Wow. If only there were some way to defeat these terrible cyber attacks. Imagine if there were some kind of discipline, let’s call it cyber security, that contained steps we could follow to prevent malware from causing massive system outages like this.
While some news outlets have branded the latest Petya/NotPetya malware-based cyber attack as powerful and unprecedented, the reality is that only the organizations with gaping holes in their security basics were taken down. It just goes to show that no organization can afford to ignore these basic cyber steps:
- Apply the latest manufacturer-supplied software patches, especially to operating systems, preferably within 24 hours of their release.
- Ensure that any information of value is securely backed up to a safe place on a regular basis.
- Make sure you run one of the anti-malware solutions that actually prevent these attacks from operating. For example, I noticed my AI anti-malware defeated the problem again!
So – yes – if you did those things above you would have been pretty much protected from this ransomware. But wait – is this really ransomware?
At first glance, this new malware looks like it is ransomware because it goes about encrypting files and making an empty offer to restore files in return for a payment – but that ransom payment route was swiftly blocked (the email address to send and receive the unlock key was disabled). This latest attack may be dressed like ransomware but that certainly is not the real intent.
In fact, this malware is really insidious. Like some superbug, it contains a combination of a number of different nasty components. It is not only encrypting files, but also appears to have learned from WannaCry that if you blend a lot of recent and powerful exploits, you can likely catch organizations that are slow at patch management and security response without the right countermeasures in place. Security firms are still analyzing how this malware operates, but it has been identified that it includes worm capabilities to spread within networks and is also likely to be found to be doing some credential scraping – actually stealing username and password details.
About a week ago, I retweeted this post from New York Times journalist Nicole Perlroth. That article seems to have disappeared for now – however, it did seem to point to an early version of something that sounded and looked a lot like this latest malware attack. The attack recipient was running network recording and was able to identify that the so-called ransomware was not only trying to encrypt files – but also had set about trying to steal credentials.
In my ISACA Now blog post six weeks ago, I suggested that WannaCry should have been a watershed moment. I firmly believe that it was and that this latest attack will have proven beyond any doubt that any organization of any reasonable size that thinks it can run without following all of the basic security practices is having to change its mind. There may still be some organizations that keep running unpatched, unsupported software – but I think it would be fair to estimate that they are not likely to stay operational for much longer at the rate that the current security threats are evolving.
These are not malware attacks that are using previously unknown and sophisticated exploits – these are attacks that are downright easy to defend against. However, these attacks are also showing just how well armed the major nation-states are likely to be, because both WannaCry and NotPetya have used powerful cyber exploits alleged to have been stolen from the NSA. If there are other unknown (zero-day) exploits with this kind of power, it may only be a matter of time before applying basic cyber security practices alone is no longer enough.
One thing is for certain – for organizations that want to stay in business, it is time to get all of the basic cyber security practices right.
Author’s note: Since writing this blog post, the NotPetya malware has now been confirmed to work as wiper malware, fully destroying the data on any device it successfully infects. Cutting the power to an infected device very early on can allow files to be recovered: instead of booting the machine, the files are read directly off the disk. Although masquerading as ransomware, it has been confirmed by multiple security experts that the actions of the NotPetya malware are intended to wipe devices beyond any potential data recovery.