The global WannaCry ransomware attack launched a few months ago was unprecedented in its scale; however, it was highly unsuccessful in terms of profits, making an estimated few hundred thousand dollars from hundreds of thousands of victims. Similarly, the characteristics of the Petya attack that spread across the world in late June (dubbed “NotPetya”) indicate that its primary goal may not have been to generate revenue for its instigators.
The intent of this malware is not to encrypt everything on the disk, but only the Windows Master Boot Record (MBR), which lets the malware spread out much more quickly. The malware depends on admin privileges to gain access and spread. After spreading and encrypting the system files, the system is rendered unusable.
Like the original Petya attack of 2016, the NotPetya version encrypts the Windows Master Boot Record (MBR). It then schedules a reboot of the infected system, instead of rebooting immediately, after which system files are encrypted. The delayed reboot gives the attackers time to use that system as a “launch pad” to reach out to other connected systems.
So what’s different about NotPetya?
What’s different about Petya compared to a typical ransomware attack is that it appears to have been designed to be a malicious attack, while masquerading as a ransomware strain. For instance, Petya’s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim.
Petya also urged victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network designed to host websites that are difficult to take down.
This is ransomware as window dressing only, not ransomware as an actual attack attempting to extort money from victims. Instead, the key objective of this attack appeared to be broad disruption of business operations across Ukraine, with over 80 Ukrainian companies affected by the attack, including banks and utility providers. This was weaponised malware aimed mainly at a single target.
So what does it all mean?
Ransomware is becoming more sophisticated and more of a weaponised tool. One thing to recognise is that a lot of the proliferation capabilities were focused on internal networks. There was not a tremendous focus on expanding outside of those specific networks, which indicates that this Petya attack was designed for disruption, not revenue generation.
WannaCry was supposed to be a wake-up call for people and companies to update their computers with the latest software. The NotPetya attack has taken ransomware to a new level, using tools that created a widespread, disruptive attack, not only on businesses, but at a social and economic level. In other words, this latest Petya attack is clearly not just about our businesses anymore. It’s about the people around us and the economies around us.
The effects of this attack are likely to persist for some time to come. In fact, FedEx’s European business, TNT Express, recently revealed that NotPetya cost the business $300 million in lost revenue, leading the company to consider taking out cyber insurance. Meanwhile, there are other vulnerabilities already apparently being exploited in the wild that could enable similarly disruptive attacks in the near future.
How to mitigate against weaponised ransomware
If you are keeping current on your Windows security updates, you’ve got the targeted vulnerabilities mostly patched. But patching alone is not enough. These two most recent wide-scale ransomware attacks (WannaCry and Petya) underscore the importance of a defense-in-depth strategy. It can start with timely, comprehensive patching, but must also include application control (to limit the ability to run WMIC and PsExec), antivirus and privilege management.
An attack this sophisticated was designed to be able to get around one or two security measures, making a multi-layered approach mandatory for effective defense. The bottom line is that there are some initial attack vectors you are not going to be able to defend against. However, what you can do is arrest their deployment throughout the rest of your environment.
It’s only a matter of time before the next global weaponised malware attack hits, so it’s more important than ever to ensure you are prepared – and that your data is backed up in the event of an attack.
Michael Bosnar is vice president, ANZ, at Ivanti.