Past to Present – Lessons From the NotPetya Ransomware

And how they are still relevant today.

On a warm, sunny day in July 2017, one of the world’s most catastrophic and rampant demonstrations of ransomware began. Commonly referred to as NotPetya, the infection was released from a compromised software company located in Ukraine and quickly spread across the world. The outbreak impacted companies such as DHL, Mondelez International, and Maersk – just to name a few.

And it ultimately resulted in an estimated $10 billion of damage.

If you’re unfamiliar with the complete story, I recommend reading this fascinating Wired article that discusses it in depth. One would think that an event of the magnitude of NotPetya would be a harsh lesson for organizations across the globe, and that they would not repeat the mistakes that enabled it.

Unfortunately, the conditions that led to the outbreak are all still present today. Let’s take a look at what led to a successful infection and what your organization can do to prepare for the next outbreak.

Repeated Shortcomings

It would be impossible to talk about NotPetya without mentioning EternalBlue, an exploit for a critical zero-day vulnerability thought to have been developed by the NSA. We don’t need to delve into the technicalities of how the zero-day works; one can simply think of it as a giant window for an attacker to leap through.

Back in 2017, Microsoft released patches for the vulnerability in March, just two months before it was utilized in the WannaCry ransomware attack, and four months before the NotPetya attacks.

Conditions for another outbreak are present in the current Windows-dominated landscape. Another zero-day vulnerability, this time in Windows’ Remote Desktop Protocol (RDP), has been discovered and labeled BlueKeep. On top of all of this, security researchers have already detected its mass use in the wild.

Attackers commonly chain exploits together to gain initial access to networks and then successively infect the entire infrastructure. BlueKeep is simply another avenue through which this can occur.

It’s reasonable to think that the next ransomware outbreak will chain together BlueKeep, EternalBlue, and other system-level exploits to propagate through an environment. All of it can stem from one employee opening a malicious email attachment or accidentally running one malicious file.

Fight Back

Now that we’re aware of the gloomy context behind the current state of affairs, how can you fight for the technical security of your organization?

Patch Management

NotPetya had one common mitigation that would have deterred the first step of the outbreak: regular patching through a patch management program. As mentioned earlier, organizations had a very limited window to update their systems before the first outbreak, meaning that critical patches such as the one addressing EternalBlue should have been given the utmost priority.

This means pausing current projects to address security concerns, dedicating resources to ensure the success of patching, and validating that assets are not overlooked through a vulnerability management program.

Worried about what’s currently on the horizon with BlueKeep? Microsoft has released a security advisory with recommended mitigations and downloadable updates. Applying these patches to systems may take a lot of effort depending on your environment, but the time spent patching (and the associated cost) will be far less than the time spent recovering from a ransomware infection.
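The validation step above is easy to skip, so here is an added example (not from the original post) of a per-host audit for the two exposures this article discusses: SMBv1 still enabled (the EternalBlue surface), RDP reachable without Network Level Authentication (the BlueKeep mitigation Microsoft recommends), and the baseline updates actually installed. It assumes local administrator rights, PowerShell 5.1 on Windows 8/Server 2012 or later, and that you replace the placeholder `$RequiredKBs` values with the update identifiers for your own operating systems.

```powershell
# Added example, not part of the original article. Run as a local administrator.
# Placeholder KB identifiers: substitute the ones from your patch baseline for each OS.
$RequiredKBs = @('KB<EternalBlue-update-for-this-OS>', 'KB<BlueKeep-update-for-this-OS>')

function Get-OutbreakExposure {
    $findings = @()

    # EternalBlue surface: SMBv1 still enabled on the server side.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 is enabled; disable it with Set-SmbServerConfiguration -EnableSMB1Protocol $false'
    }

    # BlueKeep surface: RDP enabled but Network Level Authentication not required.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    $nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication
    if ($rdpEnabled -and $nla -ne 1) {
        $findings += 'RDP is enabled without NLA; require NLA, or disable RDP where it is not needed'
    }

    # Patch validation: confirm the baseline updates are really installed on this host.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $RequiredKBs) {
        if ($installed -notcontains $kb) {
            $findings += "Missing update $kb"
        }
    }

    [PSCustomObject]@{
        Computer = $env:COMPUTERNAME
        Exposed  = ($findings.Count -gt 0)
        Findings = $findings
    }
}

Get-OutbreakExposure | Format-List
```

Until the placeholder KB values are replaced they will always be reported as missing; once set, the same function can be run fleet-wide with `Invoke-Command -ComputerName` to catch the overlooked assets a vulnerability management program is meant to find.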

Vendor Management

When thinking about overall organizational risk, the Ukrainian software company that was used to propel the infection raises some immediate concerns. This vendor served as a malignant tunnel through which ransomware could be passed to its customers. How can you protect yourself when you can’t even trust the software you use?

Vendor risk management programs aim to answer this question. It’s vital for a business to assess the security of its third-party vendors as extensions of itself. This can be performed by requiring vendors to comply with security frameworks such as ISO 27001, or by reaching out to individual vendors for a security assessment.

This may sound tedious, but let’s think about the importance of this effort.

In many cases, businesses have little to no idea what vendors and software are in their environments. Documenting and discovering this information could be the difference between avoiding a breach and dealing with a complete compromise.

Let’s talk

Curious about your organization’s technical security strengths? Anxious about potentially undiscovered weaknesses? Penetration testing might be the solution you’re looking for. Contact us here.
