PRESS STATEMENT
The management of Nigeria Information Technology Development Agency (NITDA) would like to bring to the attention of Nigerians another deadly cyber-attack, similar to the recent ‘WannaCry’ attack. This attack, called Petya ransomware or ‘GoldenEye’, not only encrypts files but also encrypts hard drives, rendering entire computer systems inaccessible.
An official statement released in Abuja by the agency and signed by its Director-General/CEO, Dr. Isa Ali Ibrahim Pantami states:
“The Petya attack has paralysed businesses across the world and is spreading quickly with reports indicating that countries affected so far include Ukraine, Denmark, Russia, the UK, Germany, France, Italy, Poland and the USA. The malware is spreading using a vulnerability in Microsoft Windows that was patched in March 2017 — the same bug that was exploited by the WannaCry ransomware.
“While our CERRT team is working round the clock along with other stakeholders to come up with effective defense mechanism for the Nigerian cyberspace, we are calling on Network Administrators in the public and private sectors as well as individuals to take the following measures recommended during the recent WannaCry attack:
- isolate the system from your network to prevent the threat from further spreading;
- remove the system from Network; and
- do not use flash/pen drive, external drives on the System to copy files to other systems.
As a general precautionary measure and as the security of systems is our collective responsibility, we would like to recommend that individuals and organisations should:
- regularly update their operating systems with the latest patches;
- regularly update their software applications with latest patches;
- turn off unnecessary/unneeded features;
- avoid downloading and opening unsolicited files and attachments;
- adjust security software to scan compressed or archived files; and
- avoid indiscriminate use of wireless connections, such as Bluetooth or infrared ports.
“The National Information Technology Development Agency (NITDA) is an Agency under the Federal Ministry of Communications. The Agency was established in April 2001 to implement the Nigerian Information Technology Policy and co-ordinate general IT development and regulation in the country. Specifically, Section 6(j) of the Act mandates NITDA to advise the Government on ways of promoting the development of information technology in Nigeria including introducing appropriate information technology legislations and ways of enhancing national security and the vibrancy of the industry.
“We, therefore, call on all citizens, especially critical stakeholders in the IT industry, to support NITDA in this onerous task by always following best practices as well as being proactive in the way information and systems are handled. These will help in minimizing risks of attacks as well as possible loss of vital information.”
TRENDING ONLINE – Six quick facts to know about today’s global ransomware attack
By Zack Whittaker
Tuesday saw a second major cyber attack in as many months, affecting several countries and dozens of major companies — and that’s just the start.
Some of the dust has settled throughout the day. Here’s what you need to know, now.
1. THE SAME ATTACK — BUT DIFFERENT
If you thought this was similar to last month’s WannaCry ransomware attack, you’d be right.
Just like last time, the unknown attacker used a backdoor exploit developed by the National Security Agency, EternalBlue, which leaked some months ago. The attacker installed the backdoor on thousands of computers, later used as a delivery vehicle for a ransomware payload.
Last month, it was the WannaCrypt ransomware, but this time, security firms Symantec and Bitdefender have confirmed that it’s a Petya ransomware strain dubbed GoldenEye, which doesn’t just encrypt files — it also encrypts hard drives, rendering entire computers useless.
Many of the initial reports of organizations affected came from Ukraine, including banks, energy companies, and even Kiev’s main airport. It’s spread to Denmark, Russia, the UK, and the US. At least one hospital has been hit by the ransomware.
So far, Kaspersky said there had been more than 2,000 separate attacks in the six hours after the initial infection, while the UK’s national cyber security declared a “global ransomware incident.”
2. NOBODY KNOWS WHO’S BEHIND THE ATTACK. BEWARE THE ‘NATION STATE’ RHETORIC UNTIL THERE’S EVIDENCE
It’s easy to want to assume that this could be a nation-state attack, given that blame is usually pointed at Russia for major cyberattacks or political meddling. In last month’s cyber attack, North Korea was a key suspect.
But there’s no evidence at this time to suggest a government is behind the attack.
The problem is that because hackers published the set of NSA tools used to carry out both last month’s and today’s attack, anyone can use them — from a nation state to a lone hacker.
Given that many are still poring over last month’s attack and still have yet to come up with any definitive answers as to who was behind it and why goes to show that attribution is extremely difficult, if not impossible.
3. SOME INFECTIONS ARE TRACED BACK TO ONE UKRAINIAN FINANCIAL SOFTWARE COMPANY
One security firm appears to have found a connection between a Ukrainian financial software firm and the possible “ground zero” of the attack.
Talos Intelligence said in a preliminary analysis that “it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc.”
That appears to have been confirmed by the company. “Our server made a virus attack. We apologize for the inconvenience!” said the note. (MeDoc later denied the claim in a Facebook post.)
“Essentially what happened is Medoc was hacked and they pushed out the malware via the update feature,” tweeted MalwareTech, a security researcher credited with finding and activating the kill-switch in the WannaCry attack.
Talos isn’t sure how MeDoc was hacked. It is investigating the possibility that an attacker emailed a malicious attachment to an employee on MeDoc’s network, but said it can’t yet be confirmed.
If proven to be true, that would lend more credence to the possibility that a nation-state attacker, or at least a very advanced hacker, launched the attack by hacking into MeDoc’s servers.
4. ONE POINT OF ENTRY CAN DESTROY A NETWORK — PATCH EVERYTHING
If you haven’t patched your systems recently, now might be a good time.
According to analysis by several security experts, all it takes is one point of entry to infect an entire network. That means if one computer out of a hundred hasn’t patched the EternalBlue exploit, released by Microsoft earlier this year, it can literally spread across an entire network.
In other words, all boats need to be patched as one wave can tip them all over.
Locally networked or enterprise users are at the greatest risk. So far, larger companies appear to be the most affected, including US pharmaceutical giant Merck, Russian petroleum company Rosneft, British marketing giant WPP, and Danish transport and energy firm Maersk,
The good news is that most homes with a single Windows computer are likely automatically patched and can’t be infected.
5. YES, THIS FLAW WAS PATCHED ALREADY BUT THERE’S ALWAYS ONE…
Microsoft released several security patches last month in the immediate wake of the WannaCry cyber attack, including for older versions of Windows that it doesn’t support anymore, in an effort to stop the malware from spreading.
The vast majority of home and business networks running the latest patches and fixes are safe from today’s attack.
But clearly, not everyone installed the patches.
Many computers and networks that run critical infrastructure — like train stations and airports — were directly affected by today’s ransomware attack because they are connected to networks that are vulnerable and aren’t patched. Many would prefer not to install patches immediately because they can, on occasion, cause more harm than good. But also many don’t want the downtime of restarting a computer — especially in 24-hour always-on environments, like transport hubs.
6: DECRYPTION IMPOSSIBLE?
And one last thing.
The email address displayed on the ransomware message has been blocked by the email provider, meaning nobody can get the decryption keys to unlock their computers.
That means anyone who paid the ransom — about $300 worth of bitcoin to the anonymous wallet — and confirmed their payment to the email listed on the ransomware warning message wasted their money. (At the time of writing, the bitcoin wallet had about $6,000, suggesting at least 20 people had paid the ransom.)
Posteo, an email provider used by the ransomware attacker, said in a blog post that it “blocked the account straight away” around two hours into the attack.
“We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases,” said the statement.
While you should never pay the ransom for reasons sister-site CNET explained, now you can’t even if you wanted to.