‘Nyetya may not have been about making money’

June 29, 2017


The latest computer virus that has affected companies and institutions around the world may not have been ransomware — its purpose could have been political, believes a leading cybersecurity expert.

The virus was “unusual” as it had only one wallet and one email linked to it and “may not have been about making money”, according to Craig Williams, senior technical leader at Cisco’s cybersecurity division Talos, which has been tracking the virus, called Nyetya.

Ransomware usually advertise multiple wallets and emails so that money can be collected from the companies whose data has been affected, said Williams.

“Looks like someone has been trying to design something that looks like ransomware,” he added.

In the case of Nyetya, with the wallet and email blocked almost immediately, there was no way the affected companies could make payments, even if they wanted to, he added.

The fact that the attack seemed to have been aimed at Ukraine and came ahead of the country’s Constitution Day, pointed the needle of suspicion at a political purpose, Williams said, adding, however, that it could not be said with certainty that it was a state-sponsored attack.

He said the fact that the virus had affected other countries and companies outside Ukraine could have been a case of “collateral damage”, with the networks of companies that did business with that country becoming infected.

“We believe that’s what’s happening,” he said.

The new cyberattack began massively affecting dozens of companies and institutions in the world, beginning with Russia and Ukraine on Tuesday, and spreading to Asia, Australia and the US.

According to Williams, Nyetya is the first virus to use three lateral vectors — Elernal Blue (same as WannaCry) and PSExec and WMI, both legitimate Windows administrator tools.

WannaCry had affected 200,000 people in 150 countries in May, encrypting data on infected computers and asking for a ransom to recover them.

However, WannaCry was “not much of a financial success”, said Williams, as it only made about $30,000 in the first week.

Such attacks were soon going to be common “as more and more people look to make money from ransomware”, warned Steve Martino, Cisco’s chief of information security, adding that companies need to be proactive in protecting their networks.

India, meanwhile, has largely remained insulated so far from the latest attack.

The shipping ministry on Wednesday said operations at one of the container terminals at Mumbai’s Jawaharlal Nehru Port Trust (JNPT) were impacted due to a global cyberattack.

According to the ministry, a private terminal operator at the JNPT was taking steps to address the issue. It was anticipated that there could be bunching of in-bound and out-bound container cargos.

“We have been taking proactive steps… we have sent out advisories (on the cyber attack and the malware)… India is not much affected at this stage,” IT minister Ravi Shankar Prasad said at an event in New Delhi.