How Can We Protect Against NotPetya Like Malware?

Today is the five-year anniversary of NotPetya. We asked InfoSec experts the following question; their responses are below:

What do you think of the five-year anniversary of NotPetya?

Roya.gordon, OT/IoT Security Research Evangelist
InfoSec Expert
June 28, 2022 2:17 pm

“Five years ago, the NotPetya cyberattack changed the way the world views ransomware attacks as a real cyber threat that could bring critical infrastructure to its knees.

Five years later, ransomware is still being used heavily by threat actors as a double-edged sword on their victims. On one side, it’s the typical financially motivated ransomware demand (coupled with data exfiltration and name and shame), and on the other side, it can be a destructive OT attack. So, with a ransomware attack on a critical infrastructure company, the data encryption can affect both business/IT (billing, communications, etc.) and operations/OT (production, visibility into ICS, safety), which essentially leads to loss in revenue.

The scale of the NotPetya ransomware attack has also showcased that an attack on the software supply chain can have a rippling effect. However, the industry did not really “learn” from its mistakes, as since 2017 we have seen severe software supply chain attacks like SolarWinds, Log4j, etc.

Since that day, ransomware attacks have become more frequent and destructive. Not only is the ransom demand significantly higher, but the creation of the “name and shame” side added pressure on victims to pay the ransom. Despite this, negotiating with hackers will always be a losing game, as even when the ransom is paid, threat actors still tend to disappear without decrypting the files, or sell the stolen data on the dark web.”

Brian.hymer, Solutions Architect
InfoSec Expert
June 28, 2022 2:09 pm

“NotPetya holds the crown as one of the most destructive cyberattacks in our history, costing over $10 billion in damages in 2017 alone. It spread around the globe and infected thousands of machines in less than 3 hours.

The uniqueness of the NotPetya malware was that, unlike its less successful predecessor (the Petya malware), it aimed to destroy rather than blackmail. The attackers tweaked the key (on the ransomware notification screen) so it was no longer valid, which means that NotPetya was just destructive malware. The attack acted as a wake-up call for many companies and highlighted that viruses do not respect corporate, political, or geographic boundaries, meaning that your organisation could simply become collateral damage when a business partner is attacked. In fact, some of the biggest damages were suffered by shipping giant Maersk – 45,000 computers got encrypted, including all but one of their Active Directory Domain Controllers, and lucky for them, because, as one Maersk IT staffer mused: “If we can’t recover our domain controllers…we can’t recover anything.”

Maersk learned that the recovery of Active Directory is not only critical, but uniquely challenging. Organisations must ensure they have a dedicated AD recovery plan in place to get their business back up and running as quickly and securely as possible. Unlike conventional weapons, cyber weapons can essentially be picked up and repurposed by the enemy, and companies need to be prepared for recovery, by prioritising, planning, and testing at least annually, especially as there’s always the possibility that some vulnerabilities cannot be patched.”

Alex Hinchliffe, Threat Intelligence Analyst
InfoSec Expert
June 28, 2022 2:01 pm

“NotPetya was notable for leveraging the EternalBlue vulnerability – the same used by WannaCry. It also included two additional attack vectors that were tried and tested from previous malware attacks to ensure the threat could spread even if MS17-010 was patched. It was of great concern to many, given the prevalence of the exploit used and its spreading capabilities.

Whilst worms were not common at the time of the NotPetya attack, we have subsequently seen attacks leveraging similar exploits and methods to spread. As if this was not already a challenge, organisations today use far more software than they did in 2017, making it more likely that there are vulnerabilities that could be exploited. Even before this period, patching vulnerabilities was high on the priority list; ever since it has been essential.

Nonetheless, patching everything across an organisation’s network at all times is impossible. Organisations should prioritise systems based on how critical they are to their operations and how under threat they are according to the latest threat intelligence.

NotPetya was not only another attack that highlighted the growing volume and complexity of cyberthreats, but it went further to erode trust in our digital age. NotPetya was delivered to victims in a supply chain attack leveraging legitimate software – with inherent trust – which often masks malicious activity within the benign, making it harder to detect. More recent examples of supply chain attacks include SolarStorm, which leveraged the legitimate Orion software from SolarWinds.

Every time we read about another organisation that has been breached, we can all learn from that situation by sharing as much intelligence as can be gathered. So, as a security community, we can work together to maintain trust and security in today’s digital age. Five years on, NotPetya is an important reminder for all organisations to take a serious look at the people, process, and technology aspects of securing their organisation. Doing so is the basis of implementing a prevention-oriented, platform-based approach to stop attacks as early in the attack lifecycle as possible.

The most effective strategy for stopping potential ransomware or destructive infection relies on preventing it from entering your organisation in the first place. If you receive an alert that an infection has occurred, it is likely already too late, as sensitive files can be encrypted or damaged within minutes from the initial compromise. However, if you follow these three steps, your organisation can avoid the full-scale impact of attacks like NotPetya:

  1. Preparation: Having a solid backup and recovery strategy in place is the key to recovery if the worst were to happen.
  2. Prevention: Segment your network, control access, stop known malware, and quickly detect and prevent unknown malware as it arises. For this reason, it’s important to implement a prevention-oriented, platform-based approach to stop attacks as early in the attack lifecycle as possible.
  3. Response: Understand the context around the latest threats, their targeting, their Tactics, Techniques and Procedures (TTPs), and the ability to quickly understand all indicators of compromise (IOCs) used by the malware. Have a plan in place for engaging incident responders and the appropriate law enforcement agencies, as well as a clear idea as to how you will operate your business in parallel to an ongoing cyber attack.”