Some of the companies impacted included international pharmaceutical giant Merck, global law firm DLA Piper, global shipping company Maersk, and a number of Ukrainian governmental agencies.
This new strain of ransomware, apparently a variation of the “Petya” family, uses the same exploit as WannaCry, the ransomware behind the global attack of May 12 that hit more than 200,000 machines in 150 countries, including Russian government offices and the United Kingdom’s National Health Service. Unlike WannaCry, this Petya variant does not rely on the exploit alone: once inside a network it also harvests administrator credentials from infected machines and uses ordinary Windows administration tools to copy itself to other hosts, so fully patched machines on the same network were still at risk.
Petya is particularly virulent. It spreads from machine to machine using an exploit known as “Eternal Blue,” which targets a flaw in Windows’ SMBv1 file-sharing service and was reportedly developed by the National Security Agency (NSA). The exploit was released “into the wild” in April 2017 by a still-unidentified group calling itself the “Shadow Brokers,” who first surfaced in 2016 and claim to have stolen “Eternal Blue” and other powerful cyberweapons from the NSA.
Petya and WannaCry prey on any Windows machine that is unpatched and reachable over SMB, and the hardest hit were organizations running older “legacy” systems such as Windows XP, Windows 8, and Windows Server 2003, which had already left mainstream support and only received an emergency fix from Microsoft after WannaCry struck.
Even though Microsoft released an update patching the Eternal Blue vulnerability (security bulletin MS17-010, in March 2017) two months before the WannaCry attack, many victims across the world still had not installed the critical update, often because they sit in large institutions that roll out software updates slowly.
So, what do you do if you get ransomware? First, as every victim quickly realizes, there are two choices: pay or don’t pay. To aid in this decision, consider the following insights:
Many ransomware outfits are professional and respond to a simple reputational incentive. If a victim pays but the hackers do not decrypt the data, word will spread and people will stop paying the ransom. While this may not hold for smaller outfits and individual “ransomware as a service” users, the larger players tend to hold up their end of the deal.
To the extent possible, victims should research the strain of ransomware before paying: the identity of the strain indicates whether its operators are known to deliver working keys, and for some strains security researchers have published free decryption tools that make payment unnecessary.
Early reports indicate that the single email address the perpetrators behind the Petya attack used to handle payments was shut down by its hosting provider. Victims therefore have no way to send proof of payment and the attackers no way to send decryption keys, so paying the ransom would be meaningless unless the attackers set up a new channel.
Second, victims should determine what data is stored on the computers hit by ransomware. While ransomware attacks generally do not involve sensitive data being accessed or stolen, once the incident has been contained, victims should conduct a forensic investigation of the network to determine whether a data breach occurred. The reliance on a single email address to distribute decryption keys suggests the Petya attackers may have been using the ransomware as a cover for a larger, destructive attack rather than pursuing monetary gain.
How do you prevent ransomware? Businesses are woefully unprepared to defend against dedicated attackers. Fortunately, users can harden themselves against ransomware by following a few simple rules.
First, never click on links or open attachments in emails that you were not expecting. This guards against the most common way ransomware first enters an organization, although it does not stop a worm like Petya from spreading inside a network once one machine is infected.
Second, always run security updates and install patches promptly. Self-propagating malware like WannaCry and Petya spreads through unpatched vulnerabilities, so installing patches and updates quickly is critical to thwarting ransomware attacks. Where a legacy protocol such as SMBv1 is not actually needed, disabling it removes the attack surface outright rather than relying on patching alone.
Third, consider purchasing cyber insurance. Many businesses don’t realize that unless they have special coverage, most insurance policies will not cover data breaches, cyberattacks, loss of customer data, or ransomware incidents.
Fourth, keep backups on-site or in the cloud, and make sure at least one copy is offline or otherwise unreachable from the infected network, since ransomware will happily encrypt a backup drive or file share that is still mounted. Test that the backups actually restore before you need them. Granted, using cloud backup requires users to place their trust in a third party that may itself be vulnerable to attack.
Fifth, take proactive measures. The time to adopt proactive cybersecurity measures, such as the 2014 NIST Cybersecurity Framework, is before ransomware strikes.
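The patching rule above is easier to follow when an administrator can quickly tell which machines are still exposed. The following PowerShell script is an added example, not code from the original article or from any vendor: it audits the two local conditions that let Eternal Blue-based worms move between Windows hosts (an enabled SMBv1 server and a missing MS17-010 update) and can optionally disable SMBv1. The KB numbers are this example’s own assumed list for common Windows builds and should be confirmed against Microsoft’s MS17-010 bulletin for your exact version; the -Remediate switch and function names are likewise the example’s own.

```powershell
<#
  Added example (not part of the original article). Run in an elevated
  PowerShell session on the host being audited. Checks whether the SMBv1
  server is enabled and whether an MS17-010 package is present, and with
  -Remediate turns SMBv1 off.
#>
param(
    [switch]$Remediate   # disable SMBv1 if it is found enabled
)

# MS17-010 packages for common builds. This is the example's assumed list;
# on Windows 10 / Server 2016 later cumulative updates supersede these, so a
# missing KB there is not by itself proof of exposure.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598', 'KB4013429')

function Test-Smb1Enabled {
    # The SMBv1 *server* is what Eternal Blue attacks, so that is the setting
    # that matters. Windows 8 / Server 2012 and later expose it via the SMB
    # cmdlets; on Windows 7 / Server 2008 R2 fall back to the registry value
    # Microsoft documents for disabling SMBv1 (absent value means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$os = Get-CimInstance Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

$smb1Enabled = Test-Smb1Enabled
$patched     = Test-Ms17010Installed
$lastUpdate  = (Get-HotFix | Where-Object InstalledOn |
                Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

Write-Host ("SMBv1 server enabled : {0}" -f $smb1Enabled)
Write-Host ("MS17-010 KB present  : {0}" -f $patched)
Write-Host ("Last update installed: {0}" -f $lastUpdate)

if ($smb1Enabled) {
    if ($Remediate) {
        # Turn the SMBv1 server off. Legacy clients (Windows XP, old NAS boxes)
        # will lose access to shares on this host, so inventory them first.
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Type DWord -Value 0
        }
        # On Windows 8.1 / Server 2012 R2 and later SMBv1 is also an optional
        # feature; removing it takes the driver out entirely.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
        Write-Warning "SMBv1 disabled; a reboot may be required for the change to take full effect."
    } else {
        Write-Warning "SMBv1 is enabled. Re-run with -Remediate to disable it, and install MS17-010 at minimum."
    }
}
```

Run it once to audit (`.\Check-Smb1.ps1`) and again with `-Remediate` once any legacy clients that still depend on SMBv1 have been identified; on a Windows 10 host treat a “KB present: False” line as a prompt to confirm the current cumulative update is installed rather than as proof the machine is exploitable.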
When a data breach or cyberattack occurs, many cybersecurity experts agree that a victim’s first call should be to a data breach lawyer, who can coordinate with law enforcement, serve as a point person for network investigations, and assist with obtaining insurance coverage and determining legal reporting requirements.