Level 3 Communications

Dale Drew

Another Ransomware Attack? Welcome to The New Normal

What happens when you combine the structure and focus of organized crime with the sophistication and scale of a nation state? You have two global ransomware attacks unlike the industry has ever seen before. Welcome to the new normal.

On Wednesday, another global ransomware attack called Petya was unleashed, reportedly impacting over 12,000 computers, encrypting their hard drives and rendering them useless.

Petya used an exploit discovered by the NSA and released by the hacking group Shadow Brokers, where it encrypted data (this time, on hard drives rather than individual files) and demanded $300 USD in Bitcoin. Called EternalBlue, the exploit is a Server Message Block (SMB) exposure affecting primarily Windows machines, and provides the type of exposure Nation States strive for: an application that is well-entrenched within the internet and widely used by private companies and government agencies alike.

Unlike WannaCry, which was distributed by scanning for vulnerable internet systems running SMB on the public internet, Petya was distributed internally via a supply chain dependency through an accounting software application called MeDoc. The bad actors apparently added their exploit to a MeDoc update distribution which then made its way to customers, compromising company internal systems by leveraging the EternalBlue exploit. 

Many companies protected their public visibility to EternalBlue, but apparently not their internal susceptibility, which allowed Petya to spread quickly on a global scale. Petya was particularly destructive in nature since it encrypted the user’s Master Boot Record (MBR), locking users out of the system and rendering the entire computer unusable. 

WannaCry and Petya represent a new age of extortion-related attacks where organized crime outfits look for exploits that will give them the largest number of victims in the shortest amount of time. Instead of “targeted” ransomware, which operates on the hope of high percentage participation of pay from specific victims, this is more of a ransomware “spam” technique. It attempts to infect as many people as possible, so even with a smaller participation percentage, it pays more than concentrated targeted attacks. 

In addition, Petya also added the element of supply chain dependency – companies that accept updates from vendors directly into productions. While this is not the first major company compromise from a supply chain vendor attack (Target, etc.), it is something other cyber criminals will take note of.  

So, what can you do to protect yourself? Here are a few recommendations:

  • Back up your critical data.
  • Patch your systems as quickly as possible.
  • Segment your production and user systems to contain the spread of infections and compromises.
  • Educate your users on the dangers of phishing.
  • Accept new updates from your supply chain in a test environment first, and monitor that test environment for infections.
  • Ask your security vendors for specific signatures for the Shadow Brokers exploits, so you can determine when someone is trying to use them in your environment.
  • Do not pay ransomware. You rarely get your files back. More importantly, you are branded as someone who will pay.
  • Contact your ISP to help track and block attacks against your internet access points.

For more on how to protect your business from a ransomware attack, check out Dale’s blog “Ransomware: A Real Horror Story.”