By Jacob Denton, chief information security officer, Mosaic451.
Unless your security team has been living in a cave in one of the last remaining places on the planet where you can still unplug, you have certainly heard about the Petya and NotPetya ransomware attacks and the chaos they caused. Petya was a somewhat “typical” ransomware attack in 2016: It encrypted the master boot record of infected computers and demanded ransom in Bitcoin. But NotPetya, a potentially state-sponsored attack against Ukraine, was more similar to WannaCry, which occurred shortly before in 2017. In addition to demanding that companies pay the hackers in Bitcoin, NotPetya also took advantage of the EternalBlue exploit and was a “worm” that could self-propagate, like WannaCry.
What made NotPetya unique was its intrusion into MeDoc, a Ukrainian tax and accounting software package. About 80 percent of Ukrainian businesses used this software at the time of the attack. The NotPetya hackers employed an innovative strategy: They slipped a slightly modified version of a file into MeDoc’s software updates.
Since MeDoc was so widely used throughout the Ukrainian business community, the hackers started spreading corrupted versions of MeDoc software in April. By June, undetected, they were able to insert the NotPetya ransomware. And since it was a worm, NotPetya was able to spread rapidly. It was a lot worse than Petya in its scope: It not only encrypted the master boot record, it also encrypted other important files, making the damage to companies’ hard drives even more serious.
Cyber security firm Cybereason reports that NotPetya cost companies approximately $892.5 million in lost revenue. While it first hit Ukraine, it hurt businesses worldwide, including FedEx, Merck, and Reckitt Benckiser.
What lessons have we learned?
First, that hackers have gone way past spamming naive end users. The NotPetya attack was particularly troubling because it was a “clickless” attack that didn’t need to rely on end users for access. It also took advantage of software updates, a holy grail for attackers precisely because everyday cyber security depends on trusting them.
Thankfully, there are some precautions cyber professionals can take away from this hack. According to Johns Hopkins University Computer Science Professor Matthew Green, one limited step developers could take to help “prevent their software updates from being corrupted” is to “code-sign.” This would mandate that anyone trying to add new code to an application would need to sign it with a cryptographic key that cannot be forged. For example, MeDoc did not use code signing, so hackers were able to alter code in the software update.
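The check Green describes, shown as an added example that is not from this article, from MeDoc, or from any real vendor's updater: the vendor signs each update with a private key, the client-side updater carries only the vendor's public key, and anything whose signature fails under that pinned key is refused before installation. Ed25519 (Go's standard library `crypto/ed25519`), the `UpdatePackage` layout, the `SignUpdate`/`VerifyUpdate`/`Scenario` names and the sample payload are all assumptions made for the example; the keys are generated fresh and are not real vendor keys.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a vendor update file plus the
// detached signature the vendor ships alongside it.
type UpdatePackage struct {
	Name      string
	Payload   []byte // update contents (constructed sample data)
	Signature []byte // Ed25519 signature over digest(Name, Payload)
}

// digest binds the package name to its contents, so a valid signature for one
// update cannot be replayed on a different update's name.
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator: "ab"+"c" must not collide with "a"+"bc"
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step: only the build pipeline holds the
// private key, so only it can produce a signature the updater will accept.
func SignUpdate(priv ed25519.PrivateKey, name string, payload []byte) UpdatePackage {
	return UpdatePackage{
		Name:      name,
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(priv, digest(name, payload)),
	}
}

// VerifyUpdate is the client-side step. The updater trusts exactly one key,
// the vendor public key compiled into it, and installs nothing on failure.
func VerifyUpdate(vendorPub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("updater has no valid pinned vendor key")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("update is unsigned or its signature is malformed")
	}
	if !ed25519.Verify(vendorPub, digest(pkg.Name, pkg.Payload), pkg.Signature) {
		return errors.New("signature does not verify under the pinned vendor key; refusing to install")
	}
	return nil
}

// ScenarioResult records the three outcomes a defender wants to see.
type ScenarioResult struct {
	GenuineAccepted    bool // untouched vendor update installs
	TamperedRejected   bool // modified payload with the original signature is refused
	ForeignKeyRejected bool // modified payload re-signed with a non-vendor key is refused
}

// Scenario runs the genuine, tampered, and re-signed cases against one
// pinned vendor key. Both key pairs are generated here (constructed).
func Scenario() (ScenarioResult, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key the vendor never issued
	if err != nil {
		return ScenarioResult{}, err
	}

	original := []byte("constructed sample update payload v1.2.3")
	pkg := SignUpdate(vendorPriv, "update-1.2.3", original)

	var r ScenarioResult
	r.GenuineAccepted = VerifyUpdate(vendorPub, pkg) == nil

	// Case 2: contents altered in transit, vendor signature left in place.
	tampered := pkg
	tampered.Payload = bytes.Replace(pkg.Payload, []byte("v1.2.3"), []byte("v1.2.3-modified"), 1)
	r.TamperedRejected = VerifyUpdate(vendorPub, tampered) != nil

	// Case 3: altered contents re-signed with a key the updater does not pin.
	resigned := SignUpdate(otherPriv, pkg.Name, tampered.Payload)
	r.ForeignKeyRejected = VerifyUpdate(vendorPub, resigned) != nil
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v\ntampered rejected: %v\nforeign-key rejected: %v\n",
		r.GenuineAccepted, r.TamperedRejected, r.ForeignKeyRejected)
}
```

The design point is the pinned key: verification helps only if the updater refuses every signature except the vendor's own, and the private key never lives on the update server or in the same place an attacker could reach by compromising the distribution channel.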
Green also recommends that system administrators segment their networks as much as possible. In particular, he suggests that administrators should limit the abilities of whitelisted software as well.
Another tactic might be to identify and limit access to open ports and implement tools that can spot malicious activity both on the network and the host. Additionally, tell IT staff to disable unused tools and modify their endpoint protection so that it doesn’t depend on just whitelisting or scanning files: Hacked system tools can easily get past both of these methods.
Beyond the steps mentioned above, a simple cyber rule is worth repeating in regard to ransomware: Keep up with your systems’ patches. That said, Charles Eagan, BlackBerry’s Chief Technology Officer, believes that cyber technology needs to find methods to patch systems in a continuous, synchronous way. This is crucial, particularly for industries such as critical infrastructure that must avoid downtime at all costs. No wonder so many of these companies avoid the current manner of patching, which is asynchronous and involves downloading an update, running it, and restarting machines.
In short, IT security professionals need to take extra measures to protect whitelisted software, disable unused tools, and keep up with patches. Hopefully soon, cyber technologists will also find a better way to patch systems in a continuous manner. Otherwise, there could be a dangerous number of NotPetya-like attacks in the near future.