This attack seems at first glance to be very similar to the recent Wannacry attack that had such a serious effect on the NHS amongst other victims.
It seems to utilise similar code, including elements such as the EternalBlue exploit disclosed through Shadow Brokers, and it uses similar tactics to spread from one infected area to other connected systems. Where it appears to differ is that it seems to be more about stealing credentials and using them than about making money for the criminals. It is being suggested that this is more likely to be the work of a nation state than a criminal gang, although there is as yet no proof one way or the other. The effect of this attack is significant, as it was for Wannacry, and it is also being suggested that disruption is the prime motive behind the attack. There is some debate as to whether this is a ransomware attack or a wiper virus attack. The difference between these two is, in the end, irrelevant since the effect is basically the same – no access to the files of the organisation.
The protection against these sorts of attacks, and the way to prevent them having a serious effect on systems, continues to be very straightforward.
- The first action is to patch the vulnerabilities as the patches are issued. It is interesting to note that where the Petya attack encountered the Microsoft patch (MS17-010) which addressed the vulnerability it tried to utilise, Petya exfiltrated the credentials of the admin accounts instead, for use elsewhere.
- The second action is to ensure there are ample backups, notably offline as well as online, in order to facilitate the recovery of files should the encryption be successful. Again, it is interesting to note that the “unlock” encryption key that in theory would be used by the Petya attackers to release the files when the ransom was paid did not actually appear to work or be effective.
- The third action is to ensure that those with admin privileges on systems (notably those dealing with core or business-critical systems) do not use their admin account for normal day-to-day activity such as emailing.
In a more holistic view, this attack emphasises again that the controls used to protect organisations’ systems against cyber threats must be effective and operating at a level of maturity that ensures they are agile in operation. The speed at which the configuration of system components can be updated to address particular attacks is critical. Maturity level 5 is required so that controls are continually optimised through good service management practice.
APMG’s maturity assessment tool, CDCAT® would provide an evidence-based independent view of the maturity level of the most critical controls and can be completed within a few hours for any system.