Petya Learns its WannaCry Lesson

June 27, 2017, 3:49 p.m.
Michela Menting, Research Director

Share:

The rapid spread of the Petya ransomware is unfortunate yet unsurprising. The WannaCry attack should have been a wake-up call for organizations worldwide of the ease with which malicious actors are profiting from increased connectivity and shoddy cybersecurity. Instead, it provided a valuable case study to cybercriminals about the widespread damage even a mediocre ransomware campaign can inflict. While the components of WannaCry ransomware itself (such as the use of the NSA’s EternalBlue exploit) were sophisticated, the kill switch revealed its Achille’s heel; and one that was inadvertently discovered by security professional MalwareTech relatively early into its global infection.

For Petya, the threat actors learned the lesson. They did a better job avoiding such vulnerabilities in their malware package than organizations did in patching WannaCry. Petya does not use anything particularly new, nor does it look to attack highly secured systems. Instead, it is a multi-layered package, with various components and instructions to work in a variety of situations. It targets exploits and vulnerabilities that should have been already addressed, at the very least since WannaCry.  Microsoft had provided special fixes to tackle EternalBlue in the past few months, including for older, unsupported operating systems (XP, 8, Server 2003). The ransomware spreads laterally using SMB over LAN – and reuses credentials to get into systems that have poor access control (simply because authentication mechanisms are always laxer inside networks). The SMBv1 protocol targeted is over 30 years old and even Microsoft has been warning against its use for some time. The ransomware includes various exploits used in older malware, including Finspy, Dridex, and Loki Bot.  All of these various elements are already known in the security industry, and yet WannaCry revealed how poorly organizations were prepared. And the threat actors know this.

It hasn’t helped either that a South Korean company recently revealed having paid $1 million in ransom this month; nothing like a lucrative payout to attract the unscrupulous. The digital landscape is bone dry in terms of security, and just one small ignition can start a cyber wildfire. This will not be the last of the ransomware attacks. The cybercriminal underground, perpetrators and competitors alike, will watch the current attack unfold and learn new lessons from it; unfortunately, this will form and incentivize the next ransomware iteration, and allow the delivery of a better, more vicious cyberattack. With the increasing digitization of systems and networks, including the connection of operational technologies such as control systems through the internet of things, these attacks will continue, amplified and ever more successful in disrupting cyberspace.