A new strain of ransomware dubbed “Petya” is worming its way around the world with alarming speed. The malware is spreading using a vulnerability in Microsoft Windows that the software giant patched in March 2017 — the same bug that was exploited by the recent and prolific WannaCry ransomware strain.
Why Petya, like WannaCry, Signals a New Era of Cybercrime
Petya and WannaCry are the tip of the iceberg in a new era of global, distributed cyber attacks that are affecting all industries and geographies. If organizations are not preparing for this new reality, they’ll likely soon be stung by it. The good news is that most distributed cyber crime attacks can be prevented or disrupted with good cyber-hygiene and vulnerability and threat management practices that consider what is happening in the wild. The challenge, though, is doing that across an enterprise-scale network with limited resources.
“There are several reasons why organizations fall victim to attacks like Petya and WannaCry, but chief among them is the issue of complexity,” says Ravid Circus, VP of Products for Skybox Security. “Every organization in the world is grappling with complexity. Sprawling networks with millions of assets and vulnerabilities, mobile devices, disconnected security controls, hybrid and multi-cloud environments, legacy systems that are outdated, and a threat landscape that is always changing. Most companies don’t have the tools or time to examine the complex relationships between these things, or to orchestrate the response to the risks demanding immediate attention. To protect against attacks like Petya and WannaCry, security pros need to rethink their approach, starting with gaining complete visibility of their attack surface and exposures. They should also be automating everything from risk assessments to analysis to remediation priorities. We’ve seen how quickly Petya can spread; relying on manual methods to combat it is from now on out of the question.”
“While Petya fits in the new echelon of global, distributed ransomware, it preys on classic cyber security weaknesses — known vulnerabilities with known exploits,” added Ravid. “This tells us many current vulnerability management programs aren’t built to tackle today’s threats. Organizations struggle to understand their network and security gaps and which issues demand immediate attention, like vulnerabilities used in active attack campaigns. They fundamentally need to gain visibility over their network — physical and multi-cloud networks, operational technology and mobile devices — and correlate that information with vulnerability and threat intelligence. With this context, they can quickly understand where their risks lie, how they could be exploited, what issues take priority and how best to fix them.”
The fact that Petya is using the same EternalBlue exploit as WannaCry with widespread success shows just how much current security approaches aren’t working. If these vulnerabilities weren’t patched or mitigated on every machine when WannaCry hit, organizations are probably kicking themselves today. But unless your vulnerability management strategy goes after the vulnerabilities that are exposed in your network or exploited in the wild, your efforts are likely going to the wrong place.
Marina Kidron, head of Skybox Security’s Research Lab, says, “If they didn’t heed WannaCry’s warnings, organizations need to take Petya as a wakeup call to the new reality of global, distributed cybercrime. It aims to take money from as many victims as possible, maximizing the ROI of their exploits, tools and services. Part of Petya’s proliferation is enhanced by providing ransomware-as-a-service (RaaS) to low-skilled attackers. So EternalBlue and the vulnerabilities it exploits are likely going to be reused over and over and over again by Petya or whatever the next incarnation is of distributed crimeware. Prioritizing efforts to focus on these and other vulnerabilities exploited in the wild — or vulnerabilities that attackers can reach within your network — will provide the best ROI, so to speak, for your vulnerability management resources. Having said that, the threat landscape is always changing and so organizations must also systematically address potential threats over time, before they become the next Petya.”
Everyone from businesses to government to critical infrastructure is undoubtedly concerned about ransomware attacks such as WannaCry and now Petya. These distributed attacks know no vertical — anyone is a target. The sticking point, especially for critical infrastructure that is focused on continuous uptime, is where preparing for these attacks falls on the priorities list; with the Petya outbreak hitting these types of organizations, it has presumably just moved up a few slots.
The Petya and WannaCry ransomware attacks occurring in relatively close succession tell us that global, distributed ransomware is likely only ramping up. And it appears Petya is learning from its earlier variants’ and WannaCry’s mistakes. Cybersecurity needs to do the same. For critical infrastructure organizations that are dealing with mass-scale complexity between IT and OT networks, gaining visibility into the network paths and access between those environments is crucial. Petya, like WannaCry, is using network connectivity to its advantage. Just because your IT and OT data or processes might be siloed doesn’t mean an attacker views these environments that way. Understanding how to effectively segment your organization, control access and neutralize threats posed by vulnerabilities is more important now than ever.
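The prioritization Kidron describes (findings exploited in the wild, or reachable by an attacker inside your network, first) and the IT/OT path visibility called for in the paragraph above can be combined into a single exposure check. The Python below is an added example, not Skybox Security's code or product logic. It assumes a zone-level firewall policy, a constructed host inventory with constructed vulnerability labels (not real CVE numbers), TCP 445 as the port of the SMB service EternalBlue targets, and an initial-compromise zone chosen by the analyst; it ranks unpatched findings by exploit availability plus reachability, and shows how patching one pivot host in the OT server zone cuts the worm's path to the plant floor even though the firewall rules are unchanged.

```python
"""Exposure-driven vulnerability prioritization over a segmented IT/OT network.

Added example (not Skybox Security's code). Zones, hosts, firewall rules and
vulnerability labels below are all constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, replace

SMB_PORT = 445  # TCP port of the SMB service that EternalBlue targets


@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # constructed label, not a real CVE identifier
    port: int                # port the vulnerable service listens on
    exploited_in_wild: bool  # threat intel reports an active exploit campaign
    patched: bool


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    vulns: tuple  # of Vuln


# Constructed firewall policy: (src_zone, dst_zone, dst_port) triples that are
# allowed. Anything not listed is denied, so there is deliberately no direct
# corp-it -> plc-floor rule; the only way to the floor is via the OT servers.
ALLOW = {
    ("corp-it", "ot-servers", 445),    # historian file share used by engineers
    ("ot-servers", "plc-floor", 445),  # historian pulls data from the HMI
    ("corp-it", "dmz", 443),
}


def exploitable(host, port):
    """True if the host has an unpatched, actively exploited finding on `port`."""
    return any(v.port == port and v.exploited_in_wild and not v.patched
               for v in host.vulns)


def worm_reach(hosts, rules, entry_zone, port):
    """Zones a self-propagating exploit for `port` can reach from `entry_zone`.

    The worm may only pivot out of a zone if that zone holds at least one host
    it can compromise, so a fully patched intermediate zone stops the spread
    even when the firewall would still permit the traffic onward.
    """
    by_zone = {}
    for h in hosts:
        by_zone.setdefault(h.zone, []).append(h)
    seen = {entry_zone}
    queue = deque([entry_zone])
    while queue:
        zone = queue.popleft()
        # The entry zone is assumed already compromised; every other zone
        # needs a foothold host before it can be used to pivot further.
        if zone != entry_zone and not any(exploitable(h, port)
                                          for h in by_zone.get(zone, [])):
            continue
        for src, dst, p in rules:
            if src == zone and p == port and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def prioritize(hosts, rules, entry_zone):
    """Rank unpatched findings: in-the-wild exploit AND reachable scores highest.

    Returns (score, host, vuln_id, reachable) tuples, highest score first.
    """
    ranked = []
    for h in hosts:
        for v in h.vulns:
            if v.patched:
                continue
            reachable = h.zone in worm_reach(hosts, rules, entry_zone, v.port)
            score = (2 if v.exploited_in_wild else 0) + (1 if reachable else 0)
            ranked.append((score, h.name, v.vuln_id, reachable))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


def patch(hosts, host_name, vuln_id):
    """Return a copy of the inventory with one finding marked as patched."""
    out = []
    for h in hosts:
        if h.name == host_name:
            h = replace(h, vulns=tuple(replace(v, patched=True)
                                       if v.vuln_id == vuln_id else v
                                       for v in h.vulns))
        out.append(h)
    return out


# Constructed inventory: a mixed IT/OT estate with a few machines still
# carrying the SMB flaw and one unrelated, non-exploited RDP finding.
SMB_V1 = Vuln("SMB-ETERNALBLUE", SMB_PORT, exploited_in_wild=True, patched=False)
RDP_X = Vuln("CONSTRUCTED-RDP-1", 3389, exploited_in_wild=False, patched=False)

HOSTS = [
    Host("ws-01", "corp-it", (SMB_V1,)),
    Host("ws-02", "corp-it", (replace(SMB_V1, patched=True),)),
    Host("hist-01", "ot-servers", (SMB_V1,)),   # the pivot into the plant
    Host("hmi-01", "plc-floor", (SMB_V1,)),
    Host("eng-ws", "plc-floor", (RDP_X,)),
]

if __name__ == "__main__":
    print("reach from corp-it:", sorted(worm_reach(HOSTS, ALLOW, "corp-it", SMB_PORT)))
    for row in prioritize(HOSTS, ALLOW, "corp-it"):
        print(row)
    after = patch(HOSTS, "hist-01", "SMB-ETERNALBLUE")
    print("after patching hist-01:", sorted(worm_reach(after, ALLOW, "corp-it", SMB_PORT)))
```

Running it from the office LAN as the entry zone shows all three SMB findings scoring 3 (exploited in the wild and reachable), while the RDP finding on the floor scores 0 because no rule carries 3389 anywhere. Patching only `hist-01` drops `hmi-01` to score 2: still worth fixing, but no longer on a live path from IT, which is the kind of segmentation-aware ordering the text argues for.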