Petya ransomware – the new normal?

Simon Collins, Director, Cybersecurity, EY Advisory, reacts to the 'Petya' ransomware attack:

“For the second time in as many months we are seeing a large-scale cyber-attack campaign which is impacting businesses globally. Leaving the finer technical details aside, it is similar to the WannaCry attack widely reported in May.

Ransomware has been around for decades, only gaining prominence in the last 5 or so years as its impact has been felt by more victims globally. It’s a relatively straightforward form of extortion in that a computer typically becomes infected due to the user opening a malicious attachment in an email or, in this case, visiting a website which has been compromised and loaded with the malware. The malware proceeds to disable the computer and/or encrypt the user’s data (and any data on other computers which can be legitimately accessed by the user) and asks the user for a ransom payment in Bitcoin to give them access to their data again. While it appears that the primary intent of the attackers was to simply make relatively small amounts of money ($300-900) from a large number of victims, it’s likely that other motives may be uncovered in the future.

As with the WannaCry malware, the Petya ransomware also has the ability to automatically spread to computers within reach, without requiring any interaction from legitimate users. In this way it is more like self-propagating malware (commonly known as ‘worms’), which makes it a far bigger issue for companies and other organisations who rely on large networks of interconnected systems (as opposed to personal/home users whose networks are smaller and who can patch more easily).

In line with the majority of malware, the Petya malware exploits at least one already known vulnerability (for which a patch has been released), but also combines a variety of other techniques to propagate itself and infect other machines within targeted networks. So, while it would be very helpful for organisations to have applied the patch released by Microsoft back in March, it would not necessarily have stopped this attack.

The advice on how to protect yourself remains the same as ever:

  • Learn to recognise phishing emails: don’t click on web links or open attachments contained in them – roll out a continuous user awareness programme, ensuring users are trained at induction and at regular intervals so they can recognise and report on potential attacks.
  • Stay up-to-date with vendor fixes for whatever software you are using by applying patches regularly – put in place an organisation-wide vulnerability management programme to identify these vulnerabilities regularly and manage them through to when they are remediated.
  • Make regular backups of your important data, store them safely and test that they work.
  • Use a firewall to keep your computer protected from the Internet – and in this and the WannaCry case, disable access to the SMB and RDP protocols, at a minimum for computers directly connected to the Internet, and also consider doing so for all internal computers.
  • Ensure your Microsoft Windows account is a user-level account, not a privileged administrator one, as well as ensuring that users only have access to the data they need to, and nothing else.
  • Disable any features or network services you don’t need on your computer.

Given few victims pay up, the disruption caused by these kinds of attacks tends to be exponentially more impactful than the return for the attackers. It typically costs hundreds of millions of dollars for thousands of organisations impacted globally to respond (especially if they have been breached), while latest reports are that this current attack has netted the attackers $7,000, with the previous WannaCry attack only earning them $75,000.

Organisations impacted by this or the previous WannaCry attack should take it as a final wake-up call that cyber-attackers are not going away and basic cybersecurity measures can significantly reduce the risks of becoming a victim in the first place. Focus on educating your users to spot and prevent attacks (by not clicking where they shouldn’t) whilst also patching known vulnerabilities and making changes to how systems are configured in order to defend against the various techniques this current attack leverages.

We are in the very early stages of learning about this attack, particularly the finer technical details of how it is executed and therefore how best to respond. EY will continue to provide detailed technical updates as our research teams uncover further details of the attack.”
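The statement's checklist is deliberately non-technical, so the following is an added example (not part of the EY statement, and not EY's tooling) of what two of those items look like when applied on a single Windows host with built-in cmdlets: blocking inbound SMB and RDP at the host firewall for Internet-facing connections, turning off the SMBv1 server as an instance of "disable network services you don't need", and checking whether the current account is running with administrator rights. The firewall rule names are assumed for illustration; the cmdlets themselves ship with Windows 8/Server 2012 and later. It must be run from an elevated session.

```powershell
# Added example, not part of the EY statement. Rule names below are illustrative.
# Applies the statement's advice on an individual Windows host:
#   - block inbound SMB (TCP 139/445) and RDP (TCP 3389) on Internet-facing profiles
#   - disable the SMBv1 server (an unneeded legacy service on most hosts)
#   - verify the interactive account is not a privileged administrator
# Run from an elevated PowerShell session.

# Inbound block rules. The 'Public' profile covers connections Windows treats as
# untrusted / Internet-facing; pass -Profile Any to extend the block to internal
# networks, which the statement suggests considering for all internal computers.
function Block-InboundSmbRdp {
    param([string]$Profile = 'Public')
    $blocks = @(
        @{ Name = 'Example-Block-Inbound-SMB-139';  Port = 139  },
        @{ Name = 'Example-Block-Inbound-SMB-445';  Port = 445  },
        @{ Name = 'Example-Block-Inbound-RDP-3389'; Port = 3389 }
    )
    foreach ($b in $blocks) {
        # Idempotent: re-running the script must not create duplicate rules.
        if (-not (Get-NetFirewallRule -Name $b.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -Name $b.Name -DisplayName $b.Name `
                -Direction Inbound -Protocol TCP -LocalPort $b.Port `
                -Action Block -Profile $Profile -Enabled True | Out-Null
        }
    }
}

# Disable the SMBv1 server protocol. Newer SMB dialects keep working, so file
# sharing to modern clients is unaffected; only legacy SMBv1-only peers lose access.
function Disable-Smb1Server {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# The statement's least-privilege item: is the account running this session a
# member of the local Administrators role? Day-to-day use should return $false.
function Test-IsAdminAccount {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Summarise the host's state so the result can be recorded or fed to a compliance check.
function Get-HardeningReport {
    $ruleNames = 'Example-Block-Inbound-SMB-139',
                 'Example-Block-Inbound-SMB-445',
                 'Example-Block-Inbound-RDP-3389'
    $present = foreach ($n in $ruleNames) {
        [bool](Get-NetFirewallRule -Name $n -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        FirewallBlocksPresent = -not ($present -contains $false)
        Smb1ServerEnabled     = (Get-SmbServerConfiguration).EnableSMB1Protocol
        RunningAsAdmin        = Test-IsAdminAccount
    }
}

Block-InboundSmbRdp -Profile 'Public'
Disable-Smb1Server
Get-HardeningReport | Format-List
```

Two practical points: blocking TCP 3389 inbound also blocks legitimate remote administration of that host, so servers managed over RDP need an allow rule scoped to the management network before the block rule is applied, and the SMBv1 change should be tested against any legacy devices (printers, NAS appliances) that still speak only SMBv1 before being rolled out fleet-wide via Group Policy rather than host by host.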

Article Published: 30/06/2017