“NotPetya”
Table of Contents
Introduction
Background
Objective of the report
Development and Origins
Combination of NotPetya
i. Initial Dropper
ii. Propagation Mechanism
iii. Credential Theft
iv. Encryption
Global Reach and Affected Industries
Lessons Learned and Prevention Strategies
Future Outlook and Evolving Threat Landscape
Case studies
Technical aspect of the attack of Ukraine
Target and motivation of the attack
Effects of the attack
Responses to the attack
What should have been done?
Introduction
NotPetya was a destructive ransomware that emerged in 2017. It targeted Windows systems and caused widespread disruption. Though it initially appeared to be a ransomware attack, its true purpose was to cause damage rather than make money. NotPetya spread rapidly through networks, exploiting vulnerabilities and stolen credentials. It primarily targeted businesses and organizations, particularly in Ukraine. The malware caused significant operational disruptions and financial losses for many affected organizations. It is believed to have originated from Russia, although the exact motives and origins remain disputed. NotPetya served as a reminder of the need for strong cybersecurity measures and proactive strategies to protect against highly destructive malware.
Background
The NotPetya cyberattack, also known as ExPetr, occurred on June 27, 2017, and had a significant global impact. It targeted organizations across various industries, affecting both public and private sectors. Originating in Ukraine, the attack quickly spread to other countries, including Russia, the United States, the United Kingdom, and many European nations, disrupting critical infrastructure such as power grids, transportation systems, and financial institutions. Initially disguised as a variant of the Petya ransomware, NotPetya proved to be far more destructive and had different operational characteristics. Its primary objective appeared to be disruption rather than financial gain, setting it apart from traditional ransomware.
NotPetya utilized various techniques and tools to propagate rapidly within networks, exploiting vulnerabilities in Microsoft Windows systems through the EternalBlue and EternalRomance exploits leaked by the group “The Shadow Brokers” in 2017. These exploits targeted weaknesses in the Server Message Block (SMB) protocol, enabling lateral movement and the infection of interconnected systems. Even weeks after the initial outbreak, NotPetya continued to affect companies across multiple industries. Researchers concluded that NotPetya and Petya are unrelated: the analyzed NotPetya binary was identified as a variant of the “GoldenEye” Petya variant, but it was not modified directly from the GoldenEye source; it had been manually patched. This ransomware was potentially more devastating than WannaCry because it did not depend on unpatched systems alone to spread. Although patching was crucial to stop propagation via the EternalBlue/EternalRomance exploits, NotPetya also harvested SMB and user credentials from infected hosts and used them to propagate within networks. A single infected machine within an organization could therefore compromise the entire network.
NotPetya had a significant impact, causing severe disruptions and financial losses across various sectors, including banking, healthcare, manufacturing, logistics, and government entities. The attack exposed vulnerabilities in critical infrastructure, emphasizing the importance of robust cybersecurity measures in today’s digital world. The attribution of NotPetya remains under investigation and debate, with potential links to state-sponsored actors like the Russian military intelligence agency GRU. However, no definitive attribution has been officially confirmed.
Objective of the report:
i. Provide the background on the NotPetya cyberattack.
ii. Describe the combination of exploits and components that made up NotPetya.
iii. Present a case study of Ukraine.
Development and Origins:
NotPetya, a highly destructive ransomware, emerged as a modified version of the Petya ransomware. It leveraged two well-known tools, the EternalBlue exploit and the Mimikatz credential-dumping tool, against vulnerabilities in older versions of Windows.
EternalBlue, a powerful exploit, was originally developed by the U.S. National Security Agency (NSA) but was disclosed in a significant data breach in early 2017. This exploit allowed unauthorized remote access to systems, enabling attackers to execute their own code. It became a widely sought-after tool for malicious actors because of its ability to penetrate systems and propagate rapidly. Mimikatz, on the other hand, was a proof-of-concept tool publicly revealed by the French security researcher Benjamin Delpy in 2011. It demonstrated that user passwords held in memory on Windows machines could be extracted and reused for various attacks, either manually or in automated, multi-user/multi-machine scenarios.
By combining the capabilities of EternalBlue and Mimikatz, NotPetya became a formidable weapon. Unlike traditional trojans, it did not require user interaction to spread, making it highly efficient. The malware propagated rapidly across networks, encrypting victims’ systems and files, rendering them inaccessible. The ransom demand was used as a cover, as the encryption process was irreversible, leading many to believe that the attackers’ primary intent was to cause widespread damage rather than financial gain.
The development and origins of NotPetya have been subject to intense speculation and attribution challenges. While security experts and intelligence agencies have linked the attack to state-sponsored actors, particularly the Russian military intelligence agency GRU, conclusive evidence establishing definitive attribution remains elusive. The attack primarily targeted organizations in Ukraine, leading to suspicions of geopolitical motivations given the tense relationship between Ukraine and Russia at the time. However, it is crucial to note that attributing cyberattacks accurately is a complex process often hindered by obfuscation techniques and false flags, making definitive conclusions difficult to reach.
Combination of NotPetya:
NotPetya was a modified version of Petya, using two known tools against older Windows versions: EternalBlue and Mimikatz. The former is a digital skeleton key that was disclosed in a catastrophic NSA data breach in early 2017; it lets outsiders gain remote access and run their own code. The latter is a proof-of-concept tool made public in 2011 by Benjamin Delpy, a French security researcher. Delpy’s discovery showed that user passwords on Windows machines persisted in memory and could be extracted from RAM and reused for single or automated, multi-user/multi-machine attacks. Together, these made NotPetya a perfect weapon. It did not require user action as a trojan would, and it was fast: it simply and rapidly traveled from one system to another using harvested admin credentials. A large Ukrainian bank’s network was taken down in 45 seconds, and part of the country’s transit hub was fully infected in 16 seconds.
NotPetya was primarily composed of the following components:
- Initial Dropper: The attack started with a dropper, a small executable or exploit that initiated the infection process. The dropper was delivered through a compromised software update mechanism, i.e. a supply-chain attack, specifically targeting the Ukrainian accounting software M.E.Doc. There is evidence that the attack started from M.E.Doc, which was used widely in Ukraine because the Ukrainian government required tax reports to be filed with it. The attackers first hijacked the M.E.Doc update servers, gathered information from them and created a false update, which was then distributed to all computers running the M.E.Doc software.
- Propagation Mechanism: Once inside a network, NotPetya utilized various techniques to propagate itself laterally. It scanned for vulnerable Windows systems and exploited security weaknesses, such as the Server Message Block (SMB) protocol vulnerability targeted by the EternalBlue exploit (originally developed by the U.S. National Security Agency).
- Credential Theft: NotPetya also incorporated credential theft. Once running, the malware intercepted passwords and captured administrative privileges with a credential-dumping tool like Mimikatz, harvesting login credentials from compromised systems. These stolen credentials were then used to move laterally across the network, gaining access to more systems and widening the scope of the infection.
- Encryption: NotPetya encrypted the Master File Table (MFT), a critical component of the NTFS file system. By encrypting the MFT, NotPetya rendered the entire file system inaccessible. It used a combination of encryption algorithms, including a modified version of the open-source disk encryption tool DiskCryptor. The exact encryption scheme used by NotPetya is not publicly disclosed, but it is believed to combine symmetric and asymmetric methods: symmetric encryption uses a single key to both encrypt and decrypt data, while asymmetric encryption uses a key pair, a public key for encryption and a private key for decryption.
Global Reach and Affected Industries:
NotPetya had a global impact, affecting organizations across various industries. It heavily targeted industries such as finance, healthcare, manufacturing, shipping, and logistics. Large multinational corporations and critical infrastructure providers were particularly vulnerable to the attack.
- Financial Losses: The financial consequences of the NotPetya attack were significant. Organizations faced direct costs related to ransom payments, recovery efforts, and legal expenses. Indirect costs, including business interruption, lost productivity, and reputational damage, were also substantial. The financial burden imposed by the attack placed a strain on the affected organizations.
- Operational Disruptions: NotPetya caused widespread operational disruptions, leading to system downtime, loss of critical data, and delays in business operations. Some organizations struggled to fully recover from the attack, resulting in prolonged disruptions and service outages. The attack severely hampered the ability of affected organizations to maintain their normal functioning and meet customer demands.
- Reputational Damage: The reputational damage inflicted by NotPetya was severe. Organizations that failed to adequately protect their systems and customer data suffered a loss of trust from their clients, stakeholders, and the public. Rebuilding trust and restoring a positive reputation proved to be a challenging and time-consuming process. The reputational fallout further compounded the overall impact of the attack on the affected organizations.
Lessons Learned and Prevention Strategies
- Patch Management and Software Updates: Regularly applying patches and updates to systems and software is crucial to address vulnerabilities that can be exploited by malware like NotPetya. Organizations should prioritize timely patch management and ensure that all systems are up to date.
- Robust Network Segmentation: Implementing strong network segmentation helps contain the spread of malware within a network. By dividing networks into isolated segments, organizations can limit the lateral movement of malware and minimize its impact.
- Multifactor Authentication and Strong Password Policies: Enforcing strong password policies and implementing multifactor authentication adds an extra layer of security, reducing the risk of unauthorized access and credential theft.
- Regular Data Backups and Offsite Storage: Regularly backing up data and storing it offsite or on isolated networks is crucial for system restoration in the event of an attack. Periodic testing of backups ensures their integrity and reliability.
- Employee Awareness and Training: Educating employees about cybersecurity best practices, raising awareness about phishing attacks, and promoting safe browsing habits are essential. Regular training sessions and simulated phishing exercises can enhance employee awareness and reduce the likelihood of successful attacks.
- Continuous Monitoring and Threat Hunting: Implementing continuous monitoring and proactive threat hunting allows organizations to detect and respond to potential threats in real time. By monitoring network activity, analyzing logs, and employing advanced threat detection technologies, organizations can identify and mitigate threats before they cause significant damage.
- Regular Security Assessments and Penetration Testing: Conducting regular security assessments and penetration testing helps identify vulnerabilities and weaknesses in an organization’s systems and infrastructure. By simulating real-world attacks, organizations can uncover potential entry points and address them proactively, strengthening their overall security posture.
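The credential-theft component described earlier and the monitoring item above both come down to the same observable: a harvested account authenticating to an unusual number of hosts within seconds. The following is an added example, not code from the report, showing one such detection rule run over constructed Windows logon events. The event lines, account names and host names are all made up for this example, and the field layout only loosely mirrors a Security event 4624 export (time, event id, account, source host, target host, logon type); the window and threshold are assumptions a defender would tune to their own environment.

```python
"""Detect credential-reuse lateral movement in Windows logon events.

Added example (not from the report): one account performing network
logons (logon type 3) to many distinct hosts inside a short window is a
cheap, high-signal indicator of the credential reuse NotPetya relied on.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: time, event id, account, source host, target host, logon type.
SAMPLE_EVENTS = """\
2017-06-27T10:30:01 4624 CORP\\svc_backup WS-0412 FILESRV01 3
2017-06-27T10:30:02 4624 CORP\\svc_backup WS-0412 FILESRV02 3
2017-06-27T10:30:02 4624 CORP\\svc_backup WS-0412 HR-PC-07 3
2017-06-27T10:30:03 4624 CORP\\svc_backup WS-0412 HR-PC-08 3
2017-06-27T10:30:03 4624 CORP\\svc_backup WS-0412 FIN-PC-01 3
2017-06-27T10:30:04 4624 CORP\\svc_backup WS-0412 DC01 3
2017-06-27T10:30:04 4624 CORP\\svc_backup WS-0412 FIN-PC-02 3
2017-06-27T10:31:10 4624 CORP\\jdoe WS-0101 FILESRV01 3
2017-06-27T10:31:20 4624 CORP\\jdoe WS-0101 WS-0101 2
2017-06-27T11:02:00 4624 CORP\\svc_backup WS-0412 FILESRV01 3
2017-06-27T11:45:00 4624 CORP\\svc_backup WS-0412 FILESRV02 3
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src, dst, logon_type = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "src": src,
            "dst": dst,
            "logon_type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_fan_out(events, window=timedelta(minutes=5), max_hosts=5):
    """Alert when an account reaches max_hosts distinct targets via
    network logons (type 3) inside any sliding window of `window`.
    After an alert the account's window is reset so a later burst
    produces a fresh alert instead of being swallowed."""
    recent = defaultdict(deque)  # account -> deque of (time, target host)
    alerts = []
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue  # only successful network logons are of interest here
        q = recent[e["account"]]
        q.append((e["time"], e["dst"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()  # drop entries that fell out of the window
        hosts = {dst for _, dst in q}
        if len(hosts) >= max_hosts:
            alerts.append({
                "account": e["account"],
                "source": e["src"],
                "first_seen": q[0][0],
                "last_seen": e["time"],
                "hosts": sorted(hosts),
            })
            q.clear()
    return alerts


def run_detection(text=SAMPLE_EVENTS, **kwargs):
    """Convenience wrapper: parse the text and return the alert list."""
    return detect_fan_out(parse_events(text), **kwargs)


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['account']} from {a['source']} reached {len(a['hosts'])} hosts "
              f"between {a['first_seen']} and {a['last_seen']}: {', '.join(a['hosts'])}")
```

On the constructed sample the rule fires once, for the service account that touches five hosts in two seconds; the normal user and the same account's later single logons stay silent. The same logic applies unchanged to a real 4624 export once the parser is swapped for the organisation's log format.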
Future Outlook and Evolving Threat Landscape
Technological Advancements and Adaptation: The future outlook of cybersecurity is closely tied to technological advancements and the ever-evolving threat landscape. As technology continues to advance, new vulnerabilities and attack vectors will emerge. It is crucial for organizations to adapt to these changes by continuously updating their security measures, staying informed about emerging threats, and leveraging advanced technologies to strengthen their defenses.
Artificial intelligence (AI) and machine learning (ML): Artificial intelligence (AI) and machine learning (ML) are expected to play a significant role in cybersecurity. These technologies can be used to analyze vast amounts of data, detect anomalies, and identify potential threats in real-time. AI-powered solutions can enhance threat detection, automate incident response, and improve overall security effectiveness.
Cloud computing and the Internet of Things (IoT): Cloud computing and the Internet of Things (IoT) present both opportunities and challenges. While cloud services offer scalability and flexibility, organizations must ensure robust security measures are in place to protect their data and applications. With the proliferation of IoT devices, securing interconnected networks and managing vulnerabilities in these devices will be crucial.
Defense and Detection Enhancements: As cyber threats become more sophisticated, defense and detection mechanisms need to keep pace. Next-generation firewalls, intrusion detection and prevention systems (IDPS), and advanced endpoint protection solutions are continually evolving to address emerging threats.
Threat intelligence platforms and sharing networks are becoming more prevalent, enabling organizations to access up-to-date threat information and collaborate with others in the industry. This collective approach strengthens the overall security posture by leveraging shared knowledge and experiences. Security automation and orchestration tools are gaining prominence, allowing organizations to automate routine security tasks, streamline incident response processes, and improve overall efficiency. By automating repetitive tasks, security teams can focus on more strategic activities such as threat hunting and proactive defense.
The integration of security into the development lifecycle, known as DevSecOps, is gaining traction. This approach emphasizes embedding security practices throughout the software development process, enabling organizations to identify and address vulnerabilities early on.
Case studies:
Technical aspect of the attack of Ukraine:
The NotPetya attack was a sophisticated and devastating ransomware attack that combined various techniques and vulnerabilities to infect systems and propagate rapidly across networks. It incorporated elements from earlier cyber-attacks and leveraged known vulnerabilities, making it a more advanced version of previous techniques. The attack shared similarities with the Petya ransomware attack from 2016, both in terms of code and lateral movement techniques. Additionally, it utilized code from the open-source application Mimikatz, which was created in 2011 to expose vulnerabilities in Microsoft systems. Mimikatz allowed NotPetya to steal credentials and escalate privileges, enabling further unauthorized access. The attack originated from the compromise of M.E.Doc, a widely used software in Ukraine for tax reporting. The attackers hijacked the M.E.Doc update servers and distributed a false update patch containing their malware. When users downloaded and installed the fake update, the malware executed discreetly in the background.
The malware intercepted passwords and captured administrative privileges using credential-dumping tools like Mimikatz. It then proceeded to encrypt files on all drives of the infected computer. After completing the encryption process, the malware set a timer to reboot the system and gain full control. During the reboot, a fake error message appeared, instructing users not to turn off the computer. Once the system restarted, a ransom note demanding payment in Bitcoin was displayed, although the malware was not designed to decrypt the files even if the ransom was paid. NotPetya could move laterally within networks, behaving like a worm. It employed multiple techniques to infect other computers, including stealing network credentials, reusing existing active sessions, and exploiting SMB vulnerabilities such as those targeted by EternalBlue and EternalRomance. These vulnerabilities had previously been exploited in attacks like WannaCrypt. The combination of these techniques and vulnerabilities allowed NotPetya to infect and spread rapidly throughout networks, causing extensive damage. The attack was characterized by its destructive nature and lack of intention to decrypt files, highlighting its objective of maximizing damage rather than financial gain.
Overall, the NotPetya attack demonstrated the sophistication and devastation that can arise from combining old techniques with known vulnerabilities. Its worm-like capabilities and rapid propagation made it a highly destructive version of ransomware, emphasizing the need for robust security measures to protect against similar attacks.
Target and motivation of the attack
Hybrid warfare against Ukraine
The NotPetya attack is believed to be part of Russian hybrid warfare against Ukraine. Since Russia’s annexation of Crimea in 2014, relations between Russia and Ukraine have been cold, and there is evidence of the Russian Federation backing fighters against the Ukrainian government in Crimea. Ukraine is believed to be the main target of this cyber-attack, and several pieces of evidence point to that. Of all the infected computers, 80% were in Ukraine. Also, the M.E.Doc software used to carry out the attack is widely used in Ukraine as tax filing software. This indicates that the attack was not a ransomware campaign but was designed to cause maximum destruction and disruption in Ukraine, and that it spread unintentionally to other countries [5]. A few experts believe that the outbreak was directed against businesses and government in Ukraine, and that the attackers underestimated the spreading capabilities of the malware [4]. The attack came on the eve of a Ukrainian public holiday, Constitution Day, which means that most government and business offices were empty at the time. This seems odd for ransomware, which needs humans to see the ransom note and pay to get their files decrypted. Even odder for ransomware, the malware overwrote and destroyed important files and drives despite showing a ransom note assuring the user that they could get their files back safely and easily. This indicates that the malware wasn’t designed for monetary purposes but to cripple the Ukrainian state. The ransomware earned only 10 000 USD from users’ payments but is estimated to have caused over 10 billion USD worth of damage. The malware also had the ability to identify specific computer systems and skip infecting them, which is believed to be a sign of a more surgical goal than simply making money.
Security experts also found a backdoor in the M.E.Doc update system that is believed to have been installed as early as April 2017, over two months before the attack. The timing of the backdoor installation clearly indicates a well-planned and well-executed operation behind the NotPetya attack. Because of the large file size of the NotPetya malware, 1.5 gigabytes, it is also believed that there might be other backdoors that have not yet been found.
Data has been found showing that this is not the first attack by the same perpetrators. It is believed that either Telebots, BlackEnergy or Sandworm, all claimed to be backed by the Russian Federation, is behind this attack. Traces have led to the conclusion that whoever was behind the NotPetya attack was also behind the December 2016 attack targeting the Ukrainian financial system, and that the Petya attack was carried out by the same perpetrators. The US and UK have also claimed that Russia is behind this attack and that the Russian Main Intelligence Directorate designed NotPetya. Russia has denied all accusations, stating that Russian systems were also impacted by the attack. Despite denying responsibility, the Russian Federation also has clear interests in carrying out such an attack. In addition to paralyzing and damaging Ukraine, the attack could have served as a demonstration of Russia’s power in the cyber domain, which could be used as a deterrent against cyber-attacks planned against the Russian Federation. In this case denying the attack was merely a formality, and it intentionally left people with a strong feeling that the Russian Federation was behind it. Lastly, a point supporting the view that NotPetya was a hybrid warfare attack against Ukraine is that a Ukrainian intelligence officer responsible for special forces was assassinated on the morning of the attack; he was killed by a car bomb in Kiev.
Alternative theory
As no concrete evidence has been found tying the Russian Federation or a particular hacker group to the attack, it has been proposed that the attack was simply ransomware with monetary goals. On this view, the fault lies with Intellect Service, the company behind the M.E.Doc accounting software. They had been warned multiple times about the lax security of their servers. The company dismissed these warnings and consequently made it possible to infect computers through their servers.
Effects of the attack
The NotPetya attack has been called the most destructive and costly cyber-attack in history up to that date. What started in Ukraine spread for five days around the world, infecting computers in the USA, Europe and Asia, before the actual attack was launched, crippling more than 200 000 computers worldwide. The estimated damage of the whole attack is more than 10 billion USD [13]. To put the attack in scale, the WannaCry attack, just a month before NotPetya, spread worldwide and is estimated to have caused damage of 4 to 8 billion USD.
Ukraine
As Ukraine was the main target of the attack, it was hit the hardest. The National Police of Ukraine was contacted by 1 500 legal entities and individuals reporting that they had been affected by the attack. More than 300 companies were hit, and 10 % of all computers in Ukraine were estimated to be infected. Vital functions of society seemed to be the primary targets of the attack. “The government was dead”, said the Ukrainian minister of infrastructure [16]. Multiple ministries, the central bank, the state postal service and electricity companies were infected, and their computers went offline. The electricity companies, though, managed to continue full operations without computers. One of the biggest banks in Ukraine, Oshchadbank, had to close all of its more than 3 000 physical branches and did not regain full functionality until 3 July, almost a week after the attack. Over 90 % of its computers were infected by the malware. Because of the hit on the central bank and most banks in Ukraine, all ATMs were down for the day and no withdrawals could be made. The metro system was also partially down because card payments did not work, but it still managed to keep traffic going. Most facilities and companies that were infected could not use their computers or smartphones, which meant that many of them resorted to pen and paper as a backup. The Chernobyl nuclear plant reported that it had to monitor radiation levels manually, a task ordinarily done by computers. The health ministry said that the attack took them back 30 years. The ministry centrally monitors drugs and coordinates their reallocation to hospitals in need. This everyday task is usually done with one email to all 24 regions, but now they had to phone each of the 24 regions to reallocate a single shipment.
Rest of the world
Although 80% of the infected computers were in Ukraine, the attack was still a global incident. Most of the affected companies outside Ukraine had branches in Ukraine, which gave the malware a stepping stone to spread beyond Ukrainian borders. There were also a few cases of companies that used the M.E.Doc software outside Ukraine and were hit by the attack. There are reports that over a dozen countries, including Spain, India, Russia, Israel, Germany, the US and the UK, were infected by the malware [15]. Maersk, the world’s largest shipping conglomerate, based in Copenhagen, Denmark, represents close to a fifth of the entire world’s shipping capacity and was one of the major victims of the attack. Maersk had installed the M.E.Doc software on a single computer in a single port, but that was enough for the malware to spread through the whole company. 17 of Maersk’s 76 terminals had to be shut down, which meant that tens of thousands of trucks were turned away at the gates. Luckily the ships’ computers were not infected, but without terminal software they were hampered in doing their job. It took Maersk almost two weeks to get its IT infrastructure back up and running, and it reported over 300 million USD in lost revenue [16]. Other big non-Ukrainian companies that were hit were the pharmaceutical giant Merck, FedEx’s European operator TNT Express, the French construction company Saint-Gobain, the food producer Mondelez and the manufacturer Reckitt Benckiser. All of these companies reported nine-figure costs because of the attack. Even the Russian state oil company Rosneft was hit by NotPetya.
Responses to the attack
As mentioned previously, the effect of the attack was large and widespread, affecting many companies and causing financial damage worth billions of dollars. It is therefore appropriate to examine how different actors responded when they noticed they were under attack. We will go through the reactions we found in our research from the Ukrainian government, Maersk and Microsoft.
Ukrainian government
Shortly after the cyber-attack the Ukrainian government issued a statement acknowledging that state institutions, financial institutions, power, private and transport sectors had all been affected. They were quick to place the blame on Russia without having any concrete evidence. In their statement they said that the attack was a “task-oriented destabilization of social and political situation in the country” and that “the virus is a cover of large-scale attack, oriented against Ukraine”. The Russians were quick to dismiss these allegations. Additionally, the Ukrainians mentioned suspicions against North Korea, but these were quickly dismissed as irrelevant. Later the government ordered the M.E.Doc update servers to be seized by the police, hoping this would stop the further spread of the virus. They had been able to prove that one of the employees’ computers showed malicious activity. The Security Service of Ukraine also “published updated guidelines on protection of computers from virus-extorter attack” [10, 11]. It is also noteworthy that the United States and Britain formally blamed Russia for the attack.
Maersk
On June 27, 2017, people holding their laptops started to gather around the Maersk IT help desk. The screens showed red and black text instructing the owner not to turn off the computer because the file system was being repaired. Other people’s computers were already fully infected and displayed the text “oops, your important files are encrypted”. Suddenly all the computers in the office started to go black in quick succession. Panic ensued and employees began advising others to keep their computers turned off. After two hours Maersk’s whole global network was shut down. All employees were now advised to shut down their computers and leave them at their desks along with their now useless digital phones. Most employees simply left their stations, being unable to do anything else. The company continued operations without IT tools and managed to rebuild its IT infrastructure in 10 days. Finally, through what they described as the whole company coming together, they were able to recover. Lewis Woodcock, head of cybersecurity compliance, commented that NotPetya served as a wake-up call and emphasized that a data recovery plan must always be in place. So it seems that in this company’s case, although millions of dollars were lost, they learned from their mistake and realized that even if you are not the target of a cyber-attack, you can still be a victim.
Microsoft
In response to the NotPetya attack in Ukraine and considering Microsoft’s role as a major software provider, there are several actions that Microsoft could have taken or should consider taking to enhance security and mitigate similar attacks in the future:
i. Patch Management: Microsoft should prioritize timely and regular security patches and updates to address known vulnerabilities. This includes promptly releasing patches for critical vulnerabilities, especially those that have been actively exploited in previous attacks.
ii. Vulnerability Management: Microsoft should invest in robust vulnerability management processes, which involve comprehensive identification, assessment, and remediation of security vulnerabilities in their software. This can help prevent attackers from exploiting weaknesses in their products.
iii. Security Audits and Code Reviews: Conducting regular security audits and code reviews can help identify and address potential security vulnerabilities within Microsoft’s software. This proactive approach allows for the early detection and mitigation of security flaws.
iv. Security Awareness and Education: Microsoft should continue to educate users and administrators about the importance of security practices, such as maintaining strong passwords, enabling multi-factor authentication, and being cautious of suspicious emails or links. This can help prevent social engineering attacks that are often used to distribute malware.
v. Collaboration with Security Researchers: Microsoft should foster strong relationships with the security research community, encouraging responsible disclosure of vulnerabilities. Collaboration can lead to faster identification and resolution of security issues, strengthening the overall security posture of Microsoft’s products.
vi. Enhanced Default Security Configurations: Microsoft can enhance default security configurations in their software to ensure that users have a strong baseline level of security. This may include enabling certain security features by default, enforcing secure settings, and providing clear guidance on security best practices.
vii. Incident Response and Support: In the event of a security incident, Microsoft should provide swift and effective incident response support to affected organizations and individuals. This includes timely communication, guidance on mitigation measures, and assistance in recovering from attacks.
What should have been done?
What was particularly unfortunate in this attack was the fact that the exploits used to spread the malware were already known to the cyber security community. Additionally, Petya, a separate but very similar attack, had only recently been dealt with and was fresh in people’s minds. It is therefore odd that better measures were not taken to prevent these types of attacks from happening. In this chapter we discuss what should have been done before, during and after the attack.
Before attack
Before the initial spread of NotPetya there was a similar Petya malware attack. This malware, like NotPetya, encrypted the file system and requested a ransom in the form of bitcoins. Seemingly very little action was taken to prevent this type of attack from happening again. Additionally, the M.E.Doc update servers had previously been breached to spread a different kind of attack, and yet NotPetya still happened on the scale that it did. Not only had there been a similar malware attack before NotPetya, but the same backdoor breach of the M.E.Doc update servers had also been used previously by other assailants. The backdoor exploit was used not once but three times and was left without an update since 2013, an extremely irresponsible lack of action by Intellect Service.6 First, fully securing and auditing the update servers should have been the topmost priority after the very first backdoor breach. Secondly, the Petya Microsoft patch had been available since March 2017. This patch fixes the SMB flaw exploited by EternalBlue, which NotPetya was using to spread inside networks. Lastly, companies should have been using the most recent operating systems. Most of the infected computers had been running an older version of Windows, while Windows 10 was fully capable of deflecting this attack.
During the attack
The initial reaction during the attack was to keep computers offline, a reasonable and correct response in such a situation. First, the user could have checked for a file called “rundll32.exe” running in Task Manager. If this executable existed, it meant that the computer was infected by the malware and would, upon restart, encrypt all of its data. So computers should be kept offline and on hold until the user gets more detailed information on what is happening and how to stop it. Interestingly, some sites were saved completely from the attack due to power outages. Security experts were then able to get their hands on computers that were already infected but not yet activated and were able to research the virus that way. Companies should then have informed local authorities and worked together with them to prevent further damage. Going into even more detail, there was also a possibility to ‘trick’ the malware into thinking it was already installed on the computer. The user could create a read-only file called perfc and place it in the Windows directory. This is the file that the malware looks for when it first runs, and if the file is found the malware kills itself.
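The two host-level steps described above (look for a running rundll32.exe, and place a read-only perfc file in the Windows directory) can be scripted so that an administrator can run them consistently across machines. The following PowerShell is an added example written for this chapter; it is not code from the case study or from any of the vendors it mentions. It assumes a Windows host and an elevated prompt (creating a file under the Windows directory requires administrator rights). One caveat the chapter does not state: rundll32.exe is a legitimate Windows binary that is frequently running on a healthy system, so the check below reports the process's command line (which shows the DLL it was asked to load) rather than treating the mere presence of the process as proof of infection.

```powershell
# Added example for the NotPetya case study, not code from the original text.
# Assumes: Windows host, run from an elevated (administrator) PowerShell.

function Get-Rundll32Activity {
    # The chapter's indicator: a rundll32.exe process visible in Task Manager.
    # Caveat: rundll32.exe is a legitimate Windows binary, so this only lists
    # the running instances with their command lines for an analyst to review;
    # it is a trigger for investigation, not proof of infection on its own.
    $query = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'"
    foreach ($p in $query) {
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            ParentId    = $p.ParentProcessId
            CommandLine = $p.CommandLine   # shows which DLL rundll32 was asked to load
        }
    }
}

function New-PerfcVaccine {
    # Create the read-only file named "perfc" in the Windows directory that the
    # chapter says the malware looks for on first run, exiting if it is present.
    # $WindowsDir defaults to the real Windows directory ($env:windir).
    param([string]$WindowsDir = $env:windir)

    $path = Join-Path -Path $WindowsDir -ChildPath 'perfc'
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
    }
    # Mark the file read-only, as the chapter specifies.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    return (Get-Item -LiteralPath $path).IsReadOnly
}

# --- usage ---
$activity = @(Get-Rundll32Activity)
if ($activity.Count -gt 0) {
    Write-Warning "rundll32.exe is running ($($activity.Count) instance(s)). Review the command lines below, keep this host disconnected from the network, and do NOT reboot it until it has been examined."
    $activity | Format-Table -AutoSize
} else {
    Write-Output 'No rundll32.exe process found.'
}

if (New-PerfcVaccine) {
    Write-Output "Read-only perfc file is in place under $env:windir."
}
```

The "do not reboot" advice in the script mirrors the chapter's point that the encryption is triggered on restart: a machine that is infected but not yet rebooted can still be imaged and examined, which is exactly how researchers obtained samples from sites that lost power during the outbreak.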
After the attack
The actions that should be taken after the attack are similar to the ones that should have been taken before it: secure the update servers, update company computers with the latest patches and start briefing employees. It is extremely important that as many people as possible are “cyber aware”, meaning that they should be able to identify suspicious emails and know the best practices for deterring digital threats. Most importantly, companies should back up their data so that, in case of a breach, they can at least partially recover. Companies should also use reputable security suites that systematically check their file systems for malicious files.
THE COST OF NOTPETYA
In 2017, the malware NotPetya spread from the servers of an unassuming Ukrainian software firm to some of the largest businesses worldwide, paralyzing their operations. Here’s a list of the approximate damage reported by some of the worm’s biggest victims.
$870,000,000 – Pharmaceutical company Merck
$400,000,000 – Delivery company FedEx (through European subsidiary TNT Express)
$384,000,000 – French construction company Saint-Gobain
$300,000,000 – Danish shipping company Maersk
$188,000,000 – Snack company Mondelez (parent company of Nabisco and Cadbury)
$129,000,000 – British manufacturer Reckitt Benckiser (owner of Lysol and Durex condoms)
$10,000,000,000 – Total damages from NotPetya, as estimated by the White House
Conclusion:
The NotPetya cyberattack was a watershed moment in the realm of cybersecurity, leaving a lasting impact on organizations across the globe. Its destructive nature and widespread disruption exposed vulnerabilities in critical infrastructure, emphasizing the need for enhanced cybersecurity measures and preparedness in an increasingly interconnected and digital world.
This case study has delved into the origins and methodology of the NotPetya attack, highlighting its global reach and the industries it targeted. The financial losses and operational disruptions experienced by affected organizations underscored the need for proactive cybersecurity practices, including timely patch management, robust network segmentation, and multifactor authentication.
Furthermore, the case study emphasized the importance of regular data backups, employee awareness and training, and well-defined incident response planning. Collaboration and information sharing among organizations, industry sectors, and government entities emerged as crucial factors in combating evolving cyber threats.
The NotPetya cyberattack served as a wake-up call for organizations, prompting them to reassess their cybersecurity strategies and adopt preventive measures to mitigate the impact of similar sophisticated threats. By implementing the lessons learned from the NotPetya case study, organizations can bolster their resilience, protect critical systems and data, and maintain trust among their clients, stakeholders, and the general public.
In conclusion, the NotPetya case study serves as a reminder of the evolving threat landscape and the constant need for vigilance in the face of cyberattacks. It provides valuable insights into the consequences of inadequate cybersecurity practices and the importance of proactive measures to safeguard against sophisticated threats. By embracing the preventive strategies outlined in this case study, organizations can better prepare themselves to defend against and mitigate the impact of future cyber incidents.