In the Aftermath of the 'NotPetya' Attack
How to prepare for the next malware outbreak that threatens business continuity
By: Michael R Cote
Overseeing cybersecurity risk and responding to stakeholder concerns can be a complex task, particularly in the case of a fast-moving crisis like Tuesday’s global ransomware attack. While it appears the worst of the outbreak is over, here’s what we’ve learned along with recommendations for engaging the broader business to protect against the next one.
What is the ‘NotPetya’ attack?
NotPetya is malware that has caused disruption this week to companies, infrastructure, and governments around the globe. It was incorrectly identified as “Petya” or “Goldeneye” yesterday by most media and some industry reports, but SecureWorks® does not see sufficient overlap between this current malware and the Petya or Goldeneye variants, so we will continue to use its assigned name, “NotPetya.”
- At this time we believe that companies that have not already been infected are unlikely to be. However, until it is clear that NotPetya no longer poses a risk, companies should continue to implement the precautions recommended by our Counter Threat Unit™ (CTU). Our CTU researchers will also share additional guidance in our NotPetya Analysis webcast.
- It is not a variant of WannaCry, but is similar in that it can self-spread and scale globally. It uses stolen credentials and exploits vulnerabilities to spread rapidly through impacted organizations, encrypt files, and demand a ransom of $300 in Bitcoin.
- The “who” behind the attack is still unconfirmed. However, SecureWorks is increasingly confident that this was likely a disruptive attack masquerading as a ransomware campaign, and that poor execution on the money-making aspects of the campaign reflects that the ransom was a lower priority for the actor. We are also weighing the possibility that Russia-based actors are responsible.
- From a security perspective, this attack was more difficult than WannaCry to defend against. As well as using exploits, it leveraged a multi-layered set of tactics that involved stealing credentials, accessing legitimate business tools, and using them to illegitimately propagate and infect systems.
Why is it important?
This new outbreak once again underscores the slow pace at which public and private entities are patching software and applications for “known” critical vulnerabilities. Patching is a standard IT hygiene practice that is just as dependent on people, process and governance as it is on technical execution. The original patch for EternalBlue was distributed to the public on March 14, 2017, for example. However, in this case we also saw why validating third-party software updates is just as important as executing the patches themselves. Some companies that did have good patch protocols were still infected because the malware traveled via a fresh internet update to an accounting software package prevalent in Ukraine. When companies accepted an update to that accounting software without validation, they became infected.
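The following is an added illustration, not code from the original post or from SecureWorks, of the update-acceptance gate the paragraph argues for: an update is installed only if a vendor manifest is authentic and the delivered bytes match the digest it lists. The vendor key, manifest format and payloads are all constructed for the example; the HMAC stands in for a vendor's code-signing key pinned out of band, since real vendors sign with certificates.

```python
import hashlib
import hmac
import json

# Constructed sample data. VENDOR_KEY stands in for signing key material an
# organisation would obtain and pin through a channel separate from the update
# server itself (assumption for this example; real updates use code signing).
VENDOR_KEY = b"pinned-vendor-key-obtained-out-of-band"
GOOD_UPDATE = b"accounting-update-1.2.3 payload bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signed_manifest(key: bytes, files: dict) -> dict:
    """Vendor side (simulated): list each file's digest and sign the list."""
    body = json.dumps({n: sha256_hex(b) for n, b in files.items()}, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), "sha256").hexdigest()}


def verify_update(name: str, data: bytes, manifest: dict, key: bytes = VENDOR_KEY):
    """Customer side: returns (accepted, reason). On any failure the caller
    should quarantine the package rather than install it."""
    expected = hmac.new(key, manifest["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False, "manifest signature invalid: do not trust its digests"
    digests = json.loads(manifest["body"])
    if name not in digests:
        return False, "update not listed in manifest: stage for manual review"
    if not hmac.compare_digest(sha256_hex(data), digests[name]):
        return False, "payload digest mismatch: possible tampering in update channel"
    return True, "manifest authentic and digest matches: safe to stage on canary hosts"


# Manifest the vendor would publish alongside the constructed update.
MANIFEST = build_signed_manifest(VENDOR_KEY, {"accounting-update-1.2.3": GOOD_UPDATE})

if __name__ == "__main__":
    tampered_body = dict(MANIFEST, body=MANIFEST["body"].replace("1.2.3", "1.2.4"))
    cases = [
        ("genuine update", "accounting-update-1.2.3", GOOD_UPDATE, MANIFEST),
        ("altered payload", "accounting-update-1.2.3", GOOD_UPDATE + b"\x00", MANIFEST),
        ("altered manifest", "accounting-update-1.2.4", GOOD_UPDATE, tampered_body),
    ]
    for label, name, payload, mani in cases:
        print(f"{label}: {verify_update(name, payload, mani)}")
```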
Based on current knowledge, the primary focus of the outbreak was in Ukraine and organizations that have business operations there. Overall, it has reportedly impacted industrial infrastructure, banks, transportation, pharma, food companies and governmental infrastructure. From our own visibility and public reports, the scope of impact for some companies was significant. Loss of factory automation and operational shutdowns for shipping have been reported.
Executives are encouraged to seek an immediate understanding of the following potential impacts of any attack that makes systems unavailable to the business user:
- Remediation: If you are not yet affected, ask security and IT leaders about the remediation requirements necessary to protect critical assets in the short term and if there could be operational impact.
- Recovery: If your organization is affected but runs regular backups for critical files, those files can likely be restored, even if they are encrypted by NotPetya. Evaluate what business continuity issues might be encountered while a restore is taking place.
- Loss: Worst case, no backup has been performed on the affected files, and they are permanently inaccessible. In addition to the continuity impact, will there be remediation costs to remove and replace vulnerable systems and software?
- Regulatory Exposure: Evaluate your regulatory exposure and ensure that appropriate agencies have been contacted if you are affected by NotPetya, so that timely notification and remediation are evident and proper documentation is maintained.
Recommended Executive Action
- Know what critical data and files might be at risk of encryption from ransomware. Verify that data is properly classified to identify what data should be prioritized for backup protections.
- Ensure that robust backup and restore plans are in place for those assets.
- Ensure that you have a multi-layered security strategy that does not rely solely on prevention.
- Access a wider range of threat intelligence via information sharing and third parties.
- Monitor vulnerability management: timely patching is essential, but also be sure that compensating controls are in place in the event a patching deadline becomes unrealistic.
- Review the incident response plan: understand business continuity issues, communication flow, ownership, and capabilities for rapid response.
- Invest in culture and training, particularly user awareness of suspicious links and attachments.