Less than 6 weeks after the WannaCry attack, a new ransomware called “Petya” is worming its way around the world with alarming speed. The malware is spreading using a vulnerability in Microsoft Windows — the same bug that was exploited in May.
How to Protect Yourself against Petya ransomware and why Ukraine was the first target?
Dr. Ulrich Lang, CEO of ObjectSecurity explains exclusively for IIoT World:
“First things first: For immediate response, back up all your data of your Windows systems. Then reportedly create read-only kill-switch files “c:\windows\perfc” and “c:\windows\perfc.dat”. And patch your Windows systems, especially with the Eternal Blue exploit patches. Optionally also disable the SMB service. If you run Windows, you need to apply patches as soon as they come out.
Now for the bigger picture: After WannaCry back in May (tentatively blamed on North Korea by U.S. intelligence agencies) , which shares similarities with the current Petya attack, this new attack shows that we are not dealing with one-offs. Interestingly, it also shows that many people and organizations are have not applied the necessary Eternal Blue exploit patches after WannaCry, which is quite negligent. Should organizations be liable for knowingly not applying critical patches?
The attackers appear to have once again majorly hit Ukraine, with government, national bank, and largest power companies being hit there. The unusual frequency Ukraine is being majorly hit by malware attacks begs the question: While the ransomware asks for $300 in bitcoin – suggesting the hackers are purely incentivized by money – it is quite possible that these are covert cyberwar experiments by a nation state. Ukraine could be considered a “safe testbed” for cyberwar experiments due to its relatively small global political and military”, adds Ulrich Lang, CEO of ObjectSecurity.
Edgard Capdevielle, CEO of Nozomi Networks has quite a similar opinion. He says: “The Ukraine continues to be in the cross-hairs of persistent cyber attackers. Whether you believe the Ukraine is a test-bed for nation state aggression (per the WIRED Cover Story yesterday) or an issue between two specific countries, the continued barrage of attacks against Ukrainian infrastructure is disturbing. The most recent attack is reported to target IT systems and has not impacted the operational systems and industrial control systems (ICS) that control the power supply there, according to Ukrainian state power distributor, Ukrenergo, however critical infrastructure provides around the globe should re-double their efforts ensure proper separation of their IT and OT networks and be actively monitoring their ICS environments and applying advanced anomaly detection systems so that they can detect and remediate any efforts to disruption operations of ICS within their critical infrastructure.”
Andrea Carcano, Co-Founder and Chief Product Officer of Nozomi Networks says: “If rumors prove true that this attack was initiated by the External Blue Exploit, it is a well-known vulnerability using SMB v1. SMB is a protocols used often in the industrial networks. Therefore security staff should be identifying any Microsoft systems in their ICS that could be exploited and take immediate remediation steps to patch them. This is the same vulnerability used in by last month’s WannaCry Ransomware bombardment in which hundreds of thousands of computers in critical industries were effected. It demonstrates the urgency for patching, however within ICS environments rapid patching can be difficult or impossible, which means operators must turn to advanced ICS cybersecurity monitoring to analyze the traffic and identify anomalous SMB v1 traffic. Real-time detection enables operators to take immediate steps to remediate the operational impact and ensure critical infrastructure stays up and running.”
Bryan Singer, Director Security Services IOActive thinks: “It would seem we have arrived at the dawn of the ICS (Industrial Control System) attack. For the past ten years any attacks to industrial control systems have been one off, specifically targeted attacks by insiders; or otherwise had very limited visibility. For instance, we still talk about Vitek Boden from 2001 and Stuxnet in 2010. But it seems like over the last few weeks we have hit a new era, it is now impossible to say "that can't happen to us" any more – this will act as a real wake up call.”
Matt Morris, Vice President of Strategy & Products at NexDefense also commented:
"Our firm focuses on improving production and/or safety, while ensuring cyber resilience. We frequently point out that design issues, misconfigurations, and other human related issues represent the largest risk to production and safety. But lately, cyber risks like Petya are elevating in frequency, impact and risk.
To this point, I couldn’t agree with Bryan (Singer) more. It seems that the day we’ve always known would likely come is finally here. Ransomware like Petya and WannaCry are happening at an ever-increasing clip, and can be debilitating. Others, like Stuxnet and CrashOverride are crossing into the physical realm, with the ability to take down entire power systems or worse.
This also marks the point in time where plausible deniability goes out the window. We have now seen a chain of events building up in frequency, intensity, and consequence. It is all out there for senior officers to see. So, the question is – to what extent will shareholders and other regulatory bodies hold officers responsible for knowing the risk that exists, yet not taking proper steps to protect, detect, and remediate?
Final point - it’s easy to say that industrial companies should be patching (Windows). But the reason operators may not be patching those systems is due to the negative consequences at risk if certain critical systems did not reinitialize properly. Given the threat landscape that is playing out in front of us, there’s simply no excuse for denying investment into detection, prevention and forensics capabilities. Most systems cost an infinitesimal fraction of a single hour of production downtime, or of a human life."