We are now living in the age of the cyber plague. While much of the world is still scrambling to patch systems and clean up from the fallout of the WannaCry ransomware attack, a new threat has emerged. The (not)Petya ransomware attack leverages the same Eternal Blue exploit developed by the NSA and leaked by the group calling itself the Shadow Brokers, but the new variant is smarter and more insidious.
(Not)Petya is a morphed version of WannaCry. It relies primarily on Eternal Blue just as WannaCry did. However, it has learned a few new tricks.
- No Kill Switch: For starters, there doesn’t appear to be a kill switch URL, so (Not)Petya can’t be shut down simply by purchasing a domain name.
- Lateral Movement: The new attack also includes additional exploits it can use to move laterally through the network and infect other devices.
- New Unmanaged Devices: The attack was reported to have hit point-of-sale systems and ATMs, in addition to laptops and desktops.
There is no doubt the timing was terrible. Organizations are up to their necks patching against Eternal Blue. Unfortunately, it only takes one vulnerable machine for (Not)Petya ransomware to infiltrate the network. The vulnerable device can conceivably be infected, and then infect other, already patched systems across the network using additional exploits, which is why it has spread so effectively across organizations.
There are already hundreds of analyses and post mortems, and there will be hundreds more to come. There is the question of whether this was the work of cyber criminals or nation-state actors. The specific exploits involved and the tactics used by this attack are worthwhile to investigate and understand. But the most important thing you need to know is not why these attacks happened, but that they did, and they will happen again.
The underlying exploits are not necessarily that sophisticated or special. What makes the attacks dangerous is that attackers are unrelenting. The attacks will morph and evolve. Faster than you can recover from the previous attack, a new version will come at you. In other words, these threats are not going away and patching alone will not work.
The reality is that network defenses are relatively weak. Traditional security and applying patches are both necessary, but many unmanaged devices connected to the network may never be properly patched or updated.
There is a more effective way to defend against this cyber plague. Here are three things you can do to prepare yourself for the next ransomware attack.
1. Device Discovery and Risk Assessment
The first step in effectively defending the devices and assets on your network is knowing what they are. You need an accurate inventory of the devices connected to your network, as well as the operating systems and applications running on them. This way you can assess the associated risk.
2. Shore Up Your Defenses
Implementing some security best practices can go a long way to proactively limit the potential damage an attack can inflict. You should segment the devices on your network and restrict connectivity in a logical manner so that you can contain the spread of an attack without impeding legitimate network traffic or affecting productivity.
3. Detect and Quarantine
The next attack will come. There will be another Petya ransomware attack. It's a matter of when, not if. Even if you've effectively limited connectivity between devices on different segments of the network, you need to be able to identify suspicious device activity and lateral movement across your network. Anomalous activity can indicate a compromised device, and you need to be able to quarantine any such devices to prevent an attack from spreading.
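As an added illustration of the detection step above (example code, not from the original post or any product it describes), the following flags a host that opens SMB (tcp/445) sessions to an unusual number of distinct peers within a short window, the fan-out pattern a worm spreading over Eternal Blue produces, while a client repeatedly talking to one file server stays quiet. The flow-log format and the addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not from the original post). Columns: timestamp,
# source, destination, destination port. 10.0.1.15 fans out over SMB (tcp/445)
# to many peers within seconds; the other hosts show ordinary file-server use.
SAMPLE_FLOWS = """\
2017-06-27T10:00:01 10.0.1.15 10.0.2.40 445
2017-06-27T10:00:02 10.0.1.15 10.0.2.41 445
2017-06-27T10:00:03 10.0.1.15 10.0.2.42 445
2017-06-27T10:00:04 10.0.1.15 10.0.2.43 445
2017-06-27T10:00:05 10.0.1.15 10.0.2.44 445
2017-06-27T10:00:06 10.0.1.15 10.0.2.45 445
2017-06-27T10:00:07 10.0.1.15 10.0.2.46 80
2017-06-27T10:00:01 10.0.1.20 10.0.2.5 445
2017-06-27T10:00:20 10.0.1.20 10.0.2.5 445
2017-06-27T10:00:30 10.0.1.30 10.0.2.5 445
2017-06-27T10:00:40 10.0.1.30 10.0.2.60 445
2017-06-27T10:05:00 10.0.1.30 10.0.2.61 445
"""


def parse_flows(text):
    """Parse the whitespace-separated flow lines into (time, src, dst, port)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def smb_fanout_alerts(records, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak_peer_count} for hosts reaching at least `threshold`
    distinct peers on tcp/445 inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(records):
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts
```

Hosts returned by `smb_fanout_alerts` are the quarantine candidates; tune `threshold` and `window` against a baseline of your own network's normal SMB behaviour before acting on them automatically.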
The sky is not falling. But the simple fact is that the threat landscape is constantly evolving. As long as you recognize that the attack vectors are changing, and take steps to adapt and effectively defend your network, you can protect yourself against the next ransomware attack. And the ones after that as well.