A new ransomware variant has hit organizations across the world. It shares a name with similar ransomware strains from 2016, Petya/NotPetya. At this time, it seems that governmental and infrastructure organizations in Europe were most affected by this malware. Petya is exploiting a vulnerability in Microsoft Windows presumed to have been discovered and weaponized by the National Security Agency (NSA). Earlier this year, this cyber weapon, called EternalBlue, is believed to have been stolen and released publicly by a group called the Shadow Brokers.
Petya has only a few similarities to WannaCry beyond the use of EternalBlue. The threat actors who deployed Petya appear to have learned from WannaCry, and they seem to have used additional offensive techniques including the following:
It is not clear if this new Petya ransomware has any connection to the Petya ransomware of 2016, although it uses similar tactics, including full-disk encryption. Crowe Horwath LLP has seen these tactics in other ransomware, such as Mamba and Mischa released in 2016, but there is no clear connection to a specific threat actor or group or to the intent of the ransomware.
While the malware is sophisticated in the use of credential theft, lateral movement, and full-disk encryption, questions remain about the authors’ intent and plan for the malware. This strain used a public email service based in Germany called Posteo, which took the email account down after the outbreak became public. Approximately 32 payments were sent by victims to the bitcoin address for payments before the email address was taken down. Additional payments were made after Posteo took down the email account. Currently, there is no way to decrypt systems encrypted by the Petya malware and no way for victims to contact the authors or receive a decryption key.
The fact that WannaCry had a kill switch greatly reduced its effectiveness and ability to spread. Could this have led some organizations to feel safe or overconfident once they learned hitting the kill switch was possible?
As Crowe has previously shared on its Cybersecurity Watch blog, WannaCry could have been prevented with basic and sound information security practices. The practices shared in a May 15, 2017, post remain 100 percent relevant.
When meeting malware threats, organizations don’t need special protections. They simply need to use a layered security approach to protect themselves. Organizations should consider implementing the following tactics:
Ransomware is here to stay, and it will be part of cybersecurity for the foreseeable future. According to the 2017 Verizon Data Breach Investigations Report (DBIR), “51 percent of data breaches analyzed involved malware. Ransomware rose to the fifth most common specific malware variety [and] saw a 50 percent increase from last year’s report, and a huge jump from the 2014 DBIR where it ranked 22 in the types of malware used.”
Although we do not have all the information regarding Petya at this time, it is clear that the organizations that have been affected by this latest ransomware do not have all these above-mentioned practices in place. Especially after all the press coverage about the critical importance of installing MS17-010, why are so many organizations still vulnerable to these threats? Industry is replaying old mistakes. Did global organizations not learn after the Code Red computer worm in 2001 (Microsoft Security Bulletin MS01-033), in which a patch also was available one month before the vulnerability was exploited?
Implementing sound information security practices can be a challenging task for some organizations. As the saying goes, “Security is a journey, not a destination.” While the list of recommendations here can appear simple, each one of these line items represents a comprehensive program. And each has budget, people, process, and technology components that need to be accounted and planned for and correctly executed and monitored.
Security is everyone's responsibility. Sometimes it’s necessary to bring an external specialist in to help understand the specific challenges. Until these program items can be properly addressed, organizations will still be vulnerable to each new variant of ransomware and other similar malware. Complacency is not an option because now more than ever, the question is when, not if.
So, in the meantime, what should you do about Petya?
© 2018 Crowe Horwath LLP, an independent member of Crowe Horwath International.