‘NotPetya’ ransomware attack spreading rapidly to organisations across the globe

On the same day the Business Continuity Institute (BCI) launched its latest Cyber Resilience Report, the importance of ensuring that organisations are prepared for a cyber security incident has once again been demonstrated as a new ransomware attack is causing turmoil across the world.

The attack, dubbed ‘NotPetya’ due to its similarities with a previous virus called ‘Petya’, has resulted in organisations worldwide having their data encrypted, with a demand made for the equivalent of about $300 to be paid in Bitcoin in order that files are released.

‘NotPetya’ uses the same exploit that allowed WannaCry to spread so rapidly, but is thought to have found additional ways in which to infect new systems. It’s not yet known how computers originally became infected, but it doesn’t appear to be via e-mail.

This particular attack was first reported in the Ukraine where the State’s power company and Kiev’s main airport were both affected, but it has now spread to many other countries including the UK, the US, France, Russia and India.

Jean-Frederic Karcher, head of security at Maintel, commented: “This attack is further proof of the rise of ransomware. Ransomware has increased three-fold from 2015 at 1,000 attacks per day to 4,000 attacks per day in 2017, and shows no signs of slowing down. It will be one of the Top Three malicious softwares to watch out for in the coming year and impact sectors and society. The right security measures, including threat detection, must be put into place to ensure that businesses, their employees and customers are kept safe.”

Karcher added: “The proliferation of ransomware comes as a direct result of its high monetary return on investment. With more valuable information readily available on the web, hackers are using this as a means to steal, lock out users and then ‘ransomware’ back access, all with the goal of a sizeable pay packet at the end. The main reason huge companies are targeted is because they have vast amounts of data at their disposal. Hackers can sell large batches of this personal data for profit on the black market.”

Graham Rymer, research associate at the University of Cambridge and one of the founders of the successful Cambridge2Cambridge cyber competition, told Risk UK: “Unfortunately, these types of ransomware attacks are inevitable. Businesses and organisations should always have a plan in place in terms of how to respond to these attacks quickly and efficiently to contain the situation. Firms need to take action such as quickly switching all drives in the system to ‘Read Only’ following an attack, which essentially prevents the malware from doing real damage. Signature-based malware detection is only effective against known malware. The attacker will always win on the first roll of the dice, but once more information about the ransomware is known and has been shared with cyber security experts and companies, they should be able to build a patch which defends against a specific attack.”

Charl van der Walt, SecureData’s chief strategy officer, observed: “We’ve been tracking what appears to be a variant of the ‘Petya’ malware that has hit numerous targets in the Ukraine, Russia, Norway and Denmark, as well as the UK and the US. Very little is clear at this point, and even the origin of the variant is still under discussion. Also unclear, but increasingly probable, is that the ransomware is spreading worm-like across networks using similar techniques to WannaCry, which caused serious disruptions just a few weeks ago. It does seem apparent that this strain is more ‘destructive’ than WannaCry in that it affects fundamental operating system components impacting a given machine’s ability to boot and run, rather than just the individual files on the system.”

He continued: “End users should be cautious not to be caught up in the hyperbole. Although these worm-like ransomware variants are a relatively new phenomenon, they still consist of very well-known components, namely network worms and ransomware. In this sense, the response to this kind of threat is already well understood. It involves patching machines, running anti-virus, segmenting networks and keeping current back-ups. Achieving maturity in these core disciplines should be our focus, not chasing after the drama of each new variant.”

Jonathan Bensen, regional spokesperson for Centrify, informed Risk UK: “Merck, one of the first US companies to be hit by the attack, saw its stock decline by 0.6% after news of its breach. The long-term impact could be greater. In fact, a recent Ponemon Institute study found that a company’s stock price drops by an average of 5% on the day a breach is exposed. Either way, WannaCry and ‘Petya’/‘NotPetya’ show hackers there’s a relatively easy way in which to access corporate networks. Since both attacks leveraged exploits, new attacks exploiting excess privilege and password capturing, etc. are easy. Data breaches are a very real business with bottom line concerns.”

Minimising the impact

Business continuity can be key to minimising the impact of such an attack and make a real difference during any kind of emergency, crisis or disruption. It’s what makes an organisation resilient and ready to respond and carry on, even amid difficult circumstances. Yet business continuity cannot be improvised. It requires specialised and trained staff as well as the support of everyone within an organisation.

Having specialised and well-trained business continuity staff with the ability and resources to develop, implement and maintain a business continuity plan will help organisations in identifying the risks they face and pinpointing those key operational areas that need to be prioritised during a crisis.

“We need to learn from these experiences,” said David Thorp, executive director at the BCI. “It’s clear that the cyber threat isn’t going away any time soon, so organisations must do more to make sure they can respond to them effectively and prevent them from becoming a crisis.”

With phishing and social engineering maintaining their position as the top driver of cyber disruptions, there’s a need for a stronger cyber resilience culture across today’s organisations and a focus on the human aspects of the threat.

This is one of the key findings of the aforementioned Cyber Resilience Report, just published by the BCI in collaboration with Sungard Availability Services, a leading provider of information availability through managed IT, cloud and recovery services.

The Cyber Resilience Report finds that nearly two-thirds of respondents (64%) to the global survey had experienced at least one cyber disruption during the previous 12 months, while almost one-in-six (15%) had experienced at least ten. Of those who had experienced a cyber disruption, over half (57%) revealed that phishing or social engineering had been one of the causes, demonstrating the need for end users to be better educated about the threat and the role they can play in helping to prevent an incident occurring.

The comprehensive study also found that:

* one third of respondents (33%) suffered disruptions totalling more than €50,000, while more than one-in-ten (13%) experienced losses in excess of €250,000

* one-in-six respondents (16%) reported a single incident resulting in losses of more than €50,000

* one-in-five (18%) of those respondents working for an SME reported cumulative losses of more than €50,000 (these are significant losses considering that 40% of SMEs involved in this study reported an annual turnover of less than €1 million)

* phishing and social engineering are the top causes of cyber disruption, with over half of those who experienced a disruption (57%) citing such occurrences

* 87% of respondents reported having business continuity arrangements in place to respond to cyber incidents, indicating that it’s now widely accepted as playing a key role in helping to build cyber resilience

* 67% of respondents stated that their organisation takes over one hour to respond to a cyber incident, while 16% suggested that it can take over four hours

Top management commitment

The number of respondents reporting top management commitment to implementing the right solutions designed to mitigate the cyber threat increased to 60% in this latest study. This is likely to be due to a number of factors such as the intense media coverage of cyber security incidents and the impending European Union General Data Protection Regulation, which is due to come into force in less than a year and will have a substantial impact on any organisation that holds data on EU citizens.

“Co-operation is key to building cyber and organisational resilience,” outlined David Thorp. “Different disciplines such as business continuity, information security and risk management need to come together, share intelligence and start speaking the same language if they want to build a safer future for themselves and our communities.”

Keith Tilley, European vice-president and vice-chairman at Sungard Availability Services, added: “Brexit and the pending General Data Protection Regulation have thrown up even more questions about data laws and compliance. That being so, data sovereignty is a focus. Companies need to demonstrate an holistic understanding of where their data is hosted, where it’s backed up, moved to and recovered, as well as who can see it along the way. The fact that data laws are constantly subject to change, with both region and country-specific regulation, means this is something of a headache for large organisations. Establishing how to meet these regulations, as well as global needs, will be vital, as indeed will the ability to handle data access, residency, integrity and security.”

Consumer awareness on the increase

Despite ransomware having been around for many years, with several high-profile organisations suffering the consequences of such an attack, 57% of respondents to a survey carried out by Carbon Black said that WannaCry was their first exposure to how ransomware works.

The Ransom-Aware Report notes that, while it’s never a good thing when 150 countries are simultaneously affected by a cyber attack, the resulting increased awareness will only serve to engender positive action.

Ransomware is certainly nothing new, but consumers are increasingly turning to organisations with questions about how they’re protecting sensitive data. In turn, organisations are putting more effort into improving cyber security in order to protect data and remain operational in the event of an attack episode.

For many consumers, losing trust in an organisation could result in them taking their custom elsewhere. When presented with the statement: ‘I would consider leaving my current financial institution/healthcare provider/retailer if my sensitive information was taken hostage by ransomware,’ the study found that 72% of consumers said they would consider leaving their financial institution, 68% of consumers said they would think about leaving their healthcare provider and 70% of consumers said they would indeed consider abandoning their chosen retailer.

When respondents were asked if they would personally be willing to pay ransom money if their own computer and files were encrypted by ransomware, it was close to a dead heat with 52% of respondents saying they would pay and 48% saying they wouldn’t. Of the 52% who said they would pay, 12% stated they would pay $500 or more, 29% said they would pay between $100 and $500 and 59% explained that they would pay less than $100 to access their data.

“Sustained and determined” cyber attack on UK Parliament

Building Resilience by Improving Cyber Security, published by the BCI during Business Continuity Awareness Week 2017, revealed that users are often choosing weak passwords and so leaving their IT networks vulnerable. Such vulnerability has now been exposed at the UK Houses of Parliament. Last weekend, Parliament experienced what was described as a “sustained and determined” cyber attack that forced remote access to be restricted for members of both Houses, as well as their aides.

A senior spokesperson for Parliament commented: “We’ve discovered unauthorised attempts to access the accounts of Parliamentary network users and are investigating this ongoing incident, working closely with the National Cyber Security Centre all the while. Parliament has robust measures in place to protect all of our accounts and systems, and we’re taking the necessary steps to protect and secure our network.”

It was reported that the attack, which began last Friday, was specifically trying to identify weak passwords and gain access to users’ e-mail accounts. Ultimately, this tactic was successful with less than 1% of accounts, but that still amounts to around 90 individuals and, potentially at least, could result in sensitive data being exposed.

International Trade Secretary Liam Fox said: “We have seen reports in the last few days of even Cabinet ministers’ passwords being made for sale online. We know that our public services are attacked so it’s not at all surprising there should be an attempt to hack into Parliamentary e-mails. It’s a warning to everybody, whether in Parliament or elsewhere, that they need to do everything possible to maintain their own cyber security.”

While the restriction of remote access seems to have abruptly and effectively ended the attack, the cyber episode left many Parliamentarians and their staff without access to their e-mails over the weekend, a time when many of them attempt to catch up with important constituency work.

The report published by the BCI highlights several ways in which users can take responsibility for helping to improve cyber security, including the use of strong passwords that cannot easily be hacked or guessed. By doing so, it means that everyone can play their part in building a resilient organisation.

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting.

In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector.

In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award.

An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award.

Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site.

Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media.

Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014.
