Here we go again! In the aftermath of the WannaCry ransomware attack in May, a “copycat” ransomware-style worm identified as Petya/NotPetya struck on June 27. It exploited known Microsoft Windows vulnerabilities by way of the EternalBlue exploit and the DoublePulsar backdoor. The EternalBlue exploit is generally believed to have been developed by the U.S. National Security Agency (NSA) and was also used by the WannaCry ransomware. As with WannaCry, this attack affected computer systems worldwide, quickly spreading to at least 60 countries. Several large businesses, transportation networks, public utilities, and government agencies in Europe and the United States were hit.
This attack was initially focused in Ukraine and Russia. ATMs at the National Bank of Ukraine were disabled across the country, and systems used to monitor radiation at the former Chernobyl nuclear power facility were interrupted. Rosneft, the largest oil company in Russia, was also attacked. Petya/NotPetya spread like WannaCry, hitting one of the world’s largest container shipping companies, Copenhagen-based A.P. Moller-Maersk, as well as WPP in London, one of the world’s largest advertising agencies, and entities in Spain and France.
Like WannaCry, Petya/NotPetya encrypted hard drives, and the message from the attackers demanded a ransom of $300 to be paid in the form of Bitcoin. The message read, “If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
Differences between WannaCry and Petya/NotPetya
Petya/NotPetya was more sophisticated than the WannaCry worm in its scope, resistance to neutralization, and range of targets. This attack spread rapidly within organizations using common IT administration tools, which are not recognized as malware by typical security defenses. The Petya/NotPetya worm also appears to have been delivered through a compromised third-party software vendor. Such supply-chain approaches, which have historically been confined to targeted intrusions, now appear to have reached the large-scale global malware attack spectrum.
Unlike WannaCry, unfortunately, Petya/NotPetya apparently has no embedded “kill switch.” The potential to recover lost data by paying the requested ransom is also clearly in doubt. The low initial ransom (which falls in the WannaCry ransom request range) and the fact that the attackers cannot be contacted have caused confusion over the origin and purpose of the attack. It is still not clear whether state actors or freelance blackmailers (or a combination of both) are responsible. The fact remains that the only known method for retrieving the data encrypted by Petya/NotPetya is restoring from a backup copy.
To date, most ransomware has been able to avoid detection because each new strain has no signature known to signature-based antivirus software. Their creators research antivirus solutions to uncover the weaknesses they can exploit to avoid discovery, and ransomware distributors generally encrypt or pack their software to further shield it from detection.
Recommendations for broader cybersecurity protections
Obsolete versions of Microsoft Windows continue to reveal their vulnerability to these attacks. Clearly, your organization should already have or should now be taking steps to update your Windows operating systems. If you cannot eliminate outdated, unpatched Windows systems, we recommend segmenting your networks to reduce the available attack surface.
Petya/NotPetya spread within organizations using the administrative tools Windows Management Instrumentation Command-line (WMIC) and PsExec. The exploitation of these and other common IT admin tools by attackers allows malware to move undetected within networks. Their use in a widespread, automated global attack is a fresh approach. This fact underscores the urgency of implementing threat detection and response solutions and leveraging trained cybersecurity staff and experienced partners to help identify and contain the Petya/NotPetya type of attack.
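Because WMIC and PsExec are legitimate tools, detecting their use in lateral movement means looking at how they are invoked rather than whether they run at all: a wmic call with a /node: argument targets another machine, a PsExec call names its target as \\host and installs the PSEXESVC service on that target, and a worm produces a fan-out of many such remote invocations from one source in a short time. The following detection logic, written as an added example for this post (it is not SAP code, and the event records and field names are constructed to resemble Windows process-creation and service-install events, not a real log schema), flags those three signals over sample events:

```python
"""Flag WMIC / PsExec-style remote execution in constructed Windows event records.

Added example, not from the original post. Field names (kind, host, command_line,
service_name, image_path) are assumptions chosen for the demo, not a real log schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Invocation syntaxes of the legitimate tools, used here as detection signals.
WMIC_REMOTE = re.compile(r"\bwmic(\.exe)?\b.*\s/node:", re.IGNORECASE)     # wmic targeting another host
WMIC_PROC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)  # remote process launch
NODE_ARG = re.compile(r'/node:"?([\w.-]+)"?', re.IGNORECASE)                # extract the /node: target
PSEXEC_BIN = re.compile(r"\bpsexec(64)?(\.exe)?\b", re.IGNORECASE)
PSEXEC_TARGET = re.compile(r"\\\\([\w.-]+)")                                # \\host argument
PSEXEC_SERVICE = re.compile(r"^psexesvc$", re.IGNORECASE)                   # service PsExec installs on the target


@dataclass
class Finding:
    host: str    # host where the event was recorded
    rule: str
    detail: str


def remote_target(cmd: str):
    """Return the remote host named in a wmic /node: or PsExec \\host command line, else None."""
    m = NODE_ARG.search(cmd)
    if m:
        return m.group(1)
    if PSEXEC_BIN.search(cmd):
        m = PSEXEC_TARGET.search(cmd)
        return m.group(1) if m else None
    return None


def analyze(events):
    """Per-event rules: remote wmic use, PsExec with a target, PSEXESVC service installation."""
    findings = []
    for ev in events:
        if ev.get("kind") == "process":
            cmd = ev.get("command_line", "")
            if WMIC_REMOTE.search(cmd):
                rule = "wmic-remote-process-create" if WMIC_PROC_CREATE.search(cmd) else "wmic-remote-query"
                findings.append(Finding(ev["host"], rule, cmd))
            elif PSEXEC_BIN.search(cmd) and PSEXEC_TARGET.search(cmd):
                findings.append(Finding(ev["host"], "psexec-remote-exec", cmd))
        elif ev.get("kind") == "service_install":
            if PSEXEC_SERVICE.match(ev.get("service_name", "")):
                findings.append(Finding(ev["host"], "psexesvc-installed", ev.get("image_path", "")))
    return findings


def fan_out(events, threshold=3):
    """Worm-style signal: one source host reaching `threshold` or more distinct remote targets."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("kind") == "process":
            t = remote_target(ev.get("command_line", ""))
            if t:
                targets[ev["host"]].add(t)
    return {src: hosts for src, hosts in targets.items() if len(hosts) >= threshold}


# Constructed sample events: one admin workstation (WS01) pushing a binary to three
# machines, the matching service install on DC01, and two benign local/remote wmic uses.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS01",
     "command_line": r'wmic /node:"FS02" /user:"CORP\svc_admin" process call create "C:\Windows\Temp\update.exe"'},
    {"kind": "process", "host": "WS01",
     "command_line": r'wmic /node:SRV03 process call create "C:\Windows\Temp\update.exe"'},
    {"kind": "process", "host": "WS01",
     "command_line": r'PsExec.exe \\DC01 -accepteula -s cmd.exe'},
    {"kind": "service_install", "host": "DC01",
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"kind": "process", "host": "WS05", "command_line": "wmic os get caption"},
    {"kind": "process", "host": "WS05", "command_line": "wmic /node:PRINT01 printer list brief"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
    for src, hosts in fan_out(SAMPLE_EVENTS).items():
        print(f"[fan-out] {src} reached {len(hosts)} hosts: {sorted(hosts)}")
```

The per-event rules are deliberately separated from the fan-out rule: a single remote wmic query (WS05 to a print server above) is ordinary administration and only merits a low-severity note, whereas one host launching processes on several others within the same window is the pattern this post describes and is worth an immediate response. In production the same logic would read Security 4688 or Sysmon process-creation events and System 7045 service-install events instead of the constructed list.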
In addition, frequent backups and comprehensive system recovery plans will help sustain business continuity. Critical data and programs should be backed up in a manner that will enable rapid recovery, given the expectation that we’ll continue to see new forms and unknown sources of cyber attacks. This holds true across the spectrum of cyber attacks and intrusion threats.
Your organization should continue to focus on the imminent security risks posed by third parties, review risk-management processes, and institute necessary controls that will help mitigate potential damage. To this end, the secure operations map can be a powerful tool to manage a comprehensive approach to cybersecurity.
We now face a globally interconnected digital environment that is subject to the threat of sudden and costly cyber attacks from highly sophisticated organizations. SAP’s comprehensive GRC and security solutions portfolio offers powerful tools for encryption, threat definition, identification, analysis, and protection in SAP and non-SAP systems.
For more on this topic, read Improving Security in the Aftermath of the World’s Largest Ransomware Attack and The Secret to Avoiding Hacks that Can Wipe Out Your Business.