NotPetya five years on: the cyber security lessons learned by organisations
On the 27th June 2017, the NotPetya attack caused over $10 billion in damages to enterprises worldwide. Five years on, we consider the lessons learned since
While initially thought to be ransomware, with a message demanding $300 worth of Bitcoin being sent to victims, these “ransoms” were found to be disingenuous, with no actual decryption-for-payment opportunity being presented. Once rebooted, computers experienced irreversable encryption of master boot records, with no decryption key to be found even for organisations willing to pay the fee asked for.
The first companies to be affected by the NotPetya attack included large companies located in Ukraine — including its national bank — with firms in Russia also targeted. Cyber security experts Kaspersky then detected similar attacks across the UK, France, Germany, Italy and Poland. A day following the initial attack, ESET predicted that 80 per cent of all infections were in Ukraine, with Germany second hardest hit with about 9 per cent.
“NotPetya became ‘the most economically damaging cyber attack of all time’ by using EternalBlue to enter and exploit Windows-operated machines with unpatched security,” explained Lawrence Perret-Hall, director at CYFOR Secure.
“The most crucial takeaway here is that, while small businesses may think they are exempt from becoming targets of such large-scale attacks, a ransomware breach is always possible – a fact only exacerbated by the war in Ukraine and tensions between the West and Russia.”
The over $10 billion in damages inflicted on victims of NotPetya makes the attack one of the largest incidents in cyber history, and came just weeks after the WannaCry ransomware attack.
Supporting quick remediation
To minimise damage, businesses should look to a strong business continuity strategy, that would ideally include incident response, backup and recovery.
Perret-Hall continued: “Both backups and staff training are efficient, cost-effective and proactive ways that organisations can better safeguard themselves from ransomware and assist with recovery in the event of an attack.
“A blend of small and frequent, full, and long-term backups offer more substantial protection when implemented in tandem with encrypted, offsite storage. Meanwhile, regular staff training initiatives help to emphasise the importance of cyber security across the entire organisation and highlight simple and easy ways to implement better cyber hygiene on a day-to-day basis.
“However, having an incident response (IR) plan and business continuity playbooks to support with quick remediation following the event of an attack is crucial. In cyber security, it’s not a question of ‘if’ but ‘when’, and organisations need to have the resource and the expertise readily available to combat an attack quickly and efficiently when it inevitably occurs.”
Active Directory recovery
The NotPetya attack acted as a wake-up call for organisations of all sectors, highlighting that viruses never discriminate on corporate, political, or geographic aspects. This means that your business can possibly become collateral damage when a partner is attacked.
NotPetya particularly affected Active Directory, the database that connects users with network resources. With this vital part of company infrastructure becoming encrypted, operations shut down in droves.
“Some of the biggest damages were suffered by shipping giant Maersk – 45,000 computers got encrypted, including all but one of their Active Directory Domain Controllers, and lucky for them because, as one Maersk IT staffer mused; ‘If we can’t recover our domain controllers… we can’t recover anything’,” said Brian Hymer, solutions architect at Quest.
“Maersk learned that the recovery of Active Directory is not only critical, but uniquely challenging. Organisations must ensure they have a dedicated AD recovery plan in place to get their business back up and running as quickly and securely as possible.
“Unlike conventional weapons, cyber weapons can essentially be picked up and repurposed by the enemy, and companies need to be prepared for recovery, by prioritising, planning, and testing at least annually, especially as there’s always the possibility that some vulnerabilities cannot be patched.”
A security-first culture
Jones said: “NotPetya formed the start of what we can only describe as a ransomware crisis, ushering in an age of increasingly frequent and damaging cyber attacks.
“Not only has NotPetya been labelled a ‘watershed moment’ for the cyber insurance market – catalysing the growing rigidity of clauses and rise in premiums – but, along with countless ransomware attacks that have followed in its wake, has left organisations across all industries at risk of a critical attack.
“But in a climate where risk transference with cyber insurance is no longer a readily available form of cyber protection, how can businesses best protect themselves from ever-growing ransomware threats?
“A ‘security-first’ cultural shift must occur within organisations to reach a point where cyber security is accepted as a company-wide issue and responsibility. Working towards this with regular training programs and phishing simulations to educate and train employees, businesses can also be proactive with threat detection and mitigation.”
Microsoft outage: why enterprises need to prioritise machine identity management — In the wake of Microsoft forgetting to update its Windows Insider subdomain certificate over the weekend, we look at how machine identity management can help enterprises avoid an outage.
Overcoming the biggest cyber security staff challenges — Andrew Rose, resident CISO EMEA at Proofpoint, discusses the biggest cyber security staff challenges facing organisations, and how to overcome them.