Preparing For and Responding to the Petya Ransomware Attack
By Allen O'Rourke
While still reeling from last month’s WannaCry attack, organizations worldwide were hit with another global ransomware attack yesterday, June 27, 2017. The infection began inside the Ukraine but has quickly spread across four continents and over 65 countries, affecting many thousands of computers. The growing list of corporate victims includes a large Danish shipping company, the biggest advertising agency worldwide, a French construction material company, Russia’s largest oil producer, a major U.S. pharmaceutical company, and a multinational law firm. Numerous public and private institutions in the Ukraine are also affected, including everything from bank ATMs to the Chernobyl Nuclear Power Plant.
Variously called “Petya,” “GoldenEye,” “Petrwrap,” and “NotPetya” by different cybersecurity researchers, the current cyberattack’s malware is an offshoot of earlier Petya ransomware that began circulating last year. The new Petya variant encrypts a computer’s hard drive – making it inoperable – and demands $300 in Bitcoin to regain access. Victims are instructed to make payment into a specified Bitcoin wallet and then email confirmation to wowsmith123456@posteo.net – although that email account has now been deactivated by German email provider Posteo. About 36 ransom payments were made on June 27, 2017 – according to blockchain analysis – but by the following morning no one had reported regaining access to infected computers.
Petya ransomware appears similar to WannaCry but more resilient and destructive. It uses wormlike propagation to spread quickly across a computer network and has multiple attack vectors in addition to the “EternalBlue” Windows exploit that WannaCry used, such as Word documents laced with malicious macros and compromised updates for accounting software called “MeDoc.” Unfortunately, Petya contains no known “kill switch” similar to what curtailed WannaCry’s spread. As Wired’s Lily Hay Newman put it, “while WannaCry’s many design flaws caused it to flame out after a few days, this latest ransomware threat doesn’t make the same mistakes.”
Petya’s ongoing threat reflects a new reality for businesses today. With periodic leaks of alleged NSA hacking tools such as EternalBlue, cheap “Ransomware as a Service” being offered on dark web forums, and well-funded cybercriminal groups linked to organized crime and foreign governments, we are just going to see more and more ransomware and other cyberattacks targeting business operations and infrastructure. In other words, today’s cybercrime targets not only sensitive data stored on computers but also the integrity of computer systems that we rely upon every day.
Accordingly, business leaders and corporate officials such as in-house counsel need to be informed and prepared. Even after weathering a ransomware attack, an organization may still face expensive regulatory enforcement actions and civil litigation, not to mention reputational damage and lost business. With that in mind, the following are some basic action items to consider in preparing for and responding to ransomware attacks:
Preparing for Ransomware
- Maintain a backup copy of your organization’s computer system that can be used in the event that your system becomes encrypted by ransomware.
- Identify operating systems and software in your network that may be vulnerable and install appropriate security patches. Also implement measures to ensure that new security patches are promptly installed going forward.
- Deploy updated antivirus software and consider using automated software tools to detect and mitigate cyberattacks.
- Develop or update your organization’s incident response plan to address ransomware. This includes not only planning for rapid investigation, containment, and remediation of an attack, but also planning for business continuity, public relations, cybersecurity insurance, and legal compliance implications.
- Establish contacts with law enforcement, outside counsel, a cybersecurity remediator, your insurance company, and anyone else with whom you will need to coordinate when responding to a ransomware attack.
- Implement ongoing training of computer users on basic cybersecurity hygiene, including not clicking on suspicious links or opening suspicious email attachments.
Responding to Ransomware
- Wherever possible, incident response measures should be taken at the direction of counsel in order to preserve attorney-client privilege and minimize legal risk.
- Work with a cybersecurity remediation company to rapidly contain and remediate the ransomware attack. Among other things, this might include disabling the infected computer, restoring backup files, or counteracting the ransomware.
- Fully investigate the ransomware attack, engage with law enforcement as appropriate, and implement cybersecurity measures to defend against additional follow-up attacks.
- Ensure that key stakeholders stay informed, including corporate executives and boards of directors.
- Determine the extent of harm to data subjects and consumers, comply with applicable breach notification obligations, and take other steps to minimize legal risk.