Petya (NotPetya)

Petya is a family of encrypting malware that infects Microsoft Windows-based computers. Petya infects the master boot record to execute a payload that encrypts data on infected a hard drives’ systems. The data is unlocked only after the victim provides the encryption key, usually after paying the attacker a ransom for it.

Though first discovered in 2016, Petya began making news in 2017 when a new variant was used in a massive cyberattack against Ukrainian targets. It quickly spread worldwide, crippling businesses and causing more than $10 billion in damages.^[1]

The new variant, also dubbed “NotPetya” because of key differences with the original, spread using an exploit known as EternalBlue. The exploit was developed by—and later stolen from—the U.S. National Security Agency (NSA). Once on a compromised system, EternalBlue exploits a flaw in Windows networking protocols to silently spread across networks. Unlike most malware, NotPetya infected new systems without the user doing anything. That behavior made NotPetya more like a “ransomworm” than a traditional virus.

NotPetya was narrowly targeted, though quickly grew into a wider threat. And despite displaying the usual signs of a ransomware attack—such as the ransomware demand—wasn’t designed to actually collect any money. Those traits led researchers to conclude that the virus was a state-sponsored destructive attack, not an act of cybercrime.

According to the Ukrainian police, the NotPetya attack started by subverting the update function of that government’s accounting software. A second wave of attacks spread through malware-laden phishing emails.^[2]

Though it exploited the same flaw as an earlier ransomware strain called WannaCry, it had more options for spreading itself. That made NotPetya much more resilient to cyber defenses. At the same time, it wasn’t designed to spread beyond the initially infected environment. This limited the spread and is consistent with the theory that NotPetya was a narrowly targeted attack rather than a cyber criminal’s cash grab.

Once it has infected a system, Petya waits about an hour before rebooting the machine. It then displays the text “Repairing file system on C:” and warning users not to turn off their computers. As users wait, Petya is actually encrypting their files. Finally, the system reboots again, displaying the ransom demand.

The NotPetya ransom, however, is nearly impossible to pay. The attackers’ contact email was hard-coded to a webmail address that was quickly shut down. So there’s no way for victims to send the money or get the decryption key.

Like most ransomware, Petya is difficult to remove after it has infected a system. In most cases, the victim has to decide whether to pay the ransom (in hopes of actually getting the encryption key) or erasing everything and restoring it from backup. The best approach to avoid ransomware altogether. Here’s what to do before, during and after an attack.

Before the Attack

The best security strategy is to avoid ransomware altogether. This requires planning and work—before the crisis hits.

• Back up and restore
  The most important part of any ransomware security strategy is regular data backups. Surprisingly few organizations run backup and restore drills. Both halves are important; restore drills are the only way to know ahead of time whether your backup plan is working.
• Update and patch
  Keep operating systems, security software and patches up to date for all devices.
• Train and educate users
  Employee training and awareness are critical. Your people should know what to do, what not to do, how to avoid ransomware, and how to report it. If employees receive a ransomware demand, they should know to immediately report it to the security team—and never, ever try to pay on their own.
• Invest in robust people-centric security solutions
  Even the best user training won’t stop all ransomware. Advanced email security solutions protect against malicious attachments, documents, and URLs in emails that lead to ransomware.

During the Attack

Contain the Damage and Get Back to the Business

While the best ransomware strategy is to avoid it in the first place, this advice means nothing if you’re newly infected.

You have short-term problems to resolve, like getting computers, phones, and networks back online, and dealing with ransom demands.

• Turn the computer off and disconnect from the network
  Petya waits about an hour after infecting a system before rebooting and displaying a message that the file system is being “repaired.” If the machine is turned off immediately, some files may be saved, experts say.^[2]
  
  The moment employees see the ransomware demand or notice something is odd, they should disconnect from the network and take the infected machine to the IT department.
  
  Only the IT security team should attempt a reboot, and even that will only work in the event it is fake scareware or run-of-the-mill malware.
• Call law enforcement
  Ransomware is a crime—theft and extortion are in play. Notifying the proper authorities is a necessary first step.
• Determine scope of problem based on threat intelligence
  Your response—including whether to pay the ransom— hinges on several factors:
  • The type of attack.
  • Who in your network is compromised.
  • What network permissions any compromised accounts have.
• Orchestrate a response
  A big part of your response is deciding whether to pay the ransom. The answer is complicated and may require you to consult law enforcement and your legal counsel. In some cases, paying may be unavoidable.
• Don’t count on free ransomware decryption tools
  Most free tools work for only a single strain of ransomware or even a single attack campaign. As attackers update their ransomware, the free tools fall out of date and likely won’t work for your ransomware.
• Restore from Backup
  The only way to completely recover from a ransomware infection is restoring everything from backup. But even with recent backups, paying the ransom might make more financial and operational sense.

After the Attack

Review and Reinforce

We recommend a top-to-bottom security assessment to find threats that may still linger in your environment. Take a hard look at your security tools and procedures—and where they fell short.

• Cleanup
  Some ransomware contains other threats or backdoor Trojans that can lead to future attacks. In other cases, the victim’s environment was already compromised, opening a door for the ransomware.
  
  Look closer for hidden threats that you may have overlooked in the chaos.
• Post-mortem review
  Review your threat preparedness, the chain of events that led to the infection, and your response. Without figuring out how the ransomware attack got through, you have no way of stopping the next attack.
• Assess user awareness
  A well-informed employee is your last line of defense. Make sure employees, staff or faculty are up to the task.
• Education and training
  Develop a curriculum to address employee vulnerability to cyber attacks. Create a crisis communications plan in the event of a future attack, and follow-up with drills and penetration testing.
• Reinforce your defenses
  Today’s fast-changing threat landscape requires security solutions that can analyze, identify and block—in real time—the malicious URLs and attachments that serve as ransomware’s primary attack vehicles.
  
  Seek out security solutions that can adapt to new and emerging threats and help you respond to them faster.

[1] Andy Greenberg (Wired). “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”
[2] Olivia Solon and Alex Hern (The Guardian). “‘Petya’ ransomware attack: what is it and how can it be stopped?”