An employee goes to work and finds his computer is completely inoperable, with a notice that his hard drive has been seized by ransomware. All of his coworkers have the same easily recognizable text and graphic on their screens. They head out to lunch while IT scrambles to resolve the issue. He stops by the ATM to grab cash for lunch, but realizes that it too has the same ransomware note flashing on the screen, and the local deli’s systems have been hit, so they can’t even process credit cards. The employee soon discovers that all public transportation, the airport, the grocery store, the gas station and even shipping have been infiltrated by the same ransomware. Chaos ensues while the ransomware perpetrator discloses his monetary demands.
Though this storyline sounds like it could be a dystopian movie script, this ransomware attack was a distinct reality for Ukraine during the recent Petya ransomware attack, targeting the country’s very infrastructure. This social and economic disturbance was a sophisticated, well-engineered attack that took ransomware to a whole new level. In essence, ransomware is becoming weaponized.
Petya’s Debated Purpose
Speculating about cyber warfare, however, seems too much of a stretch without other necessary information. The objective of this ransomware attack is still not clear. Though the authors just publicly demanded $250,000 or 100 bitcoin for the private encryption key, more than a week after the initial infections, it still seems that Petya is masquerading as a ransomware strain and that its main goal was not monetary gain. Here’s why: The ransomware included the same bitcoin address for every victim. Typical ransomware provides a series of bitcoin addresses spread across dozens if not hundreds of bitcoin wallets, making it difficult for the public to see how lucrative the attack has been. The original bitcoin wallet has only received roughly $10,000 in payouts, and most affected companies have already resumed operation, limiting the amount of money the attackers can yield from their seemingly last-minute demand. What’s more, the attackers provided an email address, which is easily traceable by investigators. Ransomware for profit seems to be the window dressing, and experts can’t help but wonder if it was used as a tool for denial of service, economic disaster and social disruption, though we don’t know for certain.
Petya and EternalBlue
Here’s what we do know: The new Petya ransomware that attacked Ukraine and global computing systems is based on an older Petya variant, originating from the GoldenEye malware in December 2016. The new ransomware variant also includes the SMB exploit known as EternalBlue, which was created by the United States National Security Agency and leaked by the Shadow Brokers hacker group in April 2017. The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record. The EternalBlue component enables it to proliferate through an organization that doesn’t have the correct patches or antivirus/antimalware software. This is a clear example of two malware components coming together to generate more pernicious and resilient malware.
Unfortunately, Petya is not an anomaly. Ransomware attacks are being deployed more frequently throughout the world, so much so that ransomware-as-a-service has become a flourishing business. Petya comes just a month after the massive WannaCry ransomware attack, which was conducted by a North Korean hacking group and spread to 300,000 infections across 150 countries. Because ransomware and other types of malware attacks are growing rampant, and can affect everything from postal services to aircraft manufacturers to television stations, all companies need to have their systems fortified against an inevitable onslaught of malicious code.
Companies should create a defense-in-depth strategy to ensure the organization is insulated from these attacks. Patching critical items diligently, controlling applications and reducing privileges are all part of an effective layered approach to security that limits the environment’s exposure. Here are some additional security controls companies can implement to defend against attacks like this:
Threat protection: Antivirus is a necessary defense step that can limit propagation of an attack. Though antivirus may not be able to stop certain attacks before the damage is done, it can halt others dead in their tracks.
HIPS (host intrusion prevention system): HIPS or IPS systems act as strong barricades against the new age of attacks, though they are often more difficult to tune and more difficult to implement. The SMB exploits follow known patterns, based on their public reference implementations, that a HIPS can identify, report on and shut down before the attack reaches the system.
User education and training: User awareness is essential. It’s important that all company employees be on guard and on the lookout for any suspicious activity, as any single entry point is enough to bring a flood of ransomware into an entire environment. With WannaCry and Petya, exploiting SMB was likely not the first entry point. It was more likely user-targeted attacks, like phishing, drive-by downloads and watering hole attacks. The more users are educated and aware of these tactics, the less likely the company will be penetrated.
Backup and restore: With ransomware so commonplace, it’s even more important to have backup software at critical endpoints. Having a recent backup allows companies to re-provision and restore user data quickly to get back up and running with limited disruption to daily workflow.
Provisioning: Paying the ransom is never advisable; a much better way to recover data from a ransomware attack is to have a good backup and re-provision the system to restore the data. Having a unified endpoint management (UEM) solution both enables an IT team to manage systems in a heterogeneous environment and provides response capabilities necessary to combat cyber threats.
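The SMB propagation that the HIPS and patching controls above aim to stop leaves a recognizable trace in network logs: one internal host opening TCP/445 connections to many distinct peers in a short window. The script below is an added example (not from the original article or Ivanti) that flags that fan-out pattern; the log format, window and threshold are assumptions, and the log lines are constructed.

```python
"""Flag hosts that fan out SMB (TCP/445) connections to many internal peers
within a short window, the worm-like spread pattern EternalBlue-driven malware
produces. Added example; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp src dst dport" format.
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.1.2.15 10.1.2.20 445
2017-06-27T10:00:02 10.1.2.15 10.1.2.21 445
2017-06-27T10:00:02 10.1.2.15 10.1.2.22 445
2017-06-27T10:00:03 10.1.2.15 10.1.2.23 445
2017-06-27T10:00:04 10.1.2.15 10.1.2.24 445
2017-06-27T10:00:05 10.1.2.15 10.1.2.25 445
2017-06-27T10:00:30 10.1.2.40 10.1.2.5 445
2017-06-27T10:05:00 10.1.2.40 10.1.2.6 445
2017-06-27T10:00:10 10.1.2.15 10.1.2.9 443
"""

def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            yield ts, parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_smb_fanout(text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peer_count} for sources that reached at least `threshold`
    distinct hosts on port 445 inside any window of the given length."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if dport == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # chronological order so each window starts at an event
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                hits[src] = max(hits.get(src, 0), len(peers))
    return hits

if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB peers within 60s, investigate")
```

Normal file-server use also produces 445 traffic, so tune the threshold against a baseline of each host’s usual peer count before alerting on it.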
Ransomware is advancing in its potency and power. Once these sophisticated strains, combining components like EternalBlue and Petya, have a foothold within an environment, they can quickly exploit systems, remaining virtually undetected until entire hard drives are rendered inoperable. But Petya goes beyond extorting money from individuals or individual companies, and makes ransomware attacks a widespread economic and social issue. For the security of their own data and for the future economy as a whole, it’s crucial that companies protect themselves against imminent threats.
Phil Richards, Chief Information Security Officer, Ivanti
Image Credit: WK1003Mike / Shutterstock