By Jacob Denton, chief information security officer, Mosaic451.
Unless your security team has been living in a cave in one of the last remaining places on the planet where you can still unplug, you have certainly heard about the Petya and NotPetya ransomware attacks and the chaos caused by them. Petya was a somewhat “typical” ransomware attack in 2016: It encrypted the master boot record of infected computers and asked for ransom in the form of Bitcoin. But NotPetya, a potentially state-sponsored attack against Ukraine, was more similar to WannaCry, which occurred shortly before in 2017. In addition to ransoming companies to pay the hackers in Bitcoin, NotPetya also took advantage of the EternalBlue exploit and was a “worm” that could self-propagate, like WannaCry.
What made NotPetya unique was its intrusion into MeDoc, a Ukrainian tax and accounting software package. About 80 percent of Ukrainian businesses used this software at the time of the attack. The NotPetya hackers employed an innovative strategy: They put in a slightly different version of a file into MeDoc’s software updates.
Since MeDoc was so widely used throughout the Ukrainian business community, the hackers started spreading corrupted versions of MeDoc software in April. By June, undetected, they were able to insert the NotPetya ransomware. And since it was a worm, NotPetya was able to spread rapidly. It was a lot worse than Petya in its scope: It not only encrypted the master boot record, it also encrypted other important files, making the damage to companies’ hard drives even more serious.
Cyber security firm Cybereason reports that NotPetya cost companies approximately $892.5 million in lost revenue. While it first hit Ukraine, it hurt businesses worldwide, including FedEx, Merck, and Reckitt Benckiser.
What lessons have we learned?
First, that hackers have gone way past spamming naive end users. The NotPetya attack was particularly troubling because it was a “clickless” attack that didn’t need to rely on end users for access. It also took advantage of software updates, a holy grail of commonplace cyber security.
Thankfully, there are some precautions cyber professionals can heed from this hack. According to Johns Hopkins University Computer Science Professor Matthew Green, one limited action developers could do to help “prevent their software updates from being corrupted” is to “co-design.” This would mandate that anyone trying to add new code to an application would need to sign with a cryptographic key that cannot be forged. For example, MeDoc did not have co-designing, so hackers were able to alter code in the software update.