Financial Services Ireland


“NotPetya” ramsomware – the new normal, or not really what it seems?

Read more

For the second time in as many months we are seeing a large-scale cyber-attack campaign which is impacting businesses globally. Leaving the finer technical details aside, at first it appeared similar to the WannaCry attack widely reported in May, however it is now looking like there may be different motives behind the attack.

Ransomware has been around for decades, only gaining prominence in the last 5 or so years as its impact has been felt by more victims globally. It’s a relatively straight-forward form of extortion in that a computer typically becomes infected due to the user opening a malicious attachment in an email or in this case, visiting a website which has been compromised and loaded with the malware. The malware proceeds to disable the computer and/or encrypt the users data (and any data on other computers which can be legitimately accessed by the user) and asks the user for a ransom payment in Bitcoin to give them access to their data again.

As with the WannaCry malware, the Petya malware (also known as NotPetya or GoldenEye) also has the ability to automatically spread to computers within reach, without requiring any interaction from legitimate users. In this way it is more like self-propagating malware (commonly known as ‘worms’), which makes it a far bigger issue for companies and other organisations who rely on large networks of interconnected systems (as opposed to personal/home users whose networks are smaller and who can patch more easily).

READ: WannaCry – The latest evolution of Ransomware

In line with the majority of malware, the Peyta malware exploits at least one already known vulnerability (for which a patch has been released), but also combines a variety of other techniques to propagate itself and infect other machines within targeted networks. So, while it would be very helpful for organisations to have applied the patch released by Microsoft back in March, it would not necessarily have stopped this attack.

Initial intelligence suggested that this was yet another ransomware attack, where the intent is simply to make relatively small amounts of money ($300-900) from a large number of victims. However we have since learned that the malware used in this attack was not actually ransomware but more akin to a wiper malware that permanently encrypts all data on the infected systems. In fact, the malware appears to be purposefully designed to not include the capabilities to decrypt and recover the encrypted data. The attackers also appeared to be using a single Bitcoin wallet (similar to a bank account) to receive the ransom monies and a single email address to communicate with victims. This is strange for ransomware in that it’s very easy to shut them both down (which they were), thus depriving the attackers from reaping the rewards of their crimes. While it’s unlikely that we will ever uncover the true identity of the attackers or their motives, a number of plausible explanations exist:

  • They released the malware by accident
  • They released it on purpose to test it and the new techniques it leverages
  • They released it on purpose as a cover/distraction for their real intent

Given the actual impact of the malware was to destroy computers and data, with no prospect of returning access to the data even if the ransom was paid, it’s highly likely this attack was a targeted ‘Wiper’ malware, designed to simply destroy systems and data (using the ransom note to distract attention from this real intent). Its initial impact was organisations in Ukraine, likely the primary target. However, as with any self-propagating malware, not even the authors can control where it ends up, leaving collateral damage in numerous other countries.

Protecting your organisation against Petya and other Ransomware

The advice on how to protect yourself remains the same as ever:

  • Learn to recognise phishing emails – don’t click on web links or open attachments contained in them – roll-out a continuous user awareness programme, ensuring users are trained at induction and at regular intervals so they can recognise and report on potential attacks.
  • Stay up-to-date with vendor fixes for whatever software you are using by applying patches regularly – ensure an organisation-wide vulnerability management programme to identify these vulnerabilities regularly and manage them through to when they are remediated.
  • Make regular backups of your important data, store them safely and test that they work.
  • Use a firewall to keep your computer protected from the Internet – and in this and the WannaCry case, disable access to the SMB and RDP protocols, at a minimum for computers directly connected to the Internet, and also consider for all internal computers.
  • Ensure your Microsoft Windows account is a user-level account, not a privileged administrator one, as well as ensuring that users only have access to the data they need to, and nothing else.
  • Disable any features or network services you don’t need on your computer.

Although the motives appear different, organisations impacted by this or the previous WannaCry attack should take it as a final wake-up call that cyber-attackers are not going away and basic cybersecurity measures can significantly reduce the risks of becoming a victim in the first place. Focus on educating your users to spot and prevent attacks (by not clicking where they shouldn’t) whilst also patching known vulnerabilities and making changes to how systems are configured in order to defend against the various techniques this current attack leverages. If this fails, ensuring you have working backups is critical to survival.

We are still in the early stages of learning about this attack, particularly the finer technical details of how it is executed and therefore how best to respond. EY will continue to provide detailed technical updates as our research teams uncover further details of the attack.

Get in touch with me, Hugh Callaghan or your usual EY contact for more information on how to protect your organisation from cyber security attacks.