
By Byron V. Acohido
The go-forward implications of the Petya “wiper” attack, coming on the heels of the WannaCry ransomware worm, are profound.
The cybersecurity community has moved quickly to blunt variants of both WannaCry and Petya. But this is only the beginning. Here is a summary of takeaways, with a few dots connected.
Ukraine wild card. Petya hit with a vengeance, locking up business systems globally on June 27; the attackers demanded a $300 payment in Bitcoin for a decryption key. Ukraine bore the brunt; its central bank, state telecom, metro and airport took broadsides. Danish shipping giant Maersk, Russian oil company Rosneft, U.S. drug company Merck and the U.S. law firm DLA Piper were also disrupted.
There is now speculation that the extortion attempt was a red herring, meant to disguise a strategic fence-testing of Ukraine’s critical infrastructure, presumably by Russia. Lending credence to this theory is the fact that only about $10,000 in ransom was paid via a rudimentary payment process.
Also, as noted by Travis Farral, director of security strategy for threat intelligence vendor Anomali, the attack was launched on the eve of Ukraine’s Constitution Day and leveraged a malware family mockingly using the nickname of Ukrainian President Petro Poroshenko.
“Intelligence is leaning towards the idea that the impact the attack had on Ukraine was a causal effect, and entities affiliated with the campaign were caught in the crossfire of destruction or a diversion rather than ransom collection,” Farral says. “The intelligence is indicating this might be more than just a ransomware attack.”
New wrinkles. Researchers at Cisco Talos determined that Petya initially spread via a malicious software update for a tax accounting program, called Medoc, used by Ukraine government agencies. Shortly thereafter, versions of Petya quickly began to spread globally via phishing emails enticing the recipient to click open a viral Microsoft Word document.
Just one infection could trigger thousands of others. The malware automatically searched out the user’s credentials, then tried that username and password on other systems, installing a copy of itself on any computer it could log on to. That meant even machines current on all security patches could be infected. David Kennedy, a researcher at TrustedSec, reported Petya spread to 5,000 computers in 10 minutes at one organization.
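A defender-side illustration of the spread pattern just described, added here and not part of the article: a small Python detector that flags any account whose successful remote logons reach many distinct hosts inside a ten-minute window, which is what one stolen credential reused across a network looks like in authentication logs. The log format and the sample lines are constructed for this example, not taken from any real product or incident.

```python
"""Heuristic detection of credential-reuse lateral movement.

Added example, not code from the article. The simplified log format
(timestamp, user, source host, target host, outcome) is constructed
for illustration and does not match any vendor's real format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon records (not real data). One service account
# fans out to five hosts in under a minute; a normal user touches two
# file servers 44 minutes apart.
SAMPLE_LOGS = """\
2017-06-27T10:00:05 svc_backup WS-101 WS-102 success
2017-06-27T10:00:09 svc_backup WS-101 WS-103 success
2017-06-27T10:00:12 svc_backup WS-101 WS-104 success
2017-06-27T10:00:20 svc_backup WS-101 WS-105 success
2017-06-27T10:00:31 svc_backup WS-101 WS-106 success
2017-06-27T10:00:40 svc_backup WS-101 WS-107 failure
2017-06-27T10:01:02 jdoe WS-220 FS-01 success
2017-06-27T10:45:00 jdoe WS-220 FS-02 success
"""


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, user, src, dst, outcome = line.split()
    return datetime.fromisoformat(ts), user, src, dst, outcome


def find_spraying_accounts(log_text, window=timedelta(minutes=10), min_hosts=5):
    """Return {user: set(target hosts)} for every account whose successful
    logons reached at least `min_hosts` distinct targets within any
    sliding `window`. Failed logons are ignored: the pattern of interest
    is a valid credential that works everywhere, not a guessing attack."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # user -> (timestamp, target) pairs in window
    flagged = {}
    for ts, user, _src, dst, outcome in events:
        if outcome != "success":
            continue
        q = recent[user]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop events older than window
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= min_hosts:
            flagged.setdefault(user, set()).update(hosts)
    return flagged
```

Thresholds are deliberately conservative; tune `min_hosts` against a baseline of legitimate administrative accounts before alerting on it.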
Another new wrinkle: it appears that the designers of Petya may have relied on licensees to help spread the big attack. According to Ido Wulkan, intelligence team leader at IntSights, a threat actor doing business as Janus Cybercrime Solutions has been running an affiliate program since late 2016 which recruits unskilled hackers to distribute variants of Petya ransomware – and earn 85% of the ransom payments.
Best defenses. The NSA’s cyber weapons are designed to take advantage of obscure software coding flaws. So keeping all critical systems current with security patches is vital. In practice, software patching is tedious and expensive. WannaCry and Petya demonstrated, once again, how all too many organizations continue to do it piecemeal, accepting a profound risk.
“Most organizational leaders refuse to support their internal teams when asked for procedural changes or proper funding for cybersecurity defenses,” says Paul Innella, CEO of cybersecurity consultancy TDI. “Moreover, we’re just now providing tangible reports to the board level, meaning its level of import is still not equal to numerous other reporting requirements.”
Given that software patching remains a hard sell, one would think disaster recovery would rise to the fore. Paul Vixie, CEO of FarSight Security, argues that the only “proven defense” against modern day ransomware campaigns is to back up all mission-critical data and systems comprehensively and often.
“WannaCry and Petya are not the end of an era, but rather the beginning of one,” Vixie says.
“We cannot keep up with the complexity of our online systems. We must start listening to our technical experts. They are telling us that everything is broken. We have to take that to heart. Patch every day. Back up every day.”
Sadly, folks, it seems clear that we are still in a nascent phase of seeing innovative cyber attacks launched, at scale, against business networks using the NSA’s cyber weapons. It’s time for company decision makers to take this very, very seriously.