Once again, mass reports are circulating of a ransomware attack sweeping across the globe.
Believed to be a variant of Petya, affected users are confronted with a screen that states that all of their data is encrypted and can be unlocked with a key that can be purchased for a ransom. The most recent victims seem to include pharmaceuticals company Merck, the law firm DLA Piper, Spanish food giant Mondelez and Danish shipping concern Maersk.
Two early forensics points seem to be worth noting. It appears the attack is exploiting the same Microsoft vulnerabilities as the WannaCry software did in May. This wave is explicitly targeting organizations who may have found it more difficult to upgrade all of their systems due to the need to have the systems on-line for business reasons. Additionally, as is the case with most sophisticated attacks, the signature of the Petya variant is not recognized by most anti-virus updates.
What Lessons Can Be Learned?
There are several, but let's touch on a few key takeaways.
It has long been known that relying solely on anti-virus or other signature detection approaches to protect against malware is risky. Today's cyber criminals are nothing if not sophisticated. They have the same anti-virus updates as you do and can easily alter the signature of their variants to remain undetected. Anti-virus is no defense against a dedicated attacker that has your data in their sights.
Keeping systems up to date with security patches is a must. As can be seen in both the WannaCry attacks in May and this weeks Petya, some companies weighed the cost of downtime against the risk of a ransomware attack - and lost. Again, we aren't dealing with some overaged juvenile with social issues and uber-nerdy hacking skills here. Today's attacks are being brought to us by well-funded cybercriminals who strategically plan the most effective attacks that will yield the best return on investment. They know who is likely to be vulnerable. So if you fit the profile (reliance on data, too busy to upgrade your systems) you will be a prime target.
Cyber security awareness training is critical. Studies across a number of industries are pointing to the fact that the majority of attacks are successful because of insider intended or unintended actions. Phishing schemes and social engineering top the list. If you haven't started training employees on how to recognize suspicious emails and social content you are severely behind the curve.
Make sure your business partners take your security as seriously as you do. A common attack vector is through one of your suppliers, outsourcers or other types of business partner with access to your trusted networks. Make it a condition of doing business that you regularly audit their security practices and that they undertake employee cyber awareness training.
The importance of data sharing in today's economy likely means that your organization routinely exchanges data with external partners. These transmissions should be encrypted, checked with anti-virus and access should be restricted to Multi-Factor Authentication.
Too many companies have focused solely on perimeter and end-point defenses only to be attacked through the data transfer tools they use in everyday business. Access to an FTP platform is like finding a pot of gold to a cyber criminals. It offers clear command and control to carry out their attacks from within your networks. Make sure you are using the most secure and compliant means of data sharing available such as a Secure Managed File Transfer system.
As is typical, within 24 hours of the first posting of this blog, new information has emerged from forensic analysis of the attack. Examination of the code suggests variations from Petya significant enough that analysts are referring to the malware as NotPetya or Petnya.
Some of these variations also suggest that the motivation was not financial as the attacker used an extremely inept payment mechanism. The ransomware demanded payment to a single email address which was quickly blocked by the attacker. Thus the payment could never be made.
Analysts now believe the attack was likely state sponsored and aimed at the Ukraine government. The attack first surfaced in the Ukraine using the software distribution mechanism for an accounting application used by firms doing business with the government.
In any event, the above cyber security precautions are still applicable.