Post-Petya – it is painful, but manageable

Maureen Kaplan
Head of Sales, Vodafone Enterprise Security

In the wake of two high-impact, global ransomware attacks, WannaCry and Petya, there are some fundamental steps we can all take to minimise the risk of falling prey to malware in general, be it ransomware or other forms of cybercrime. We have captured them below as the 6 security essentials.

What happened with Petya?

A global outbreak of ransomware called Petya began spreading on June 27th 2017, affecting businesses across the globe – initial cases were reported in Ukraine, and it rapidly spread to at least 65 countries. Similar to WannaCry in May 2017, Petya encrypts a computer and demands a $300 ransom before unlocking it. It is a particularly persistent and aggressive form of ransomware which spreads through vulnerabilities in unpatched versions of Windows - the same flaws that allowed WannaCry to spread, causing significant business disruption. Indications are that this attack focused on business disruption rather than financial gain, since wiping of files on systems was a typical outcome.

Why and how does ransomware strike?

Ransomware is a form of cybercrime that has emerged over the last five years and commonly includes tricking an individual to open an email and clicking links within. These actions allow cyber criminals to automatically download software that encrypts files, effectively paralysing an organisation until a ransom is paid to release the software key needed to unencrypt the files.

Ransomware attacks are now common, but until recently have rarely been coupled with an exploit that allows the malware to spread as a network worm. The WannaCry attacks demonstrated that many Windows systems had not been patched for this vulnerability. The spread of Petya used this same vulnerability, indicating that many organisations did not fully update their systems, and may remain vulnerable.

What’s different about Petya?

The attack appears to have been embedded in a software application and executed upon a software update, rather than a user action of clicking a link. Petya works by modifying the Windows Master Boot Record (MBR), which causes the system to crash. When an employee reboots their computer, the modified MBR prevents Windows from loading, and instead displays a ransom note demanding payment from the victim. Because of Petya’s ‘worm capabilities’, it can move laterally across networks. This means that once the ransomware has entered a company’s network, it is able to spread without the need for further users to open corrupt emails.

So an entire business can be impacted from only one Petya-infected machine.

6 Cyber security essentials to be cyber ready

As evidenced by the scale of the attack and the speed of its growth, all organisations are potentially at risk from Petya. Organisations with (1) extensive legacy network systems, (2) weak user awareness training and (3) limited security monitoring and response should consider themselves at high risk.

1. Assess the scope of impact of the attack across your business. A Crisis Response Plan will ensure you are notified and take immediate action across your systems and users. Importantly, this will provide a framework to communicate effectively to your internal and external audiences.

2. Take immediate action. Act quickly to focus on critical systems and implement security patches related to the known vulnerabilities that underpin the attack. This includes ensuring that all non-supported Microsoft Windows products are upgraded to new(er) supported versions.

3. Review existing patch management systems and ensure proper processes are in place. Make sure that systems with critical data are maintained to current levels of security patching.

4. Use security solutions across the business. This includes protecting networks and endpoints, anti-virus, firewall and intrusion detection and prevention systems. All solutions must be kept up-to-date across the entire business.

5. Ensure effective back-up processes are a standard and continuous process, in which critical data is backed up and regular fire drill exercises are conducted to check the validity of backups and the speed of business recovery. This includes confirming that effective historic versioning of the backups themselves are held, because sleeping ransomware agents may already be embedded in the backup, which could render the backup useless.

6. Educate your workforce. It’s critical to run proper employee awareness programmes, making people aware of what they should look out for in emails, that they know how important this is and what to do if they are at all concerned.

It is painful … but manageable

Put simply, being cyber-ready is a result of effective management of people, processes and technology to minimise your risk profile. We need to get to a place where cyber security is embedded in the culture of businesses.

Network segmentation with appropriate security technology in place, is a critical step. With Petya, an initial attack spread laterally throughout a network after a software update infection. So by placing security appliances within the network to segment off critical systems, legacy environments and proprietary data sources, a worm traversing the network would have been stopped and damage minimised.

A key lesson from WannaCry was the need to test data recovery strategy. If you have set up a backup program and have it automatically executing for years, it is a painful lesson to find out that a corrupted backup has prevented appropriate data recovery because a periodic (quarterly) test was not performed.

By focusing on the essential security components and actively monitoring security events, organisations can minimize the impact of attacks.

Cyber security is a key concern for organisations of all sizes. Protecting devices, networks, data and apps is an essential component of doing business. Vodafone provides security products and services to businesses of all sizes, helping you secure your business anywhere because we are everywhere. We are trusted by organisations globally, including utilities, financial institutions and government agencies. For more cyber security insights, you can find us on LinkedIn.