Lessons gleaned from the notorious ransomware of 2017 are now textbook material, but is the world really more secure for it?

On Saturday, 27 June 2020, the infamous ransomware NotPetya will be three.

On that same date in 2017, more than 80 companies were initially attacked, including the National Bank of Ukraine. It has been estimated that 80% of all infections were in Ukraine, with Germany the second hardest hit at about 9%. Experts believed this was a politically motivated attack against Ukraine, since it occurred on the eve of the Ukrainian holiday Constitution Day.

The malware spread like wildfire across the world, affecting thousands of computers, extracting data and demanding ransom to be paid in Bitcoin. Hospitals, manufacturers and more were victimized, causing billions of dollars in losses worldwide.

Reminiscing on this major shock in world history, Amir Preminger, VP of Research at cybersecurity firm Claroty, noted: “It’s important to remember the far-reaching impact of NotPetya would not have been possible if the ‘wormable’ EternalBlue exploit vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol had not been publicly disclosed. Coupling together that vulnerability and a brute-force approach of infecting an accessible IP created the perfect conditions to make NotPetya infamous.”

Has the world woken up since?

In the aftermath of NotPetya, ransomware is still thriving, specifically within businesses that cannot patch or lack the visibility to identify vulnerable computers in their unmanaged networks. Nevertheless, many organizations have reduced or even minimized their network's attack surface to make cross-network infection more difficult.

“To cope with this adaptation, adversaries adopted a new approach to ransomware, decoupling the insertion point from the actual encryption and ransom act. In this approach, an advanced persistent threat (APT) attack is used to deliver the ransomware without revealing the vulnerability used to enter the network. This can enable the attacker to extend the shelf life of the vulnerability used, which is the expensive part in the business model of ransomware campaigns,” said Preminger.

Three years later, the most important takeaway from NotPetya is how the following conditions allowed it to wreak havoc at the time, and how far we have come in learning from them:

  1. Lack of patching: This is still a major concern.
  2. Poor network segmentation: The practice has improved, but still has some ways to go.
  3. Poor network visibility: Organizations must have visibility into which vulnerabilities are present within their network so they can fully understand their exposure. With ‘wormable’ vulnerabilities, timing is key. Enterprises need to know as quickly as possible which devices are vulnerable and, based on their patching capabilities, decide whether to patch, block the problematic traffic, or accept the risk and leave the vulnerabilities unpatched.
  4. Insufficient monitoring capabilities: Learning of an attack only once something is already spreading in your network is arguably too late.
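Points 3 and 4 above concern spotting worm-like spread before it is "too late". As an added example (not from the article or from Claroty), the following Python detector flags the lateral-movement pattern a wormable SMB exploit produces, one host fanning out to many distinct peers on TCP/445 in a short window, over constructed flow records; the record format, the 60-second window and the threshold of 10 peers are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp src dst dport), not from any real
# incident. Host 10.0.1.15 reaches 20 distinct peers on TCP/445 in 20 seconds,
# the fan-out a wormable SMB exploit produces. 10.0.1.50 talks to one file
# server repeatedly and 10.0.1.9 is a slow monitoring host touching one new
# peer every 100 seconds; neither should alert.
BASE = datetime(2020, 6, 27, 9, 0, 0)
SAMPLE_FLOWS = (
    [f"{(BASE + timedelta(seconds=i)).isoformat()} 10.0.1.15 10.0.1.{100 + i} 445"
     for i in range(1, 21)]
    + [f"{(BASE + timedelta(seconds=3 * i)).isoformat()} 10.0.1.50 10.0.1.5 445"
       for i in range(30)]
    + [f"{(BASE + timedelta(seconds=100 * i)).isoformat()} 10.0.1.9 10.0.1.{200 + i} 445"
       for i in range(12)]
)

def parse_flow(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def detect_smb_fanout(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_peers} for every source that contacted more
    than `threshold` distinct destinations on TCP/445 inside any `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        peers = defaultdict(int)  # dst -> hits still inside the window
        for ts, dst in events:
            peers[dst] += 1
            # Slide the window forward: drop events older than `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                start += 1
            if len(peers) > threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts

if __name__ == "__main__":
    print(detect_smb_fanout(SAMPLE_FLOWS))  # {'10.0.1.15': 20}
```

Fed from NetFlow or firewall logs, the same logic gives the early "something is spreading" signal item 4 calls for, while the repeated-single-peer and slow-scan cases show why the count must be of distinct peers inside a bounded window rather than raw connection volume.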

Preminger concluded: “The foundation of the next NotPetya is still being created, so discovering and patching vulnerabilities before threat actors have the chance to exploit them on a large scale is essential for preventing similar attacks.”