When the news of NotPetya broke on June 27, 2017, the world was still recovering from WannaCry. As we shifted our attention to NotPetya, it appeared to be something familiar, something we are all slowly learning how to cope with: ransomware. But after a day or two, we realized it was something far worse. NotPetya is not traditional ransomware. It is what experts are calling a "wiper" or "wiperware," and it can cause even more damage. For most of those infected with this devastating malware, the odds of recovering files are poor.
In a stroke of luck for U.S. businesses, this attack was mostly contained to organizations in Ukraine and Eastern Europe, plus multinationals with offices there. But there is still a lot to learn from the havoc wreaked.
Wiperware like NotPetya has one goal: destruction. With no obvious financial incentive for the attackers, wiperware is pretty rare. Still, it holds an appeal for hacktivists, troublemakers, and certain cyber warfare groups. While the motivation behind NotPetya hasn’t been confirmed, the objective of NotPetya is obvious.
NotPetya was designed to spread quickly throughout an organization once it had a single foothold. Its primary infection point was M.E.Doc, a tax-filing application used by most businesses in Ukraine: the attackers compromised the vendor's update mechanism, so a routine software update delivered the malware. Once it has control of a machine, it harvests administrator credentials from memory and uses them, together with the SMB exploits EternalBlue and EternalRomance, to spread across the network through legitimate administration tools (PsExec and WMIC).
Once it gains access, NotPetya overwrites the disk's master boot record (MBR) and encrypts the master file table, and the "installation key" it shows victims is randomly generated, so there is no key to buy back. The disk cannot be restored even if the ransom is paid. It is clear that NotPetya was designed with the intention of causing serious, irreparable damage.
Every business needs to take proactive measures to be aware of these attacks and protect against them.
There are a variety of technical and operational measures you can put in place to help protect your business from wiperware and limit its impact in the event of an attack. The 11 measures outlined below are commonsense, proactive steps you can begin putting in place now, before the next NotPetya strikes.
We know you are hounded with this concept every day, but it is shocking how far down most to-do lists training falls. We like to divide training into two major categories when it comes to malware: cyber awareness training for general employees and technical cyber skills training for IT and security professionals.
With NotPetya, backups are the only way infected businesses are going to be able to recover. Important data needs to be backed up regularly to ensure it can be accessed in the event of an attack or disruption. Because NotPetya spreads with stolen administrator credentials, any backup target reachable with those credentials (a mapped share, a backup server joined to the same domain) can be wiped alongside the originals, so keep at least one copy offline or otherwise unreachable from the production network. Backups need to be maintained and tested consistently, and "tested" means actually restoring from them on a schedule, not just confirming that the backup job reported success. By backing up business-critical data this way, a wiperware attack could have a very small effect on your business, as you will be able to restore your most important data and keep operations going.
Beyond training your employees, you need to test them. Phishing is a very common attack vector, so launching an internal phishing campaign can help you identify where your employees need training. Phishing campaigns should be designed to test employees at every level, from admins to the CEO, and help identify breakdowns in processes and gaps in awareness. These campaigns should be followed by more rigorous training once you have identified areas of weakness. To help employees better identify malicious emails, your IT team can set up email banners that alert recipients when a message comes from outside the organization; because the banner is added by the mail server after the message is received, an attacker cannot suppress it by forging headers.
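The external-sender banner described above, as an added example that is not part of the original post: an Exchange mail-flow (transport) rule that tags every message from outside the organization in both the subject and the body. It assumes a PowerShell session connected to Exchange Online or on-premises Exchange with the *-TransportRule cmdlets available; the rule name and banner wording are assumptions for this example.

```powershell
# Added example (not from the original post): tag external mail with a banner.
# Assumes an Exchange / Exchange Online remote PowerShell session; the rule name
# and the banner text below are assumptions for illustration.
$bannerHtml = '<div style="background:#fff3cd;border:1px solid #856404;padding:6px;">' +
              '<b>EXTERNAL:</b> This message came from outside the organization. ' +
              'Do not open attachments or enable content unless you expected this email.</div>'

New-TransportRule -Name 'Tag external senders' `
    -FromScope NotInOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $bannerHtml `
    -ApplyHtmlDisclaimerFallbackAction Wrap   # if the HTML cannot be inserted, wrap the original instead of dropping the banner

# Verify the rule exists and is enabled before relying on it in training material.
Get-TransportRule -Identity 'Tag external senders' |
    Format-List Name, State, FromScope, PrependSubject
```

The FromScope NotInOrganization predicate matches senders outside your accepted domains, so internal mail is left untouched and the banner stays meaningful; if you later exempt trusted partners, do it with an explicit exception on the rule rather than by weakening the scope.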
Traditional antivirus software is backward-looking: it attempts to stop known viruses and malware based on vast sets of threat definitions, and when a new strain becomes known to the AV vendor, a signature for it is added. Heuristic and behavioral detection take a different approach. Instead of matching signatures, they look at what a program does, whether through static analysis of suspicious code patterns or by executing an unknown program in a sandboxed virtual environment and observing its effects before it reaches a real machine. This lets heuristic-based detection identify and block previously unknown strains of malware. It matters for NotPetya in particular: much of its spreading used legitimate administration tools (PsExec, WMIC) with stolen credentials, which no signature will flag, so behavior-based detection and monitoring are what stand a chance of catching it.
Frequently, malware arrives as a Word or PDF document or Excel spreadsheet attached to an email. Although social engineering and training exercises can help your employees identify suspicious emails, some emails are going to slip by, and these attachments can do serious damage. How each company should handle email attachments from external parties varies by business type, but every organization should carefully consider ways to analyze these emails without causing too much disruption to business operations. For some, it may be scanning suspicious attachments and sending notifications to IT; for others, it may be limiting the sending and receiving of emails with certain types of attachments. Email attachment analysis can also help you understand threat trends (like phishing tactics) specific to your organization so you can better educate your employees and prevent malicious emails from entering your organization.
As evidenced by NotPetya, exploits like EternalBlue (which was also used by WannaCry) continue to impact companies that fail to deploy patches. Microsoft fixed EternalBlue and EternalRomance in the MS17-010 update in March 2017, three months before NotPetya; every machine it compromised through SMB was one that had not received that patch. Organizations should have controls in place that require the regular review of security patches and installation of updates for software, hardware, network devices, applications, and virtual machines. This ensures your company is informed about the latest updates, the tools you rely on are secure, and there is a reliable log of the changes. Where a patch cannot be applied promptly, remove the attack surface instead: disabling SMBv1, which NotPetya's exploits require, is a compensating control that costs nothing on modern networks.
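A host check for the patching point above, as an added example that is not part of the original post: it reports whether any of the March 2017 MS17-010 packages is installed and whether SMBv1 is still enabled, and provides the remediation for the latter. It assumes an elevated PowerShell session on a Windows 8/Server 2012 or later host (Get-SmbServerConfiguration does not exist on Windows 7). The KB list is the set of MS17-010 packages as originally shipped and is not exhaustive; later cumulative updates supersede them, so a host can be patched without any of these IDs appearing, which is why the verdict is labelled "likely" and a vulnerability scanner remains the authoritative check.

```powershell
# Added example (not from the original post): is this host exposed to the SMBv1
# exploits NotPetya used? Assumes an elevated session on Windows 8 / 2012 or later.
function Test-SmbExposure {
    [CmdletBinding()]
    param()

    # MS17-010 package IDs by platform, March 2017 security-only and monthly rollups.
    # Not exhaustive: later cumulative updates supersede these and hide the IDs.
    $ms17010Kbs = @(
        'KB4012598',                           # XP / Server 2003 / Vista / 2008 / 8 (out-of-band)
        'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
        'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',              # Server 2012
        'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
    )

    $installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hasMs17010 = @($ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0

    # Server-side SMBv1 state, plus whether the optional feature is even present.
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1State   = if ($smb1Feature) { $smb1Feature.State.ToString() } else { 'NotPresent' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010KbFound    = $hasMs17010
        Smb1ServerEnabled = $smb1Server
        Smb1FeatureState  = $smb1State
        # Exposed only if SMBv1 is on AND no MS17-010 package is visible. A superseding
        # cumulative update can hide the KB, so confirm with a vulnerability scanner.
        LikelyExposed     = ($smb1Server -and -not $hasMs17010)
    }
}

# Remediation for the SMBv1 half: turn the protocol off server-side and remove the
# feature. A reboot is required for the feature removal to take effect.
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

Test-SmbExposure | Format-List
```

Run Test-SmbExposure across a fleet through Invoke-Command and collect the objects; any host reporting Smb1ServerEnabled as True should get Disable-Smb1 regardless of its patch state, since nothing on a modern network needs SMBv1.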
NotPetya makes a strong case for stringent least-privilege access policies. As we mentioned earlier, NotPetya harvests administrator credentials from memory on one device and then uses them to spread across an entire organization in minutes; an account with administrative rights on many machines is exactly what it is looking for. Companies should take the time to set up policies that ensure employees' access to networks and systems is limited to what their jobs actually require. In practice that means no routine use of domain-admin accounts on workstations (so there are no such credentials in memory to steal), a unique local administrator password on every machine (Microsoft's LAPS does this for free) so one stolen local password does not open every other host, and separate administrative accounts for separate tiers of systems. With so many tools available that let companies manage access policies, grant temporary access to systems, and review who has access to what, there is not really any excuse in this area. Least privilege is key to minimizing the impact a malicious attack can have.
Like least-privilege access, smart network segmentation can play a big role in limiting the reach of a malware attack. Your network should be segmented in a way that isolates and protects critical data and systems from the rest of the network, limiting your exposure to a single segmented zone in the event of a breach (or at least significantly slowing its spread). For NotPetya specifically, this means restricting SMB (TCP 445 and 139) and RPC (TCP 135, used by WMI and PsExec) between workstations, which have no business talking to each other over those ports; everything NotPetya did to spread went over them. Monitor and maintain your network segmentation regularly, restricting access to sensitive segments based on real business needs (again, following the principle of least privilege).
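Host-based segmentation of the lateral-movement ports described above, as an added example that is not part of the original post: it uses the Windows Firewall on each workstation, so it works even on a flat network where the switching fabric cannot be re-segmented quickly. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (in production the same settings belong in a GPO). The trusted management/server ranges and the peer workstation ranges are assumptions for the example and must be replaced with your own.

```powershell
# Added example (not from the original post): block workstation-to-workstation SMB/RPC
# with the host firewall. Ranges below are assumptions for illustration.
$trustedRanges     = @('10.10.50.0/24', '10.10.60.0/24')   # admin jump hosts, file/patch servers (assumed)
$workstationRanges = @('10.10.20.0/22', '10.10.30.0/22')   # peer workstation VLANs (assumed)
$lateralPorts      = @('135', '139', '445')                # RPC endpoint mapper, NetBIOS session, SMB

# 1. Make sure the inbound default is Block, so anything not explicitly allowed is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. The built-in File and Printer Sharing group allows SMB from any address; turn it off.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule

# 3. Re-allow the ports only from the ranges that legitimately need to reach workstations.
New-NetFirewallRule -DisplayName 'Allow SMB/RPC from trusted ranges' `
    -Direction Inbound -Protocol TCP -LocalPort $lateralPorts `
    -RemoteAddress $trustedRanges -Action Allow -Profile Domain, Private

# 4. Belt and braces: Windows Firewall lets an explicit Block win over any Allow, so this
#    rule keeps peer workstations out even if an application later re-enables the built-in
#    allow rules or adds its own "allow from Any".
New-NetFirewallRule -DisplayName 'Block lateral SMB/RPC from peer workstations' `
    -Direction Inbound -Protocol TCP -LocalPort $lateralPorts `
    -RemoteAddress $workstationRanges -Action Block -Profile Domain, Private

# 5. Audit: list enabled inbound Allow rules that still open TCP 445 to every remote address.
#    InstanceID in the output is the rule identifier; the result should be empty.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -eq 'Any' } |
    Select-Object InstanceID, RemoteAddress
```

These rules only govern inbound connections, so users can still reach file servers; what they lose is the ability of one compromised workstation to push a service or WMI call into the next one. Remote management tools that need SMB or WMI access to workstations must run from hosts inside the trusted ranges, which is also where they should be anyway.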
The problem with incident response plans is that if you don’t have any incidents, your plan is probably being neglected. Then, when an infection like NotPetya hits, you struggle because the tools, systems, and response roles in the plan are out of date. Incident response plans need to be reviewed and practiced regularly. Your cybersecurity, IT, and leadership teams should know their roles, and plans for restoring business-critical data should be thoroughly documented and regularly rehearsed.
NotPetya entered organizations through a backdoored update of the third-party application M.E.Doc, whose vendor then disclosed that its servers had not been updated since 2013. In this day and age, every company relies on third-party applications, tools, and systems to manage its business, and an update channel you trust automatically is a direct path onto every machine that runs the software. This means you need to build comprehensive risk profiles for each of your vendors so you have a complete picture of the risks they can pose to your organization and can respond accordingly. This typically starts with performing robust third-party due diligence around security and privacy and establishing strong communication with your vendors.
We have touched on this throughout this post, but non-stop monitoring and regular analysis of your security are critical. You can have top-of-the-line scanning or access management tools in place, but if you are not taking the time to analyze the data they give you, it is all for nothing. Your security and IT teams need to continuously monitor your networks, systems, applications, and backups, and test their defenses. For an attack like NotPetya, the signal is there in ordinary Windows logs: one account performing network logons to host after host within minutes, and PsExec-style service installations appearing on machines that are never administered that way. Without regular analysis of that data, detecting and responding to an attack and minimizing its impact on your organization becomes nearly impossible.
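A detection for the credential-reuse pattern described in the least-privilege and monitoring points above, as an added example that is not part of the original post. It flags any account that performs network logons (Security event 4624, logon type 3) to an unusual number of distinct hosts within a short window, and any PsExec-style service install (System event 7045 with the default PSEXESVC service name). The events are constructed sample records shaped like centralized Windows log entries, not real data; in practice feed the function from Get-WinEvent on a log collector or from your SIEM export. The thresholds, host names, and accounts are assumptions for the example.

```powershell
# Added example (not from the original post): spot one account fanning out over the
# network, plus PsExec service installs. Sample events below are constructed.
$sampleEvents = @(
    # An ordinary user reaching the file server once: should not alert.
    [pscustomobject]@{ Time=[datetime]'2017-06-27T10:30:10'; Id=4624; Host='FS-01';  Account='CORP\jdoe';       LogonType=3; SourceIp='10.10.20.41' },
    # One service account hitting six workstations in under four minutes: should alert.
    [pscustomobject]@{ Time=[datetime]'2017-06-27T10:31:02'; Id=4624; Host='WS-001'; Account='CORP\svc_backup'; LogonType=3; SourceIp='10.10.20.15' },
    [pscustomobject]@{ Time=[datetime]'2017-06-27T10:31:09'; Id=4624; Host='WS-002'; Account='CORP\svc_backup'; LogonType=3; SourceIp='10.10.20.15' },
    [pscustomobject]@{ Time=[datetime]'2017-06-27T10:31:44'; Id=4624; Host='WS-003'; Account='CORP\svc_backup'; LogonType=3; SourceIp='10.10.20.15' },
    [pscustomobject]@{ Time=[datetime]'2017-06-27T10:32:15'; Id=4624; Host='WS-004'; Account='CORP\svc_backup'; LogonType=3; SourceIp='10.10.20.15' },
    [pscustomobject]@{ Time=[datetime]'2017-06-27T10:33:01'; Id=4624; Host='WS-005'; Account='CORP\svc_backup'; LogonType=3; SourceIp='10.10.20.15' },
    [pscustomobject]@{ Time=[datetime]'2017-06-27T10:34:50'; Id=4624; Host='WS-006'; Account='CORP\svc_backup'; LogonType=3; SourceIp='10.10.20.15' },
    # A PsExec service install on one of those hosts (System log, event 7045).
    [pscustomobject]@{ Time=[datetime]'2017-06-27T10:32:40'; Id=7045; Host='WS-003'; Account='CORP\svc_backup'; ServiceName='PSEXESVC'; ImagePath='%SystemRoot%\PSEXESVC.exe' }
)

function Find-LateralMovement {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 10,   # assumed: tune to your environment
        [int]$HostThreshold = 5     # assumed: distinct hosts per account per window
    )
    $alerts = @()

    # 1. Service installs using PsExec's default service name.
    foreach ($e in ($Events | Where-Object { $_.Id -eq 7045 -and $_.ServiceName -match '^PSEXESVC' })) {
        $alerts += [pscustomobject]@{ Type='PsExecService'; Account=$e.Account; Host=$e.Host; Detail=$e.ServiceName; Time=$e.Time }
    }

    # 2. Sliding window: for each account, count distinct hosts reached by network logon
    #    within WindowMinutes of each logon; alert once per account when it crosses the threshold.
    $netLogons = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 3 } | Sort-Object Time
    foreach ($group in ($netLogons | Group-Object Account)) {
        $evs = @($group.Group)
        for ($i = 0; $i -lt $evs.Count; $i++) {
            $windowEnd = $evs[$i].Time.AddMinutes($WindowMinutes)
            $hosts = @($evs[$i..($evs.Count - 1)] |
                Where-Object { $_.Time -le $windowEnd } |
                Select-Object -ExpandProperty Host | Sort-Object -Unique)
            if ($hosts.Count -ge $HostThreshold) {
                $alerts += [pscustomobject]@{
                    Type    = 'FanOut'
                    Account = $group.Name
                    Host    = ($hosts -join ',')
                    Detail  = "$($hosts.Count) hosts in $WindowMinutes min"
                    Time    = $evs[$i].Time
                }
                break   # one alert per account is enough
            }
        }
    }
    $alerts
}

Find-LateralMovement -Events $sampleEvents | Format-Table -AutoSize
```

On the sample data this produces two alerts, one PsExecService for WS-003 and one FanOut for CORP\svc_backup, and nothing for the ordinary user. Backup and monitoring service accounts will legitimately trip the fan-out rule, which is the point: put those accounts on an allow-list with their expected source address, and anything else matching the pattern is worth a phone call within minutes rather than a forensic report weeks later.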
Nobody can be absolutely certain where the next global attack will come from, or whether it will be ransomware, wiperware, or something we’ve never seen before. But implementing best-practice security measures now will help ensure that the impact to your company is minimal, and your employees, customers, and reputation will be protected.
For more information on protecting your company from ransomware, wipers, and other threats, talk to one of our cyber security experts.