The Petya/NotPetya Ransomware Attack

Here we go again! In the aftermath of the WannaCry ransomware attack in May, on June 27 a "copycat" entity identified as Petya/NotPetya perpetrated a ransomware-style worm that exploited known Microsoft Windows vulnerabilities by way of the EternalBlue exploit and the DoublePulsar backdoor. The EternalBlue exploit is generally believed to have been developed by the U.S. National Security Agency (NSA) and was also used by the WannaCry ransomware. As with WannaCry, this attack affected computer systems worldwide, quickly spreading to at least 60 countries. Several large businesses, transportation networks, public utilities, and government agencies in Europe and the United States were hit.

This attack was initially focused on Ukraine and Russia. ATMs at the National Bank of Ukraine were disabled across the country, and systems used to monitor radiation at the former Chernobyl nuclear power facility were interrupted. Rosneft, the largest oil company in Russia, was also attacked. Petya/NotPetya spread like WannaCry, hitting one of the world's largest container shipping companies, Copenhagen-based A.P. Moller-Maersk, as well as WPP in London, one of the world's largest advertising agencies. Entities in France, Spain, and the United States were also attacked.

Like WannaCry, Petya/NotPetya encrypted hard drives, and the message from the attackers demanded a ransom of $300 to be paid in bitcoin. The ransom note read, "If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

Differences between WannaCry and Petya/NotPetya

Petya/NotPetya was more sophisticated than the WannaCry worm in its scope, its resistance to neutralization, and its range of targets. It spread rapidly within organizations using common IT administration tools, which typical security defenses do not recognize as malware. The worm also appears to have reached its initial victims through a third-party software vendor. Such approaches, which have historically been confined to targeted intrusions, now appear to have spread to large-scale global malware attacks.

Unlike WannaCry, unfortunately, Petya/NotPetya apparently has no "kill switch" embedded in it. The prospect of recovering lost data by paying the requested ransom is also clearly in doubt. The low amount of the initial ransom (which falls within the WannaCry ransom request range) and the fact that the attackers could not be contacted have caused confusion over the origin and purpose of the attack. It is still not clear whether state actors or freelance blackmailers (or a combination of both) are responsible. The fact remains that the only known method of retrieving data encrypted by Petya/NotPetya is restoring it from a backup copy.

To date, most ransomware has been able to avoid detection because each new strain is, in effect, zero-day code unknown to signature-based anti-virus software. Ransomware authors research anti-virus solutions to uncover weaknesses they can exploit to avoid discovery, and distributors generally encrypt their software to help shield it from detection.

SAP Recommendations for Broader Cybersecurity Protections

Obsolete versions of Microsoft Windows continue to reveal their vulnerability to these attacks. Clearly, our customer organizations should already have taken, or should now be taking, steps to update their Windows operating systems. Where outdated, unpatched Windows systems cannot be eliminated, segmenting the network to reduce the reachable attack surface is recommended.

Petya/NotPetya spread within organizations using the administrative tools Windows Management Instrumentation Command-line (WMIC) and PsExec. Attackers' use of these and other common IT admin tools allows malware to move undetected within networks. Their use in a widespread, automated global attack is a fresh approach. This underscores the urgency of implementing threat detection and response solutions—such as SAP Enterprise Threat Detection—and of leveraging trained cybersecurity staff and experienced partners to help identify and contain the Petya/NotPetya type of attack.
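To make the detection point concrete, here is an added example of the kind of rule a defender can run over endpoint telemetry to surface remote WMIC process creation and PsExec service installs. It is example code written for this post, not code from SAP, SAP Enterprise Threat Detection, or any other product. The events are constructed samples shaped loosely like Sysmon Event ID 1 (process creation) and System log Event ID 7045 (service install) records; the field names, the allowlisted jump host `JUMP01`, and the fan-out threshold are assumptions.

```python
"""Flag lateral movement via WMIC and PsExec in Windows endpoint events (added example)."""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names are an assumption,
# modelled loosely on Sysmon Event ID 1 and System Event ID 7045 records.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /node:WS02 /user:CORP\alice process call create "cmd.exe /c whoami"'},
    {"event_id": 1, "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /node:"WS03" process call create "cmd.exe /c hostname"'},
    {"event_id": 1, "host": "WS01", "user": "CORP\\alice",          # local query: benign
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption"},
    {"event_id": 7045, "host": "WS02", "user": "CORP\\alice",        # PsExec's default service
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 7045, "host": "WS04", "user": "SYSTEM",             # ordinary service: benign
     "service_name": "Spooler", "image_path": r"%SystemRoot%\System32\spoolsv.exe"},
    {"event_id": 1, "host": "JUMP01", "user": "CORP\\svc_admin",     # expected admin host
     "image": r"C:\Tools\PsExec.exe", "command_line": r"psexec \\WS09 -s cmd.exe"},
]

# Assumed: hosts where interactive use of admin tooling is expected and should not alert.
ALLOWLIST_HOSTS = {"JUMP01"}

WMIC_REMOTE = re.compile(r"/node:", re.I)                        # remote target switch
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.I)   # remote process launch
WMIC_TARGET = re.compile(r'/node:"?([^\s"]+)', re.I)
# Caveat: PsExec can be told to use another service name, so this only catches the default.
PSEXEC_SERVICE = re.compile(r"psexesvc", re.I)
PSEXEC_IMAGE = re.compile(r"[\\/](psexec(64)?|psexesvc)\.exe$", re.I)


def basename(path):
    """Last path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def evaluate(event):
    """Return (rule_name, detail) when an event matches a rule, else None."""
    if event["event_id"] == 1:
        image = basename(event.get("image", "")).lower()
        cmd = event.get("command_line", "")
        if image == "wmic.exe" and WMIC_REMOTE.search(cmd) and WMIC_CREATE.search(cmd):
            target = WMIC_TARGET.search(cmd)
            return ("wmic_remote_process_create", target.group(1) if target else "?")
        if PSEXEC_IMAGE.search(event.get("image", "")):
            return ("psexec_client_launch", cmd)
    elif event["event_id"] == 7045:
        if PSEXEC_SERVICE.search(event.get("service_name", "")) or \
           PSEXEC_SERVICE.search(event.get("image_path", "")):
            return ("psexec_service_install", event.get("service_name", ""))
    return None


def detect(events, allowlist_hosts=ALLOWLIST_HOSTS, spread_threshold=2):
    """Run the rules over a batch of events and add a fan-out finding when one
    source reaches several distinct hosts, the pattern of automated spread."""
    findings = []
    targets_by_source = defaultdict(set)
    for ev in events:
        hit = evaluate(ev)
        if hit is None or ev["host"] in allowlist_hosts:
            continue  # no match, or expected admin activity on an allowlisted host
        rule, detail = hit
        findings.append({"host": ev["host"], "user": ev["user"], "rule": rule, "detail": detail})
        if rule == "wmic_remote_process_create":
            targets_by_source[ev["host"]].add(detail)
    for src, targets in targets_by_source.items():
        if len(targets) >= spread_threshold:
            findings.append({"host": src, "user": "-", "rule": "fan_out",
                             "detail": ",".join(sorted(targets))})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:28} host={f['host']:7} user={f['user']:16} {f['detail']}")
```

The per-event rules alone would fire on a single administrator's routine work; the allowlist and the fan-out aggregation are what separate one admin running WMIC against one box from a worm driving the same tool at many hosts in quick succession. In production the batch would be a sliding time window rather than a whole list, and the allowlist would be scoped to accounts as well as hosts.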

In addition, frequent backups and comprehensive system recovery plans will help sustain business continuity. Critical data and programs should be backed up in a manner that enables rapid recovery, in the expectation of continuing and as-yet-unknown forms of cyber attack. This holds true across the spectrum of cybersecurity attacks and intrusion threats.

SAP customer organizations should continue to focus on the security risks posed by third parties, review their risk management processes, and institute the controls needed to mitigate potential damage. To this end, the SAP Secure Operations Map can be a powerful tool for managing a comprehensive approach to cyber security.

We now face a globally interconnected digital environment that is subject to the threat of sudden and costly cyberattacks from highly sophisticated organizations. SAP’s comprehensive GRC & Security solutions portfolio offers powerful tools for encryption, threat definition, identification, analysis, and protection in SAP and non-SAP systems.

Please investigate the extensive range of SAP Security offerings and continue to enjoy all of the blogs in our GRC series, including my previous blog, GRC Tuesdays: It Makes You Wanna Cry – Improving Cybersecurity in the Aftermath of the World's Largest Ransomware Attack.