Petya attack: Maersk partially recovers, taking pressure off ports of Auckland and Tauranga

PLUS: Petya revealed as a politically-motivated "wiper" rather than ransomware, with no chance of files being returned.

UPDATE 2pm Friday: Maersk says it has partially restored its global logistics system following the Petya malware attack that started Wednesday NZ time. 

In a statement emailed to NBR at midday NZ time, the company said, "We are pleased to let you know that Maersk Line is open for business as we are again able to accept bookings via INTTRA. Our vessels are sailing and loading cargo. Some restrictions remain as not all systems are up and running but we are collaborating with cyber-crime agencies and IT industry leaders to reinstate services fully."

The Maersk update was sent via a Hotmail address – an indication that things aren't 100% hunky dory.

Spokespeople for the ports of Auckland and Tauranga could not immediately comment on what degree of access had been restored to Maersk's system for digitised load lists and instruction for cargo release. But both said operations were running to schedule. In the Ports of Auckland's case, it has only had one ship, with a limited number of Maersk containers in dock. 

Tauranga has managed to use old-school methods to manage the unloading of the 9650-container Svendborg Maersk yesterday, while the 4041-container Leda Maersk is to unload today.

Meanwhile, there are still no reports of Petya attacks in New Zealand, says Rob Pope, director of government cyber-security agency Cert (Maersk's global operations were affected after its servers in Europe were compromised).

Increasingly, the malware looks like a politically-motivated attack on the Ukraine, as opposed to the for-profit WannaCry that targeted companies worldwide. Maersk and others affected appear to be collateral damage.

Petya attack: Port of Tauranga switches to manual systems to unload Maersk ship
UPDATE Thursday 11am: The Port of Tauranga has been forced to switch to manual systems to unload two Maersk vessels after a Petya malware infection saw the shipping giant take its global logistics system offline after its computers in Europe were compromised.

However, commercial manager Leonard Sampson says there have not been any delays or downtime.

The 9650-container Svendborg Maersk was unloaded yesterday, while the 4041-container Leda Maersk is in port today.

"We are exchanging critical information with Maersk via an alternative email system," he says, referencing the shipping company's switch to Gmail and old-school pen and paper.

"At this point, it is business as usual at the port and no disruption is expected," Mr Sampson says.

Meanwhile, the head of the government's Computer Emergency Response Team, Rob Pope, says that around 36 hours into the Petya attack, there are still no reports of local infections.

Mr Pope warns anyone who does get hit by Petya that they will have zero chance of getting their files back if they pay the $US300 ransom.

That's because Petya (also known as NotPetya) has now been revealed as a "wiper" rather than ransomware. After infecting a computer, it wipes its master boot record, destroying files so there is no possibility they can be returned.

Another difference with the earlier WannaCry attack is that an email address to contact the attackers for payment was disabled early on — and the hijackers seem to have no interest in providing alternative channels of communication (as is usual with ransomware).

The purely destructive nature of Petya appears to relate to the fact that it seems to have been targeted at infrastructure operators in the Ukraine (although it has subsequently spread to Europe and elsewhere).

Tech commentator Bill Bennett speculates that could mean a state actor is behind the attack — namely, Russia — rather than show-off hackers or organised crime.

Petya threatens ports of Auckland, Tauranga
UPDATE Wednesday 6.15pm: Shipping giant Maersk has confirmed its global operations software has been hit by the Petya ransomware attack.

Ports of Auckland spokesman Matt Ball says the Danish company has had to shut down its entire system to prevent further exposure.

"Until this is resolved, Maersk has no means of receiving load lists, discharge lists or instructions for cargo release. They have even closed down their email servers and are communicating via Gmail," Mr Ball tells NBR.

So far, Maersk's problems have not had any impact on the port's operations — simply because there are no Maersk ships being unloaded.

But that will change on Friday when a container ship from Hamburg Sud, carrying Maersk containers, is due to arrive in Auckland, its first stop before the Port of Tauranga, which is now the main local Maersk port (Hamburg Sud was bought by Maersk in April, but the deal is still being finalised and their systems have yet to be integrated).

And on Sunday a Maersk vessel is due in Auckland.

Cert warns against new ransomware attack called Petya
Wednesday 9am: Crown cyber-security agency the Computer Emergency Response Team (Cert) is warning that a new ransomware threat is sweeping the globe.

It says so far there have been no reported local attacks.

Like the recent WannaCry, Petya — back in a new form after previous attacks — targets computers running older versions of Windows by exploiting the "Eternal Blue" vulnerability in Microsoft Small Business Server.

It encrypts files on a PC, displaying a flashing red-and-white skull and crossbones before a demand for $US300 to free them.

The Petya attack began in the Ukraine earlier today, where there are reports of the postal service, a telco and other organisations being hit. It then spread to Europe, where Danish shipping giant Maersk was among those infected, according to the New York Times. There are now reports of attacks in the US. And ABC News says a Cadbury chocolate factory in Hobart has been hit.

NZ Cert is advising organisations running Windows XP through to Windows 2008 R2 and Small Business Server to install the security patch released by Microsoft at the time of the WannaCry attack (it's available on Microsoft's website).

More broadly, the advice from security professionals remains the same: Make sure you’re using the most up-to-date versions of all your software – not just your security software. Don’t click on suspicious links or email attachments (which are not used to spread Petya but it’s good practice). And make sure you have backups and test them.

Petya flashes a white-and-red skull & crossbones on an infected PC before demanding a ransom of $US300 be paid in bitcoin.

The creators of WannaCry were never caught. Symantec cyber security strategy manager Nick Savvides says his company has found evidence linking the attack to the Lazarus Group, a criminal enterprise with ties to the North Korean government.

But whether perpetrators are caught or not, he says get ready for more ransomware attacks, which he describes as "the new normal."

Should you pay a ransom?
Cert NZ, Netsafe and the police recommend not paying a cyber-ransom. They say it only encourages more crime, and there's no guarantee you'll get your files back.

Contrarian lawyer and intellectual property expert Michael Wigley says victims should consider paying up. Files are often returned, and the amount of money is low if they're not. When dealing with real-world pressures, including their duty of care to retrieve client files, companies need to be pragmatic, he says.

Cert was recently created by the government to monitor cyber threats and help co-ordinate a response. It won't help you get rid of malicious software, but if you're infected by ransomware, it can point you in the right direction to find help, or to the appropriate law enforcement contacts.
