The Communications Authority of Kenya (CA) has advised online users in the country not to give into the ransom demand linked to Petya encrypting ransomware attacks, as the global cyber security community attempts to establish the origins of the virus responsible.

The CA says Petya is targeting Windows operating systems by denying users access to data until a ransom has been paid, similar to the WannaCry ransomware virus which also attacked computers across the world in May this year.

Christopher Kemei, Director of Licensing, Compliance and Standards at the CA, said, "Once a computer has been infected with the virus, it tries to infect other computers within the network and denies users access to their information. The Authority has warned the public against yielding to ransom demands. To stay safe, the Authority through National Kenya Computer Incident Response Team (KE-CIRT) advises computer users to observe a number of precautions including ensuring they have an up-to-date backup of their files offline to ensure the information can be easily restored in the event of an attack."

Kemei has also discouraged consumers from clicking on links or opening attachments or email from unknown sources. "Unless you trust the source, do not enable macros and instead delete the email immediately and permanently."

He adds that routine anti-virus and operating system updates work well as preventative measures.

The CA entered into an agreement with the United States to ensure open, interoperable, reliable, and secure cyberspace during the inaugural US-Kenya Cyber and Digital Economy Dialogue which took place days before the Petya attack.

The commitment to combat cybercrime and promote cybersecurity was also accented to by Kenya government agencies including the Office of the Attorney General, ICT Authority and National Communications Secretariat.

Establishing origins of Petya

Rick Rogers, Area Manager for East and West Africa at Check Point Software Technologies has noted that when it comes to Africa "apart from the global press coverage received that increased the visibility of Petya, no major occurrences have been reported in the field."

Rogers does add that Check Point's Incident Response Team has been responding to multiple global infections caused by the variant of the Petya malware, which first appeared in 2016 and is currently moving within customer networks.

He says Peyta is propagating quickly across business networks in the same way WannaCry did in May.

"Unlike other ransomware types including WannaCry, Petya does not encrypt files on infected machines individually: instead it locks up the machine's entire hard disk drive."

Anton Cherepanov, Senior ESET Malware Researcher who has been working to establish the origins of the latest outbreak of Petya, says longitudinal research points to similarities between multiple campaigns by the TeleBots cybercriminal group in Ukraine, and aspects of their evolving toolset in attacks between December 2016 and March 2017, and the Diskcoder.C (akaPetya) outbreak that took place on 27 June.

"The parallels to the December 2016 attack against financial institutions, and the subsequent development of a Linux version of KillDisk malware used by TeleBots are strong clues. It was these indicators, alongside mounting attacks on computer systems in Ukraine, that warranted a deeper look at TeleBots," added Cherepanov.