What’s the latest threat that keeps security administrators awake at night these days? Chances are that the most likely answer would be either “WannaCry” or “Petya”, or both.
But why are these two breeds of malware so fearsome? What is different and so dangerous about them that CISOs of large, medium and small organizations alike find them challenging? Let’s have a look.
Understanding Petya and WannaCry
Petya and WannaCry are malware that caused significant havoc across the world in 2017. What makes them particularly insidious is that they are ransomware. True to the name, ransomware works by encrypting, and thus locking up, the files on a victim’s computer and then demanding a ransom for their release in the form of a decryption key.
Ransomware works through asymmetric key cryptography, which cannot feasibly be broken without the private key. Without the decryption key, the victim cannot recover their files.
The WannaCry ransomware attack began on Friday, 12 May 2017, and within a day it managed to infect over 200,000 computers in 150 countries, making it the biggest ransomware attack in history. The U.S. National Security Agency (NSA) reportedly discovered an underlying vulnerability (MS17-010) in Microsoft’s Server Message Block (SMB) protocol (“used by Windows machines to communicate with file systems over a network”). The NSA chose not to inform Microsoft about this vulnerability and instead built an exploit called EternalBlue for intelligence-gathering purposes. A hacking group called Shadow Brokers stole the details of this exploit and leaked them publicly, which ultimately triggered the WannaCry outbreak worldwide. Microsoft had already released a security update to patch this vulnerability in March 2017, but many users and organizations failed to apply this update, leaving their systems exposed to the attack.
Petya began its infamous journey just about six weeks after WannaCry, in late June 2017. It is suspected to have originated in Ukraine. The attack appears to have been seeded through a software update mechanism built into an accounting program used by companies working with the Ukrainian government. It spread using the same vulnerability that WannaCry had exploited.
The impact of WannaCry and Petya on organizations across the globe
The impact of losing access to critical files, ranging from photographs to emails to databases, can be devastating to the business operations of any enterprise, large or small. Typically, recovering from a ransomware attack is a nightmare that can stretch from days to weeks, with considerable impact on the company’s revenues and reputation.
WannaCry started spreading like wildfire around 12 May 2017, infecting large and small companies across the globe, with prominent organizations such as the UK’s National Health Service (NHS) and FedEx in the US among those impacted. Overall, more than 300,000 computers were affected globally. WannaCry locked the computers’ files, and a ransom demand appeared on their locked screens with a countdown timer indicating that time was running out and that, if the ransom wasn’t paid, the key would be destroyed permanently.
Petya similarly demanded a ransom of $300 in Bitcoin and locked the computer down, with only the ransom demand screen showing. The shipping giant Maersk, the advertising company WPP, the law firm DLA Piper, the energy company Rosneft, and the food giant Mondelez were among the prominent organizations that admitted their systems had been compromised by Petya. Many others were affected as well.
How to avoid or minimize the impact of WannaCry and Petya?
Ransomware has been around for a long time, but it has gained more teeth now with the availability of Bitcoin-based payment, which lets attackers collect the ransom with little risk of being traced. Another reason for its resurgence is the ‘malware as a service’ business model, in which people without much technical knowledge act as distributors of the malware under a ‘revenue share’ arrangement.
As always, prevention is better than cure. With proper security practices, including applying all security patches in a timely manner and installing appropriate security mechanisms, companies can reduce the cyber threat to their systems. Using multi-layered security tools like Seqrite’s comprehensive portfolio of firewall, network and endpoint security products, the malware can be prevented from infecting the enterprise’s systems in the first place. In the unfortunate event of an infection, secure recovery is possible through the backup and data restore feature.
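The two controls that matter most against this particular worm are the ones named above: the March 2017 MS17-010 update must be installed, and SMBv1 (the protocol version EternalBlue targets) should be disabled. The following PowerShell audit script is an added example, not code from the Seqrite post or from any Seqrite product; it reports both conditions for the local host. The KB numbers for MS17-010 differ per Windows version and are not listed in the post, so they are passed in as a placeholder parameter (an assumption to be filled from the Microsoft bulletin); the cmdlets used (Get-HotFix, Get-SmbServerConfiguration, Get-WindowsOptionalFeature) are standard Windows cmdlets and need an elevated session.

```powershell
# Added example (not from the original post): audit one Windows host for the
# two WannaCry/Petya mitigations the post recommends:
#   (1) the MS17-010 security update is installed,
#   (2) SMBv1 is disabled / removed.
# $Ms17010Kbs is a placeholder: fill in the KB ids for this OS version from the
# MS17-010 bulletin (assumption; the post does not list them). Run elevated.
param(
    [string[]]$Ms17010Kbs = @('KB_PLACEHOLDER_FROM_MS17-010_BULLETIN')
)

function Test-Ms17010Patch {
    param([string[]]$KbIds)
    # Get-HotFix lists installed updates; any matching KB id counts as patched.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Disabled {
    # Server-side switch (Windows 8 / Server 2012 and later).
    $server = Get-SmbServerConfiguration
    $serverOff = -not $server.EnableSMB1Protocol

    # The SMB1Protocol optional feature can also be removed outright;
    # treat "not present" the same as "disabled".
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
               -ErrorAction SilentlyContinue
    $featureOff = ($null -eq $feature) -or ($feature.State -ne 'Enabled')

    return ($serverOff -and $featureOff)
}

$patched = Test-Ms17010Patch -KbIds $Ms17010Kbs
$smb1Off = Test-Smb1Disabled

# One record per host; pipe this into a CSV when run across a fleet.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Ms17010Patched = $patched
    Smb1Disabled   = $smb1Off
} | Format-List

if (-not $smb1Off) {
    Write-Warning ('SMBv1 is still enabled. Disable it with: ' +
                   'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force')
}
if (-not $patched) {
    Write-Warning 'No MS17-010 KB found via Get-HotFix; apply the March 2017 security update for this OS.'
}
```

Two caveats for anyone running this: on Windows 10, later cumulative updates supersede the March 2017 package, so Get-HotFix may not show the original KB even though the host is protected, and the OS build number is then the better indicator; and disabling SMBv1 on the server side does not stop the host from initiating SMBv1 connections as a client, so the optional-feature check is the more complete of the two.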
WannaCry and Petya are more insidious and damaging than all the malware attacks that have come before them, but they are not difficult to prevent. Proper security mechanisms and tools, applied judiciously, can prevent their entry, control their spread, and minimize their impact.