of companies across the ditch pay up when hit by ransomware.


Maybe the real criminal gains are being made in "put" and "call" options on Maersk's stock (or other expected to be compromised stocks)?


Yes, Aaron, that could be it perhaps - I wonder if the various securities agencies are looking at movements in the stocks concerned?

I understand Chris's explanation, but these ransoms are minute compared to the firms ($10k would be the level I'd set for Maersk on that reasoning, to still maximise the profit from the attack).

Not, ahem, that I'm in a position to, obviously :)


You are right to question the fact the amounts requested don't add up. The WannaCry attack is estimated to have made only about $50k of bitcoin, a pittance for an attack of that scale; this one is similar.
Most of what I have read questions the resilience of the payment channel. The email address the attackers used was taken down within days of the attack, meaning the ability to collect the money wasn't really the point. If you are going to do something like this you would want to maximise your ability to collect the proceeds.
Add to this the fact that Ukraine was a key target and suffered the most from the Petya attack, including having the Chernobyl radiation monitoring software knocked out; Russian companies that suffered as part of the attack were quickly able to restore their systems; and the use of ransomware as a cover for the attack provides plausible deniability, and it doesn't take much of a leap to understand where this came from and what the attackers' true motivations were.


So, political? By governments or private-ideological groups?


Would running a virtual environment on your PC be sufficient to thwart these ransomware attacks?


Not on its own. At best you might find it faster to restore your virtual computer to a working condition.

A properly set up network and systems can help prevent this kind of thing, but there is no one silver bullet that can protect.


AP Moller - Maersk delivered an underlying profit of USD 711m in 2016,

Chris - Is there any indication that even if you pay your systems are not unlocked? Do you think Maersk have possibly paid, got unlocked then taken their systems back offline themselves to attempt to close the hole?


When NBR was covering WannaCry, NetSafe's Martin Cocker said there was no guarantee that paying up would see your system unlocked. He also noted that malware makers sometimes prey on each other's hacks -- so sometimes a victim thinks they're paying the ransom, but in fact they're sending money to the wrong criminal.


A large organisation like Maersk? Unless their IT team have completely *****d things up, you shut down the infected systems. Patch everything else to stop it spreading. Nuke anything infected and then restore from backup. Takes a little time, but is a lot safer in the long term than unlocking and trusting to the good will of the malware creator.


It's important to note that this will remain an opportunity for exploitation so long as government bodies push for "back doors" to encrypted systems in order to spy on citizens carte blanche. WannaCry originally used an NSA exploit.

There is no such thing as a safe "back door". They are only ever security vulnerabilities that are ripe for exploitation.


Indeed. The performance to date of government departments around the world in keeping such things secret says that it WILL leak and soon.

They cannot be trusted to keep such things secure.


Also, why do they need our nudes in the first place?

https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-int...


Was it an intentional back door or simply a bug in a system that was 16 years old and way past its use-by date? If you don't want to get hacked, spend some time keeping your systems current.


The suggestion now is that it is a state-sponsored attack aimed at the Ukraine, which might explain more about the lack of any serious financial gain. If that is true it might be time to cash in any Russian shares before the CIA turn their lights out ...


Ain't computers just wonderful things NOT!!! Back in the good ole days you didn't have to reboot the pencil and paper. The pencil and paper didn't crash. The work got done, albeit at a more leisurely pace, and that wasn't such a bad thing. Didn't have people yelling at you in CAPITALS to reply instantly.

Memos got written and rewritten to ensure the Reply ALL disease didn't occur. Memos got sent and considered carefully before being replied to.

All in all a much more civilised time than the present ugly mess that is business as usual.


And the girls in the typing pool didn't get all upset with a friendly pat on the bottom either. The good old days indeed.


Chris - all these types of attacks so far seem to be based on Microsoft servers and PCs. Would I be right in assuming that Linux based servers and PCs cannot be hacked in this manner? Or is that an over-simplified view?

If Linux is, in fact, a sounder, less hackable system can we anticipate a wholesale switch to it?


Like WannaCry, Petya only infects older versions of Windows on the desktop or servers. 

Many computer experts say Linux is more secure, but security is only one of a number of factors when organisations make decisions about which server or desktop software to use. Others include compatibility with software applications currently used by that organisation, and fear of the unknown.


I would suggest because there are also few users of Linux and they on average tend to be more tech-savvy, it makes the effort required to target them and the potential reward for doing so much less attractive a proposition.


It's as secure as the end user makes it. If the end user opens stuff and runs it (and assuming that it CAN actually run at all), then it can have the same sort of issues. However, at a very small %age of the overall computer base, there is very little profit in it for the types of people who make ransomware.

Remember that much the same thing was said about the Mac Operating System (immune to viruses etc.) until it got big enough to be worthwhile. Whereupon it was discovered that this wasn't true.

Likewise a well secured Windows computer is unable to be targeted by this type of attack (I've lost track of the number of times staff have complained that they can't open "this important PDF someone sent me"). The downside of such security is that people have less control over their computers and the use thereof.


Because Linux is less uniform than Windows, even if widely deployed it'd be less of a monoculture, making it much harder to target for malware. Windows is optimised for profit maximisation by MS, which means making systems as similar as possible - that's a recipe for disaster. No computer system is absolutely secure, but there are more Linux computers in the world today than Windows computers (just about all of "the cloud", Google, Facebook, Amazon, 80% of cellphones, most network routers and wifi access points, etc.) so I'd suggest that Linux *is* usually more secure. The problem is that tech unsavvy people (probably 90% of professional people) tend to run whatever turns up on their computer, and that's mostly Windows.


Didn't Microsoft release updates for older versions of Windows to fix this bug?
Maybe pirated copies of Windows in some countries (i.e. Ukraine) are so common that Microsoft releasing a fix does little good because pirated copies of Windows cannot connect to the Windows Update server to download the security fixes.


Yes, Microsoft did release a fix (see link in article above). And, yes, your theory could be correct.


Unlikely organisations will be using pirated Windows. It's often expensive to upgrade the OS across a whole network, esp. in a larger org, and there's a lot of compatibility issues. These attacks are certainly a wake-up call for companies to invest more into IT infrastructure.


Even with Windows XP out of support for a few years now, Microsoft still released a patch for it and that patch along with the Windows 7 through 10 were available months ago.

We've asked ourselves at work the question about compatibility of existing applications with older versions of Windows and the cost of having to upgrade and in some cases, replace the XP vintage applications completely if they couldn't be upgraded to be compatible with later versions of Windows.

The answer always comes down to the cost of the replacement versus the cost of days of productivity lost in the event of an outage meant that it was a no-brainer to sign off the replacement cost. Let alone the loss of reputation or consequences for our customers.
