On Saturday, it is the third anniversary of the NotPetya ransomware attack, one of the most devastating cyberattacks since the invention of the internet. It is thought that the total damages of the attack were in excess of $10 billion.
This is a superb insider account of what happened at Maersk with the NotPetya attack in 2017. I would argue it is one of the most significant events in recent infosec history along with the Lulzsec rampage in 2011, and the Sony Pictures attack in 2014. This is a must read. https://t.co/2p8sATe7bG
— Jonathan Davis (@limbic) June 22, 2020
It’s important to remember that the far-reaching impact of NotPetya would not have been possible if the EternalBlue exploit for a “wormable” vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol had not been publicly disclosed. Coupling that exploit with a brute-force approach of attempting to infect every IP address the malware could reach created the perfect conditions to make NotPetya infamous.
In the aftermath of NotPetya, ransomware is still thriving specifically within internal unmanaged networks that cannot patch or don’t have the visibility to identify vulnerable computers. Many organisations have minimised the attack surface of their network, which makes cross-network infection more difficult since there is no service accessible to exploit.
To cope with this adaptation, adversaries adopted a new approach to ransomware, decoupling the insertion point from the actual encryption and ransom act. In this approach, an APT attack is used to deliver the ransomware without revealing the vulnerability used to enter the network. This can enable the attacker to extend the shelf life of the vulnerability used, which is the expensive part in the business model of ransomware campaigns.
Three years later, the most important takeaway to understand regarding NotPetya is how the following conditions allowed it to wreak havoc:
Lack of patching – Still a major concern
Poor network segmentation – Has improved, but still has a way to go
Poor network visibility – Organisations must have visibility into which vulnerabilities are present within their network so they can fully understand their exposure. With “wormable” vulnerabilities, timing is key. You need to know as quickly as possible which devices are vulnerable, and based on your patching capabilities, you may decide to patch or block problematic traffic, or just take the risk and leave it unpatched.
Insufficient monitoring capabilities – Knowing when something is spreading in your network.
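The visibility and monitoring points above come down to one question: can you tell when a single host starts reaching many internal peers over SMB in a short window? The following is an added example, not code from the article; it runs a sliding-window fan-out heuristic over a constructed flow log (format, addresses and timestamps are all invented for illustration).

```python
# Added example (not from the article): flag worm-like SMB fan-out in flow logs.
# Record format, IPs and timestamps below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2017-06-27T10:00:01 10.1.1.5 10.1.1.10 445
2017-06-27T10:00:02 10.1.1.5 10.1.1.11 445
2017-06-27T10:00:02 10.1.1.5 10.1.1.12 445
2017-06-27T10:00:03 10.1.1.5 10.1.1.13 445
2017-06-27T10:00:03 10.1.1.5 10.1.1.14 445
2017-06-27T10:00:04 10.1.1.5 10.1.1.15 445
2017-06-27T10:00:30 10.1.1.20 10.1.1.2 445
2017-06-27T10:05:00 10.1.1.20 10.1.1.3 445
2017-06-27T10:00:05 10.1.1.7 10.1.1.10 80
"""

def parse_flows(text):
    """Parse flow lines into time-sorted (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(flows)

def smb_fanout_alerts(flows, window=timedelta(seconds=60), threshold=5, port=445):
    """Return {src: max distinct targets} for hosts that contact >= threshold
    distinct peers on the SMB port inside any sliding window. Input must be
    time-sorted. File servers or admin hosts may fan out legitimately: tune
    the threshold or allow-list them before paging anyone."""
    per_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {d for _, d in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

if __name__ == "__main__":
    for host, n in smb_fanout_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {host}: {n} distinct SMB targets within 60s")
```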
The foundation of the next NotPetya is still being created, so discovering and patching vulnerabilities before threat actors have the chance to exploit them on a large scale is essential for preventing a similar attack.
Three years ago, organisations across the world began to report disruption as a result of the NotPetya ransomware attack. This campaign impacted organisations in at least 65 countries, but in particular, Ukraine, which was the primary target. In the aftermath, Mandiant Threat Intelligence analysts discovered a link between these attacks and the notorious Russian state-sponsored Sandworm group, which had executed multiple wiper malware attacks against Ukrainian entities since 2015. While the earliest attack variations had simply wiped the victims’ machines, with NotPetya in 2017 the attackers stepped up their attacks by introducing a ransomware component. NotPetya changed the world’s perception of ransomware and the potentially devastating impact it can have on businesses.
The NotPetya attack became an escalated threat and set a new precedent: it showed the Sandworm group’s acceptance of wider collateral damage beyond the immediate Ukrainian targets, as the malware spread globally. Sandworm remains one of the most active and advanced cyber threat groups. They have been active on several fronts including destructive attacks, interference in democratic processes, and cyber espionage.
What should organisations continue to learn from the NotPetya attack? NotPetya highlighted the need for resiliency, backup, and preparation, as well as the importance of being able to track and identify the perpetrators and understand their motives. In terms of what can be done to mitigate the effects of these attacks, primarily, it is essential that patches are made available quickly and that they are widely adopted. If a discovered vulnerability can be exploited, it is highly likely that threat groups will use it, and continue to do so until it is fixed, inflicting untold damage. The NotPetya attack could have been mitigated by ensuring these updates to software were regularly conducted, as well as thorough assessments of a given organisation’s security, especially through simulated cyber breaches.