Lessons Learned from the NotPetya Ransomware Attacks

By now, nearly every digital business in the world has caught wind of the “NotPetya” (or “Petya variant”) ransomware attack. The epidemic rocked more than 2,000 organizations across 65+ countries last week, hitting everything from advertising agencies to financial institutions to a large number of major oil and gas companies. In all, NotPetya infected more than 12,000 devices worldwide, locking down hard drives and demanding a $300 ransom paid in bitcoin. But as cybersecurity experts dig into this massive attack, they are finding it is more complex, and more dangerous, than many other ransomware scares.

Ransom was never the point

NATO’s cyber defence centre now says it believes the NotPetya attack was most likely launched by a state actor (or a state-approved actor), part of the disturbing and rapidly growing trend of state-sponsored cyberattacks. Security researchers agree that profit (collecting on the ransom) was not the motive. Unlike most ransomware, which gives each victim a unique payment portal and identifier, NotPetya used a single hard-coded bitcoin wallet and told victims to email proof of payment and their “installation key” to one address. That mailbox was shut down by the email provider within hours of the outbreak, which cut off the only channel through which a victim could even ask for a decryption key.

NotPetya was a power move: all about destroying data and disrupting business

Instead of profit, experts say NotPetya was a show of power from state-sponsored hackers. The attack sent shock waves around the world by locking down the critical data that makes the digital business world go round. It was also far more virulent than typical ransomware. The UK National Cyber Security Centre highlighted several features that set it apart: once on a host, NotPetya harvests credentials from the infected computer and reuses them, through legitimate Windows administration tools, to log on to other machines across the network, so a single compromised administrator account is enough to carry it through an entire domain. Where no credentials are available it falls back on exploiting unpatched SMB services (the MS17-010 flaws), which is why it could jump between machines with no user action at all.
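The spreading behavior the NCSC describes leaves a recognizable trace in Windows Security logs: one account authenticating to many hosts within a couple of minutes, often accompanied by a service-install event for the remote-execution tool. The script below, an added example that is not from the original post or from Code42, runs that check over constructed event lines (not real telemetry). The flattened pipe-separated log format, the PsExec service name `PSEXESVC`, and the threshold of four distinct hosts in five minutes are assumptions chosen for the demonstration and should be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): Windows Security events flattened to
# "time|event_id|account|source_host|target_host|extra". 4624 = logon,
# 4648 = logon with explicit credentials, 7045 = new service installed.
SAMPLE_LOG = r"""
2017-06-27T10:01:03|4624|CORP\jsmith|WS-014|WS-014|LogonType=2
2017-06-27T10:02:11|4624|CORP\svc-admin|WS-014|FS-01|LogonType=3
2017-06-27T10:02:12|7045|CORP\svc-admin|FS-01|FS-01|Service=PSEXESVC
2017-06-27T10:02:15|4624|CORP\svc-admin|WS-014|WS-021|LogonType=3
2017-06-27T10:02:16|4624|CORP\svc-admin|WS-014|WS-033|LogonType=3
2017-06-27T10:02:18|4648|CORP\svc-admin|WS-014|DC-01|Process=wmic.exe
2017-06-27T10:02:20|4624|CORP\svc-admin|WS-014|WS-040|LogonType=3
2017-06-27T10:45:00|4624|CORP\backup|BK-01|FS-01|LogonType=3
2017-06-27T11:10:00|4624|CORP\backup|BK-01|FS-02|LogonType=3
"""


def parse_log(text):
    """Turn the pipe-separated lines into event dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        time_s, event_id, account, source, target, extra = line.split("|")
        events.append({
            "time": datetime.fromisoformat(time_s),
            "event_id": event_id,
            "account": account,
            "source": source,
            "target": target,
            "extra": extra,
        })
    return events


def is_remote_auth(event):
    """A network logon (type 3) to another machine, or a logon with explicit
    credentials: a credential being used against a remote host, which is how
    harvested admin credentials carry the infection across the network."""
    if event["event_id"] == "4624":
        return "LogonType=3" in event["extra"] and event["source"] != event["target"]
    return event["event_id"] == "4648"


def find_lateral_movement(events, threshold=4, window=timedelta(minutes=5)):
    """Return accounts that authenticated to >= threshold distinct hosts within
    one window. Fan-out this fast from a single source is the spreading
    pattern, not a human administrator's working day."""
    by_account = defaultdict(list)
    for e in events:
        if is_remote_auth(e):
            by_account[e["account"]].append(e)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # sliding window over the sorted events
            hosts = {e["target"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= threshold:
                alerts[account] = {"window_start": first["time"].isoformat(),
                                   "hosts": sorted(hosts)}
                break
    return alerts


def find_remote_service_installs(events, service_name="PSEXESVC"):
    """7045 events naming the PsExec service: a remote-execution tool was just
    installed on that host under the given account."""
    return [(e["target"], e["account"]) for e in events
            if e["event_id"] == "7045" and f"Service={service_name}" in e["extra"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for account, info in find_lateral_movement(evs).items():
        print(f"ALERT {account}: {len(info['hosts'])} hosts from "
              f"{info['window_start']}: {info['hosts']}")
    for host, account in find_remote_service_installs(evs):
        print(f"ALERT PsExec service installed on {host} as {account}")
```

On the constructed sample the service account is flagged for reaching five hosts in nine seconds, while the backup account, which touches two file servers 25 minutes apart, is not. The same logic is cheap to run continuously, and the alert fires minutes into an outbreak, which is exactly the window in which isolating the source host still limits the damage.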

NotPetya is not ransomware—it’s a “wiper”

In a blog post last Wednesday, top cybersecurity firm Kaspersky Lab concluded that “After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made.” The reason is that the “installation key” the ransom note tells victims to send is random data with no relationship to the key that actually encrypted the disk, so the attackers could not produce a working decryptor for any victim even if they wanted to. In other words, NotPetya is not ransomware, but rather a “wiper”: a type of malware designed specifically to destroy data in order to sabotage or disrupt business operations.

Regardless of what you call it, the NotPetya attack will (and should) dramatically impact how organizations approach data security and business continuity.

Takeaway #1: Ransomware is (state-sponsored) big business

We’ve been talking about the increasing sophistication of the ransomware black market for a few years now. But ransomware is now being pulled into the related and growing trend of state-sponsored cyberattacks. As we mentioned in our 2017 DBIR recap, almost 1 in 5 attacks (18%) in the last year involved state-affiliated actors. Organizations of all types—not just government entities—will increasingly be drawn into international cyberconflicts and/or become collateral damage in this new kind of cyberwarfare.

Takeaway #2: It never pays to pay the ransom

In this case, it is clear that NotPetya was never set up to give victims their data back. Even if they had paid ten times the asking price, the malware had no way to decrypt the hostage data. However, in the chaotic minutes, hours and days following the attack, most organizations did not know that. For those without reliable backups, paying the ransom seemed like their best option. But even with ransomware strains that are known to deliver a working decryptor, why would you ever trust criminals to hold up their end of the bargain? And if they do decrypt your data, what stops them from attacking again, now that they know you pay? There is no honor among thieves, and it never makes sense to pay the ransom.

Takeaway #3: Protect your business—protect your data

Ultimately, none of this has to be so scary. Whether you call it ransomware, malware, a wiper, or the data-stealing boogeyman, there is no good reason an organization should find itself paralyzed by this kind of attack. With a reliable and comprehensive endpoint data backup solution in place, you can be certain that you will never truly lose your data, and you will never even think about paying the ransom. Two conditions matter, though. First, the backup copies must be out of reach of the infected endpoint: NotPetya spread with harvested administrator credentials, so a backup that those same credentials can reach and overwrite is no backup at all; copies must be stored off the endpoint, versioned, and writable only by the backup service itself. Second, you need to be certain that your endpoint backup solution can deliver the fastest possible recovery, and that means testing restores before an incident, not during one. It should be purpose-built for fast device restores and ready to scale, in case an attack spreads to many users across your organization. Because every hour of downtime hurts, you need to be certain you can get back to business as usual in minutes, not days.

Want a deeper understanding of how and why ransomware is so quickly becoming a highly sophisticated business? Want to learn how you can protect, prepare and recover fast—no matter what happens? Read the Code42 white paper, The Business of Ransomware: What Every CXO Should Know.

