Ransomware and malware attacks
EY response to recent cybersecurity incidents
On June 27, 2017, a second global cyber attack called Petya (also being called Petwrap, NotPetya, Petna and GoldenEye) impacted organizations across a wide range of sectors, including financial services, power and utilities, media, telecom, life sciences, transportation as well as government agencies.
Cyber attacks like ransomware aren't new: over the last five years the number of attacks has grown tremendously, usually with financially motivated cyber criminals extorting relatively small amounts of money from victims whose data they are holding hostage. The criminals promise that payment will result in the data being released, but this does not always happen.
It is the second major malware campaign after the WannaCry outbreak in May 2017. Although initially characterized as very similar to that attack, Petya is notably different, particularly in the way it spreads and encrypts victims’ data. While WannaCry relied on its worm-like behavior to spread across the Internet, Petya was less virulent, using a hijacked software update as the initial infection vector and lacking the ability to spread across the public Internet from victim to victim.
Initial intelligence suggested this was yet another ransomware attack; however, it is now widely reported that the malware used was not actually ransomware but more akin to wiper malware that permanently encrypts all data on the infected systems. In fact, the malware appears to have been purposefully designed without the capability to decrypt and recover the encrypted data. This means that even if victims paid the ransom, they would not get their data back.
This also supports the theory that the attack was not motivated by financial gain but was instead intended to cause maximum destruction and disruption to the targeted organizations.
Why is this attack significant?
The global scale and the apparently indiscriminate targeting of organizations emphasize the need for all companies to pay attention to the security basics:
- Keep systems up-to-date with software patches
- Make regular backups of data
- Educate users not to click suspicious links
Just like WannaCry, the cost of the operational disruption is significant overall, but variable by sector and organization. The actual cost to organizations is not yet known, and will differ for every victim.
The instigators may not receive much in ransom payments at all (currently only around $50,000). The likelihood of identifying the culprits is fairly low, and the process of bringing them to justice would be long and costly.
This is likely to be of little consolation to the many organizations that will suffer costs and data loss arising from this cybercriminal activity.
Steps to take now
Both the Petya and WannaCry incidents highlight the need for organizations to get the cybersecurity basics right:
- Identify and manage the organization's cyber risks, with a specific focus on the priority cyber threats and breach scenarios that could disrupt operations or have other negative impacts on the organization.
- Educate the organization’s employees in good cybersecurity practices and the use of third-party assessment/assurance programs.
- Maintain awareness of the cyber threat environment. Cyber criminals and other attackers are constantly evolving their methods to create ever-more effective ways of exploiting vulnerabilities for monetary gain or disruption purposes. Often this involves interfering with data integrity rather than compromising its confidentiality.
- Maintain and regularly review the elements of the cybersecurity program. This provides a strong foundation for building cyber resilience into the organization: patch often, define the cyber incident response process, back up regularly and practice response scenarios.
Preventive measures to reduce the risk of ransomware and malware
EY member firms' range of cybersecurity services, including proactive penetration testing, cyber transformation and Managed Security Operations Centers, can be leveraged to help prevent a ransomware outbreak within an organization:
- Ensure vulnerability and patch management policies and procedures are up to date and are implemented through appropriate change control procedures. Where out-of-date and legacy operating systems are used, seek guidance from vendors on further steps
- Maintain an effective enterprise incident response and business continuity plan that is tested and measured for effectiveness against ransomware and other potential attack methods, as well as updated to reflect the current cyber threat environment
- Ensure the organization has a security awareness training program in place with proactive testing, including screenshots of what to look out for. Clear guidance should be provided on the immediate steps alongside incident reporting guidelines. This should be communicated to all users and third parties who connect to the organization’s network
- Ensure regular, tested backups are in place to mitigate the effects of a possible infection and speed the recovery process, instead of succumbing to ransom payment demands
- Seek assurance from third parties who connect to your network that they are following similar measures and are appropriately protecting themselves
- Implement endpoint monitoring, giving security operations teams the visibility into malicious behavior occurring in the environment
- Identify critical systems and data and confirm that these are connected to the Internet only when necessary
- Make sure to test the security program with frequent penetration tests across the estate
- Review how proactive security monitoring of the entire environment via a Security Operations Center (SOC) could enable faster detection and response to incidents
Response considerations in the event of an attack
If an organization believes it is compromised, or is in the process of being compromised, then the following activities can help to provide a rapid response, damage containment and communications to end users:
- Disconnect infected machines from the network and take all backups offline; backups could become encrypted as well if left connected to the network
- EY member firms can be quickly mobilized to help companies:
  - Forensically analyze network and host systems to detect early indications of penetration by ransomware, allowing more rapid response and remediation
  - Forensically detect, identify and contain ransomware malware based on previous experience with ransomware negotiations and ransomware eradication; forensically circumvent ransomware and/or recover data from damaged systems and/or backups, and verify that recovered data are clean of ransomware contamination
  - Forensically image and preserve highly sensitive impacted machines to help ensure the systems and data are not destroyed by ransomware
  - Collect and preserve IT and business evidence in a forensically sound manner, and then deliver internal or stakeholder investigations and support disputes with customers and service providers, as well as regulatory reporting requirements
- Activate your incident response plan and don't treat the investigation as merely an IT issue; the investigation team should have cross-functional representation, such as legal, compliance, information security, business, PR and HR
- Identify and address vulnerabilities in the environment, harden the environment sufficiently to complicate the attacker's effort to get back in, enhance the ability to detect and respond to future attacks, and prepare for eradication events
- Activate your business continuity plan, and prepare data based on the varying requirements for regulatory inquiries or civil suits