Cyber Security Blog

“Petya, notPetya or Goldeneye – What’s Coming Next?”

Written by Allie Philpin | 7 July 2017

Amar Singh, CEO and founder of Cyber Management hosted an informative Webinar on Petya, nonPetya and Goldeneye including the minefield around whether Petya was ransomware, patching, playbooks and security controls to protect businesses and organisations, and if cyber attacks of this nature are going to increase.

 

Amar was joined by panelists Travis Farral, who is Director of Security Strategy at Anomali, a threat intelligence platform company; Peter Bassill, who is CEO at Hedgehog Security Ltd, a penetration testing and information security company; Steven Ditmore, Senior Engineer at DFLabs, an SOC and CSIRT orchestration and automation company; and Chris Payne, Managing Director at Advanced Cyber Solutions who specialise in information security.

Why Petya?

The Petya attack was initiated via an M.E.Doc update that was issued by Intellect Service. An interesting point it that it was launched the day before a public holiday in the Ukraine, which suggests that this was a planned attack, and there is further evidence that suggests there was more than just one nation behind Petya.

Although it appears that Petya was aimed at just the Ukraine, the fallout from the attack has affected many other countries. Peter Bassill from Hedgehog Security Ltd agreed, stating that the it was effectively propagated around the world, and that the code on the malware was well-written.

Travis Farral at Anomali found interesting that the malware didn’t have the ability to propagate outside Ukraine’s internal companies, but that it spread very quickly through the M.E.Doc accounting package that many business in the Ukraine use; yet this indicates that the attacker was trying to control who was affected.

Kaspersky suggested that Petya was also released via a Ukrainian news outlet, thereby being two sources of the initial infection. In addition, early estimates suggest that up to 60% of infected organisations worldwide were based in the Ukraine, so it was a highly targeted attack.

Amar suggest that if the attackers had attempted to spread the malware worldwide, could it have been more damaging? The panelists agreed. Travis Farral pointing out that the malware had the components to steal credentials and if it had been able to get a foothold, it could have spread rapidly. Peter Bassill added that although it’s hard to say whether the attack was deliberately contained, it did demonstrate weaknesses in supply chains, and the security management of those chains.

So, is it ransomware?

Travis Farral said yes, there is an argument for this as the malware has a robust system for containment, but was it intended to be destructive? Chris Payne believes Petya was well-executed malware but very badly executed ransomware.

What the malware does demonstrate is that coding is becoming increasingly advanced and the development practices by the ‘bad guys’ is getting better and better.

There have been suggestions that Petya is on a par with Stuxnet and Black energy. But is this so? Travis Farral agrees that there are some components that are similar and analysts findings so suggest that it is possible, but not conclusive. However, Peter Bassill disagrees, pointing out that if you take the malware apart and break it down, there is nothing new. It is more of a mish-mash of concepts and ideas from other attacks, all put together.

Amar went on to ask the panelists opinion on the development lifecycle of current malware attacks. Travis Farral points out that Petya is exceedingly well developed and tested, but there are other areas of the malware that appeared rushed, as in being deployed than perhaps wished, which could go some way to explaining why some elements were better than others.

But are cyber attacks becoming an act of war?

Whilst Travis Farral believed that yes, malware attacks on specific nations could be seen as this, he also pointed out that there is the attribution. Steven Ditmore agreed; unless you know where the source is from, it’s hard to decipher where the attack originated from. It was also highlighted by Chris Payne that international diplomacy is at stake, particularly if you start finger-pointing based on cyber attacks when you can’t guarantee where those attacks came from.

“Does patching remain the most important control against ransomware?”

The panelists and the audience were in agreement with 85% of the audience voting ‘yes, it is but don’t forget other controls’.

Peter Bassill added that the average time to release malware following Microsoft Patching Tuesday has reduced massively over the past few years.

notPetya and Wannacry are just the beginning of large scale ransomware/wipeware attacks - yes or no?

The audience was asked the question: “notPetya and Wannacry are just the beginning of large scale ransomware/wipeware attacks – yes or no?”

The overwhelming response was 96% of the audience voting yes!

Chris Payne added that he believes it is the beginning of people waking up to large scale ransomware attacks, but it isn’t new. In 2006 there was a 600% increase in ransomware infections globally, but attacks such as Eternal Blue and Wannacry have raised awareness.

Steven Ditmore pointed out that different methods, different usages of different enhancements of technology will always increase as new devices and networks expand. It opens up new holes and it’s a case of understanding this as malware gets bigger and stronger.

Can we keep blaming the audience?

Amar raised the human element in malware infections. Just over half, 56%, of the audience said that you can’t keep blaming the human, and companies have got to help them in another way. Travis Farral agreed; it only takes one person opening one phishing email that contains a malware like Petya to become infected, rendering the statistic of how many didn’t open the email irrelevant.

To hear more from the panelists on the important of threat intelligence as a part of defense and response mechanisms, should we as a nation should retaliate against cyber attacks – 58% of the audience said yes, if we know who attacked us, then we should retaliate – and whether the Kill Switch still works, view our Webinar in full here, led by Amar Singh and featuring Anomali, Advanced Cyber Solutions, DFLabs and Hedgehog Security Ltd.

NOTE: The crowdsourced document mentioned in the Webinar can be found at http://hubs.ly/H07ZYLG0. There are examples of playbooks that can be downloaded as well as valuable information from contributers.

For more information on Cyber Management Alliance, their GCHQ Certified CIPR training and other courses, webinars, Wisdom of Crowds live and virtual events, and their Insights with Cyber Leaders series of executive interviews, contact us today.