Lessons learnt from the global NotPetya/ExPetr ransomware attack

Twitter-based information security pundit ‘the grugq’ recently tweeted the idea that ransomware authors, AKA criminals, are “doing more to advance the state of cyber-security readiness than the last 10 RSA conferences.”

Now, it’s very difficult to measure the effectiveness of a conference from that angle, given the number of variables involved and the impossibility of measuring and comparing the cyber-security readiness of attendees’ companies before and after the conference.

But it’s very difficult to deny that WannaCry and NotPetya/ExPetr have made the dangers ransomware poses to business plain, and have pushed it further up the boardroom agenda.

It has been widely reported that shipping giant A.P. Moller-Maersk was affected by NotPetya so badly that the firm was forced to communicate via WhatsApp, and that it has seen losses of around $300 million USD.

That alone should have been a very difficult conversation for the Maersk board of directors.

So what are the universal lessons learnt from the NotPetya ransomware attack?

Having software fully patched with the latest updates from the software manufacturer will go a long way towards reducing a network’s attack surface. In the case of NotPetya, several samples were collected of the malware propagating via PDF and Word attachments.

Legitimate tools are being used to gain entry, and because they are legitimate the activity often goes undetected. ExPetr has been shown to use two Windows administration tools: Windows Management Instrumentation Command-line (WMIC) and PsExec.

Credential abuse should be high up on the priority list, as malware has started to sniff passwords. ExPetr is said to have used the Mimikatz toolset to obtain user login credentials in plain text, including local admin accounts and domain users across networks.
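The two lessons above (abuse of WMIC and PsExec, and Mimikatz-style credential theft) share one defensive answer: they leave traces in process telemetry that a detection rule can catch. The following is an added example, not code from the original article; it runs three simple rules over constructed Sysmon-like JSON events (not real logs). The allowlist of processes that legitimately touch LSASS and the payload file name are assumptions for the demo.

```python
import json

# Constructed sample telemetry in a Sysmon-like JSON-lines shape. These are
# not real logs and the payload name is a placeholder, not a NotPetya IoC.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
                "Image": "C:\\Windows\\System32\\notepad.exe",
                "CommandLine": "notepad.exe report.txt"}),
    json.dumps({"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
                "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
                "CommandLine": "wmic /node:\"10.0.0.7\" /user:\"CORP\\admin\" "
                               "process call create \"C:\\Windows\\example-payload.dll\""}),
    json.dumps({"EventID": 1, "Computer": "SRV02", "User": "NT AUTHORITY\\SYSTEM",
                "Image": "C:\\Windows\\PSEXESVC.exe",
                "CommandLine": "C:\\Windows\\PSEXESVC.exe"}),
    json.dumps({"EventID": 10, "Computer": "WS01",
                "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
                "TargetImage": "C:\\Windows\\System32\\lsass.exe",
                "GrantedAccess": "0x1010"}),
    json.dumps({"EventID": 10, "Computer": "WS01",
                "SourceImage": "C:\\Windows\\System32\\csrss.exe",
                "TargetImage": "C:\\Windows\\System32\\lsass.exe",
                "GrantedAccess": "0x1FFFFF"}),
]

# Assumed baseline of OS processes that legitimately open LSASS; tune per environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def detect(lines):
    """Return alert dicts for the patterns the article describes: remote WMIC
    process creation, the PsExec service binary running on a host, and an
    unexpected process reading LSASS memory (how plain-text credentials are lifted)."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:  # process creation
            image = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "").lower()
            if image.endswith("\\wmic.exe") and "/node:" in cmd and "process call create" in cmd:
                alerts.append({"rule": "wmic_remote_process_create", "host": host,
                               "user": ev.get("User"), "detail": ev.get("CommandLine")})
            elif image.endswith("\\psexesvc.exe"):
                alerts.append({"rule": "psexec_service_execution", "host": host,
                               "user": ev.get("User"), "detail": ev.get("Image")})
        elif ev.get("EventID") == 10:  # process access
            target = ev.get("TargetImage", "").lower()
            source = ev.get("SourceImage", "").lower()
            access = int(ev.get("GrantedAccess", "0x0"), 16)
            if (target.endswith("\\lsass.exe") and access & PROCESS_VM_READ
                    and source not in LSASS_ACCESS_ALLOWLIST):
                alerts.append({"rule": "lsass_memory_read", "host": host,
                               "user": None, "detail": ev.get("SourceImage")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

The LSASS rule keys on the PROCESS_VM_READ bit rather than on an exact access mask, because any tool that reads credentials out of LSASS memory needs that right; the allowlist is what keeps the rule quiet on a normal host, so it has to be built from your own baseline, not copied from here.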

Software update mechanisms are being hijacked by malware to help it spread. Microsoft says that ExPetr got in through the self-update function of the M.E.Doc tax accounting software, which is widely used in Ukraine, a country that was hit particularly hard by ExPetr.

A frequently tested and regularly exercised backup and recovery solution for all business systems and data should do most of the legwork in fighting ransomware and other malware attacks, whether WannaCry, ExPetr or otherwise.
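“Frequently tested” is the part that gets skipped. The following is an added example, not code from the original article: it records a SHA-256 manifest of a backup set and later verifies the set against it, so that a backup whose files were silently overwritten or deleted is caught before it is needed. The directory layout and file contents are constructed for the demo; in practice the manifest is kept offline, away from the data it describes.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, '/'-separated) to its SHA-256 at backup time."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk with the stored manifest.
    'modified' covers files whose content changed (e.g. encrypted in place),
    'missing' covers deleted members, 'unexpected' covers files not in the manifest."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for rel in build_manifest(root):
        if rel not in manifest:
            report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest, damage the backup set, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2017-06-27,100\n")
        (backup / "finance" / "invoices.db").write_bytes(b"\x00" * 4096)
        (backup / "readme.txt").write_text("quarterly backup set\n")
        # Serialise and reload to mimic a manifest stored separately from the data.
        stored = json.loads(json.dumps(build_manifest(backup)))
        # Simulate damage: one member overwritten with junk, one deleted, one stray file added.
        (backup / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (backup / "finance" / "invoices.db").unlink()
        (backup / "stray.tmp").write_text("not part of the backup\n")
        return verify_backup(backup, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore test goes one step further than this check: after verifying the manifest, actually restore the set to a scratch system and confirm the application starts, because an intact backup of the wrong thing is still a failed recovery.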