What can we learn from Petya attack?
A ransomware attack dubbed Petya has crippled a number of organisations in Europe and the US, in the second major ransomware attack in as many months.
This follows the attack by ransomware WannaCry in early May, which affected organisations such as Britain’s National Health Service (NHS).
Much like WannaCry, Petya spreads rapidly through networks that use Microsoft Windows, and infected computers display a message demanding a Bitcoin ransom of $300, with confirmation of payment to be sent to a specific email address. However, that email address has been shut down by the email provider, which means individuals and organisations who have complied with the demands for payment have no way of reaching the attacker for the decryption key to regain access to their computers.
The rapid pace of this new Petya ransomware attack points to another worm that can spread from computer to computer by itself, according to Steven Malone, Director of Security Product Management at Mimecast. He added that this new outbreak highlights the disruptive power of ransomware like never before: simply by encrypting and blocking access to files, critical national services and valuable business data can be damaged.
“Many commentators think WannaCry came from hackers in Russia, perhaps as an experiment that escaped early. Therefore it’s not too surprising that Ukraine’s critical national infrastructure has been crippled today while other firms in Europe may have been hit in the crossfire. As with the early stages of the WannaCry outbreak, the bitcoin wallet associated with this ransomware is not seeing high volumes of payments. Six people globally have currently paid the ransom, suggesting this will not be a financially successful attack,” added Malone.
He said that a cyber-resilience strategy that acknowledges that attacks are likely to continue, and will sometimes be successful, is required. Furthermore, defence-in-depth security and continuity plans are needed to keep critical services running every time they are attacked.
Malone added that it is advisable that organisations do not pay the ransom to regain access to their applications and data, because there is no guarantee this will unlock files, and paying further motivates and finances attackers to expand their ransomware campaigns.
“Email has traditionally been the primary attack route for ransomware. Attackers often send Microsoft Office documents with malicious macros that download and install malware. This includes Word, Excel, PowerPoint and also PDFs. Clever social engineering will trick employees into enabling the macros and delivering the ransomware payload,” he said.
The only reliable defence against the recent Petya ransomware attacks is backup, according to Nigel Tozer, Solutions Marketing Director, Commvault. “Clearly the malicious forces behind this and other recent attacks continue to be one step ahead of threat detection software, so if your systems and data are held to ransom the only true means of recovery is to be able to revert back to data from the last backup before the infection. When files are encrypted and corrupted by a ransomware attack, cloud sync and share tools aren’t something you can rely on either, because the sync facility means cloud files are as infected as their originals. The other issue is that these cloud services, especially free ones or those targeted at consumers, typically do not cover all of your data and may not always have retention policies that pre-date the attack. The best option, to insure against data-mincing malware, is an in-house centrally managed backup solution. Whilst reverting to the backup prior to the infection might mean losing a limited amount of data, it is nominal compared to the impact of losing all your data permanently.”
Malone concurred, adding that preventive measures alone cannot keep up with the fast-evolving nature of ransomware attacks and, as this attack highlights, there are many ways for an infection to enter an organisation. “It’s vital you regularly back up critical data and ensure that ransomware cannot spread to backup files. Ransomware can take time to encrypt large volumes of files, particularly across a network share. It is imperative to ensure your back-up window is long enough to go back before any infection begins.”
He added that backup and recovery measures only work after an attack, and cost organisations in downtime and IT resources spent dealing with the attack and its aftermath; organisations must be able to continue to operate during the infection period and recover quickly once the infection has been removed.