A wiper malware disguised as ransomware wreaked havoc this week, infecting the systems of numerous organizations across more than 60 countries.
While initial analysis suggested that this was a Petya-powered ransomware attack similar to WannaCry, further investigation revealed that the malware is actually designed to overwrite the master boot record (MBR) of compromised machines. There is no way to recover encrypted files, even if the ransom is paid.
The wiper, tracked as NotPetya, Petya.A, Petrwrap, exPetr, and GoldenEye, has leveraged various tools and exploits for initial infection and lateral movement within a network.
While major organizations around the world were hit by the ransomware, some evidence suggests that the attack may have actually been aimed at Ukraine.
Industry professionals have commented on the NotPetya campaign, including its implications, attribution, and why these types of attacks are still possible.
And the feedback begins…
Nir Giller, CTO, CyberX:
“Let’s face it — when the Shadow Brokers leaked the NSA’s hacking tools, they let the genie out of the bottle and there’s no putting it back in. We should expect to see all kinds of cyber-adversaries playing with and building on top of them. Some of us in the ICS cyber security community are braced for the worst – mainly that some creative hacker will find a way to cross-pollinate elements of WannaCry/Petya with the destructive payloads of the ICS-specific Industroyer/CrashOverride malware. If that were to happen, then we’re playing a whole new ballgame.”
Paul Innella, CEO, TDI:
“There are strict physical safety measures imposed on numerous industries like seat belts and airbags, yet we need look only at the current U.S. administration and their public stance on cybersecurity to see an instance of unbelievably insufficient governmental policy.
The entire Intelligence Community and the cybersecurity community which supports the government knows and has known the Russians have sophisticated teams and methodologies which have been attacking us for years. This administration seems to have turned a blind eye to our national defense given their consistent refusal to admit Russia’s complicity. This makes a bold statement that the White House has no intention of preventing, at a policy level, cyber-attacks. There are still gaping holes in the Federal CISO and White House CISO positions and we’ve not received any movement in policies or executive orders of any substance.”
Jason Kichen, Head of Cybersecurity Services, Versive:
“The evidence suggesting this week’s so-called ‘Petya’, or ‘NotPetya’ ransomware attack is, in fact, a destructive wiper-like attack points to the potential for even deeper concealment and cover techniques as different actors are emboldened to employ more attacks. The forensic analysis of this malware seems to indicate that it’s not ‘true’ Petya ransomware, but probably came from the same codebase. Someone picked up Petya, made a series of modifications, and sent it on its way with a new destructive mission. The modifications to the malware do not make it any better or stronger or more effective as a ransomware tool, but they did make it more effective as a destructive tool and – more importantly – kept a lot of people distracted with the ransom angle for days.
This possible deception reveals a key point: Considering the publicity that ransomware attacks receive, it would make a lot of sense to execute a targeted, destructive cyber-attack under the guise of a seemingly opportunistic, criminal-driven ransomware spree. Equally important – an attacker does not need a lot of advanced knowledge or tools to pull this off, re-purposing malware from the wild is commonplace, and packaging in leaked exploits requires only slightly more expertise. In so far as true attribution is even possible, there is likely far more to be learned by focusing on the specific Ukrainian victims and the initial attack vectors, versus the specifics of how the ransomware functioned.”
Tom Kellermann, CEO, Strategic Cyber Ventures:
“From Russia with love… The Cyber siege of Ukraine harkens the escalation of the conflict along the border with Russia. This cyber pulse is being directed by the Kremlin and is using cyber militias like CyberBerkut to take down critical infrastructure. This should serve as a warning to NATO members that Putin is ready to take the gloves off.”
Hank Thomas, COO, Strategic Cyber Ventures:
“A senior Ukrainian Military Intelligence official was killed in a car bomb yesterday in Kiev. The Russians appear to be expanding their multi domain approach to their current campaign. Expect for there to be destructive attacks in the near future facilitated by cyber means. Much of what is going on right now is simply armed reconnaissance or reconnaissance by fire.”
Travis Farral, Director of Security Strategy, Anomali:
“A number of us in the security community are debating whether the Petya attack on 27 June wasn’t a targeted attack on Ukraine, disguised as a ransomware attack on any organization caught up in the method used for infection.
There are details that support such a theory. The attackers behind the ransomware haven’t experienced much ROI despite the broad impact of the attack, they set up a weak payment process, launched the attack just prior to Ukraine’s Constitution Day and leveraged a malware family named for the pet name of Ukrainian President, Petro Poroshenko.
Intelligence is leaning towards the idea that the impact the attack had on Ukraine was a causal effect, and entities affiliated with the campaign were caught in the crossfire of destruction or a diversion rather than ransom collection.”
Ajay Arora, CEO and Co-Founder, and Tom Conklin, Head of Security and Compliance, Vera:
“Companies are not keeping pace with the attackers. They are slow to patch and running vulnerable environments. While IT is patching yesterday’s attack the threat has evolved and attackers have moved on.
Our corporate culture is to blame. Many companies are either lacking the resources to aggressively patch, or they are concerned that patches could affect system availability (SLAs), so there is an incentive that if it ain’t broke don’t fix it.
This primarily affected European countries with the exception of Merck, for two reasons: They are much more lax about keeping up-to-date on patches, and they have a ton of pirated or illegal copies of software and thus don’t update software.
The NSA and government should do something about the genie that they let out of the bottle that is being exploited. They should be actively working to provide tools and at least recommendations as to how to close the vulnerabilities that they revealed. It’s costing the world countless amounts of dollars and is allowing the attackers to mount cyber warfare against companies, rather than simple theft.”
Ryan Kazanciyan, Chief Security Architect, Tanium:
“Many anti-malware tools focus on the most common vectors used in attacks: exploits delivered through office applications, web browsers and plug-ins, etc. As we’ve come to see, this distant-cousin of Petya was different: victims were infected by means of a third-party application’s automatic update function. Did some prevention software still catch the malware on day zero? Sure. But for plenty of others, this attack highlighted a blind spot. The so-called “next-gen EPP” market is now several years old, yet this generation still feels a whole lot like past ones. Attackers continue to innovate, adapt, and succeed against automated anti-malware solutions.
The solution isn’t to simply revisit our approach to malware detection and prevention yet again. Both WannaCry and this recent attack highlight fundamental failures of systems management technologies (and the processes built around them).
[…]
Time and time again, incidents like these demonstrate that businesses cannot ignore the root of their security problems in favor of quick band-aid solutions. There are far greater gains to be made by modernizing environments, adopting security mechanisms built into the latest operating systems, and building networks that are far more resilient to compromise or failure.”
Philip Lieberman, President, Lieberman Software:
“The quality and nature of cybersecurity within Europe is generally exceedingly poor compared to the United States. Government and industry are not operating in a cooperative manner as they do here in the US and the level of investment in security is comparatively very low as compared to here. At its core, Europe is a soft target for cyber attacks and there is little they have done to prepare or to react to the attacks. The lack of information technology security infrastructure and preparation is minimal in both government and businesses because of cultural and financial decisions of the last 20 years.”
Milind Kulkarni, vice president of product management, Veriflow:
“The ‘Petya’ ransomware malware responsible for Tuesday’s attack was especially virulent for two reasons. First, it appeared to use code sourced from NSA’s stolen hacking arsenal that was distributed by Shadow Brokers in March. Many of those tools consisted of zero days, which are impervious to most (if not all) network security products on the market. Second, the malicious code appears to have been tweaked to behave similarly to the devastating ‘WannaCry’ ransomware attack in May. Both Petya and WannaCry spread laterally through open networks once they compromised a system. With this one-two punch, attackers were able to quickly take entire networks offline.
Because today’s network security products are essentially ineffective against zero-day malware, it is important for organizations to implement some form of network segmentation. Network segmentation splits networks into isolated subnetworks. The advantage to this approach is that it can increase network performance and overall network security. Using network segmentation, critical data and infrastructure can be isolated in one network segment, while employees are isolated in another. What’s more, employees and data could be microsegmented into even smaller groups. So, in the event of a catastrophic zero-day attack, the malware would only be able to affect those systems within the defined segment and would not be able to spread to other systems in the network.”
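The segmentation argument above can be made concrete by modelling a worm that spreads to every host its current foothold is allowed to reach. The example below is added here and is not code from the article or from any of the quoted vendors; the host inventory and the three policies are constructed for illustration.

```python
"""Model how segmentation bounds the blast radius of self-propagating malware.

Constructed example: each host belongs to a segment, and a policy is the set of
(source_segment, destination_segment) pairs allowed to talk on the service the
malware spreads over. A worm on one host reaches every host it can connect to,
then spreads again from each newly infected host.
"""
from collections import deque

# Constructed inventory (not from the article): host -> segment.
HOSTS = {
    "ws-01": "users", "ws-02": "users", "ws-03": "users",
    "fin-01": "finance", "fin-02": "finance",
    "db-01": "critical", "hv-01": "critical",
    "jump-01": "admin",
}

# No segmentation: every host can reach every other host.
FLAT_POLICY = None

# Coarse segmentation: east-west traffic stays inside a segment, and only the
# admin segment may open connections into the critical segment.
SEGMENTED_POLICY = {
    ("users", "users"), ("finance", "finance"), ("critical", "critical"),
    ("admin", "critical"),
}

# Microsegmentation: no east-west traffic at all, only the admin -> critical path.
MICROSEG_POLICY = {("admin", "critical")}


def allowed(policy, src, dst):
    """True if the policy lets src open a connection to dst."""
    if src == dst:
        return False
    if policy is None:          # flat network, nothing is filtered
        return True
    return (HOSTS[src], HOSTS[dst]) in policy


def simulate_spread(policy, patient_zero):
    """Return the set of hosts a worm starting at patient_zero can infect."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:                # breadth-first over reachable hosts
        cur = queue.popleft()
        for host in HOSTS:
            if host not in infected and allowed(policy, cur, host):
                infected.add(host)
                queue.append(host)
    return infected


def blast_radius(policy, patient_zero):
    """Fraction of the estate the worm reaches from patient_zero."""
    return len(simulate_spread(policy, patient_zero)) / len(HOSTS)
```

Running `blast_radius` for a user workstation foothold gives 1.0 on the flat network, 3/8 with coarse segmentation and 1/8 with microsegmentation; an admin-segment foothold still reaches the critical hosts in every case, which is why that path deserves the tightest controls.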