Article by Rich Curtiss, Managing Director at Clearwater Compliance, Originally published on Becker's Health IT & CIO Review on July 6, 2017
The latest world-wide cyber event was touted as another Ransomware attack of the WannaCry variant. To reorient, WannaCry is a malware package in the Ransomware category.
Ransomware is, typically, employed by cyber-criminals for financial gain. The WannaCry threat leverages the ETERNALBLUE propagation tool, ostensibly created by the National Security Agency, to exploit the SMB vulnerability. The entire package is delivered through a “phishing” email or a compromised website to an unsuspecting user. Once the attachment is downloaded, the Wannacry portion will “take over” the computer, encrypts the hard drive with a specialized cryptographic algorithm that uses a “key” for decryption. The only one with the key is the organization which is seeking a ransom to provide the decryption key. This ransom is exclusively enabled by the use of something called a “cryptocurrency” such as BitCoin. If the victim acquiesces to the ransom demand, they may or may not receive the decryption key. There is no honor among thieves, as they say.
The latest attack was, initially, dubbed a Petya attack. Petya is another variant in the Ransomware family. This attack had all of the hallmarks of the previous WannaCry exploit but was soon determined to be significantly different. While it exploited the same SMB vulnerability with the ETERNALBLUE propagation tool, the notPetya malware was meant to disable computer systems and not seek financial gain. This leads many to postulate that this was a “nation-state” attack and not a cybercriminal venture. The Ukraine was the initial target but notPetya quickly moved from system to system across multiple countries. NotPetya employed a feature called a “worm” so that once an information system was compromised, the malware would spread quickly across the system and any other connected systems. Some organizations shut down operations to avoid further internal spread and potential infections of their third-party associates.
Most researchers have come to the conclusion that the Petya package was a “wiper” form of malware and not a “ransomware” exploit. Hence, the name “notPetya.” The malware is packaged or disguised to look like Ransomware but, in fact, wipes the hard drive by destroying the master boot record and leaving the computer completely disabled. It does not encrypt the drive, which means there is no decryption key. The “link” to pay the ransom is inactive.
Malware attacks are not going away and getting more inventive and sophisticated. This makes it an imperative that organizations take proactive measures to identify, prevent, detect, respond and recover from cybersecurity incidents including malware attacks. These functions are identified in the NIST Cybersecurity Framework and include, but are not limited to:
• Thorough Information Risk Management using the NIST Risk Management Framework
• Timely patching of operating systems and applications
• Updating end-of-life operating systems and applications (i.e. Windows XP)
• Robust, encrypted and frequent system back-ups
• Comprehensive and frequent security training and awareness for workforce members
o Phishing campaigns can be very effective
• Information System Security Incident Monitoring and Response
• Centrally monitored and frequently updated anti-malware platform
• Testing of Business Continuity and Disaster Recovery Plans including back-up restoration
Application of these safeguards and countermeasures will go a long way to keeping your organization safe and providing protection from most malware exploits.