5 years after NotPetya: Lessons learned

On June 27, 2017, the eve of Ukraine’s Constitution Day holiday, a major global cyber attack was launched, infecting more than 80 companies in Ukraine using a new cyber pathogen that became known as NotPetya. NotPetya did not stay within the borders of Ukraine, but instead spread to infect and wreak havoc on thousands of organizations across Europe and around the world.

NotPetya was so named because it was similar to, but different from, Petya, a self-propagating ransomware strain discovered in 2016 that, unlike other emerging forms of ransomware at the time, could not be cracked. In another departure from previous forms of ransomware, Petya also overwrote and encrypted master boot records and was therefore considered more a form of wiper malware than bona fide ransomware.

Fake ransomware that spread easily

Like Petya, its successor NotPetya was not real ransomware: its encryption could not be reversed, and the attackers hid behind a fake $300 ransom demand to cover what turned out to be their real, destructive purpose. NotPetya emerged five weeks after WannaCry, another dangerous piece of fake ransomware. Considered a true “cyber weapon”, NotPetya shared with WannaCry the use of EternalBlue, an exploit developed by the US National Security Agency (NSA) and later stolen from it.

Using EternalBlue, NotPetya took advantage of a vulnerability in the Windows Server Message Block (SMB) protocol, a flaw that Microsoft had patched months earlier in Windows 10. However, all it took for the malware to spread was a single unpatched Windows 10 computer, or a PC running an older version of Windows, within an organization. Working in conjunction with EternalBlue was another powerful tool, an older security research tool called Mimikatz that could extract passwords from memory. Together, the two tools allowed the attack to move from one machine to another: where the SMB exploit failed against a patched host, credentials harvested from an already-infected host could still open the door.

Highly contagious malware from the Russian GRU

Although some experts considered NotPetya a variant of Petya, the two pieces of malware are generally considered separate and distinct, particularly in how they spread. NotPetya was far more contagious than Petya, with seemingly no way to prevent it from spreading rapidly from host to host.

As journalist Andy Greenberg, who has documented NotPetya extensively, reported, NotPetya crippled shipping giant Maersk, pharmaceutical company Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz and manufacturer Reckitt Benckiser. In total, the malware caused more than $10 billion in global damage. The source of NotPetya was a group of Russian GRU operatives known as Sandworm or Unit 74455, which is believed to be behind a 2015 cyberattack on the Ukrainian power grid, among other damaging cyber incidents.

CSO asked two experts who dealt with the NotPetya fallout five years ago how they see the 2017 cyberattack in retrospect and what corollaries it might have for Russia’s current war against Ukraine.

Ransomware as a weapon of war

Amit Serper, who was a principal security researcher at Cybereason when NotPetya hit and is now the director of security research at Sternum, was the first person to develop a fix that disabled NotPetya. Serper tells CSO that looking back, “ransomware was starting to become more prevalent. Ransomware was mainly targeting ordinary people. It wasn’t targeting big companies or corporations like it is today. So we would hear how some ordinary Joe or Jane got their entire machine encrypted. I remember examples of older people losing access to photos of their grandkids and that sort of thing.”

After the impact of WannaCry and NotPetya, ransomware went from being something used opportunistically by cybercriminals, as an “auto exploit,” says Serper, to “almost a weapon of war where nation-state actors would use the ransomware as a tool to keep other large and significant organizations and countries from working. So NotPetya and WannaCry were a defining moment back then.”

Both viruses made the world more complicated. Cybersecurity vendors had hitherto focused on abstract theoretical security problems, Serper says, but suddenly had to deal with the profound misuse of simple technologies like encryption and decryption for geopolitical leverage.

“We needed to get down to earth a little bit and fix that problem before we looked at threats that were completely theoretical or more theoretical and harder to implement. It’s no longer about hacking Coca-Cola and stealing the secret recipe. It’s about a company like Coca-Cola finding itself in the middle of an international geopolitical skirmish and having its stuff rendered completely useless as this kind of collateral damage.”

On a personal level, NotPetya marked a major turning point in Serper’s life. “It affected my life in a very, very direct way. It’s the reason I got my green card to live in the US.”

Serper’s attorney built his application for the so-called Einstein visa primarily around NotPetya. “I don’t have a high school diploma. I don’t have an academic degree. So it was very difficult to prove that I knew what I was talking about. A big part of our immigration case was my contribution to preventing NotPetya. It worked, and it worked during the previous administration, where immigrants weren’t really a thing of interest,” says Serper.

NotPetya changed the consciousness of CISOs

Adam Flatley is currently the Director of Threat Intelligence at an unidentified company, but he was the COO of Cisco Talos during NotPetya, when his team was one of the first to discover the event. “I think the NotPetya event has changed the consciousness of many CISOs and CSOs around the world,” he tells CSO.

NotPetya taught CISOs what could happen if they don’t properly segment their networks. “If you look at what happened with NotPetya, you see that the [malware] had an unrestricted propagation mechanism that would go as far as possible,” says Flatley. “When it was unleashed in Ukraine, all these companies that had network connections in Ukraine with flat networks were decimated by that attack.”
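To make concrete why one unpatched host plus reused credentials defeats a flat network, and why the segmentation Flatley describes bounds the damage, here is an added illustration (not code from the article or from either expert): a small blast-radius model. The host names, segments, credential names and link sets are constructed; “patched” refers to the SMB flaw the article describes.

```python
"""Blast-radius model for a NotPetya-style worm on a corporate network.

Added illustration, not code from the article; inventory below is constructed.
A host becomes infected if some already-infected host can reach its segment AND
either the target is unpatched against the SMB flaw (exploit path) or the pool
of credentials harvested from infected hosts' memory contains one the target
accepts (stolen-credential path).
"""

def segments_linked(a, b, links):
    """Two segments can exchange SMB traffic if equal or explicitly linked."""
    return a == b or frozenset((a, b)) in links

def blast_radius(hosts, links, start):
    """Return the sorted list of hosts infected from `start` (fixpoint search)."""
    infected = {start}
    cred_pool = set(hosts[start]["creds"])      # what the worm has dumped so far
    changed = True
    while changed:
        changed = False
        for name, h in hosts.items():
            if name in infected:
                continue
            reachable = any(segments_linked(hosts[i]["segment"], h["segment"], links)
                            for i in infected)
            if not reachable:
                continue                         # segmentation blocks lateral traffic
            if not h["patched"] or cred_pool & h["accepts"]:
                infected.add(name)
                cred_pool |= h["creds"]          # harvest this host's cached creds
                changed = True
    return sorted(infected)

# Constructed inventory: one unpatched PC in a Ukrainian office, a patched PC that
# caches a domain-admin credential, two HQ servers and a finance database.
HOSTS = {
    "ua-pc1":  {"segment": "ua-office", "patched": False, "creds": {"ua_admin"},     "accepts": {"ua_admin"}},
    "ua-pc2":  {"segment": "ua-office", "patched": True,  "creds": {"domain_admin"}, "accepts": {"ua_admin"}},
    "hq-srv1": {"segment": "hq",        "patched": True,  "creds": set(),            "accepts": {"domain_admin"}},
    "hq-srv2": {"segment": "hq",        "patched": False, "creds": set(),            "accepts": {"hq_local"}},
    "fin-db":  {"segment": "finance",   "patched": True,  "creds": set(),            "accepts": {"domain_admin"}},
}
FLAT = {frozenset(p) for p in [("ua-office", "hq"), ("hq", "finance"), ("ua-office", "finance")]}
SEGMENTED = {frozenset(("ua-office", "hq"))}   # office reaches HQ, finance isolated
ISOLATED = set()                                # no cross-segment SMB at all

if __name__ == "__main__":
    for label, links in (("flat", FLAT), ("segmented", SEGMENTED), ("isolated", ISOLATED)):
        print(f"{label:10s} -> {blast_radius(HOSTS, links, 'ua-pc1')}")
```

On the flat network every host falls, even the patched ones, because the domain-admin credential cached on the second office PC carries the worm onward; cutting the office off from finance, or from everything, shrinks the result accordingly.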

The current conflict in Ukraine evokes for Flatley what happened with NotPetya. “When the war was starting, there was a lot of talk about how the Russians would use ransomware or wipers to attack Ukraine. That immediately triggered the memory of what happened last time. Then when the war started later, there was a lot of evidence of the use of wipers in Ukraine,” he says. “Again, the fear was that it would spread outside the country. Luckily, until now [the Russians] have been using very conservative settings on their wipers.”

However, Flatley says that the prospect of a NotPetya-type event emanating from the current conflict is still very real. “It’s interesting that the Russians are being a little more careful this time around with their cyberattacks, but that’s only limited by their desire to be careful. The technology is still there, so they can easily change the settings and drop it if they want to.”

Copyright © 2022 IDG Communications, Inc.