Envista Forensics talks Petya and NotPetya
August 02, 2017
Petya and NotPetya: Mixed Motives in Ransomware and Cyber Vandalism
Ransomware attacks are devastating companies around the globe. They are designed primarily to encrypt the files on a victim's electronic devices and to extort money in exchange for decrypting them. At least that is the common scenario, but the motives of attackers can be difficult to ascertain, and with the recent Petya (2016) and NotPetya (2017) attacks there seems to be little motive beyond wreaking havoc.
First, what are Petya and NotPetya? Without getting overly technical, Petya is encrypting ransomware first discovered in 2016, malicious code designed to extort money from those it infects. NotPetya, a variant of Petya, was first observed in June of this year, when a major cyberattack affected large parts of Europe and the United States.
Now, how are Petya and NotPetya different? Petya’s encrypting malware targeted Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.
While this summer's NotPetya cyberattack was sophisticated in terms of deployment and capabilities, its ability to collect funds from those affected disintegrated quickly after it was deployed. This quick-spreading variant has affected energy companies, power grids, public transportation systems, airports and banks, and its intent appears to be to damage and destroy, not to extort funds.
Why is NotPetya so devastating? Petya was a criminal enterprise with a financial motive: an affected person or business that lacked the proper backups and IT infrastructure to repair the damage themselves could possibly recover by paying the ransom demand for the decryption keys. With NotPetya, paying the ransom is not a way out, so if no other recovery method is available, recovery halts entirely. Unfortunately, NotPetya leaves those infected with no means of receiving the key necessary to restore the affected files.
NotPetya is destructive for the sake of destruction alone. Whatever the motive, for the affected party it makes little difference. Whether the end goal for the aggressor is financial gain or anarchy, ransomware continues to be a serious problem for organizations of all sizes.
What is being done and what can you do? Our cyber experts are on the front lines dealing with the aftermath of these ransomware attacks, assisting breach coaches with investigations and advising adjusters on how to bring an insured back to pre-loss condition. Anecdotally, these experts agree that ransomware is not reserved for the Fortune 500; it also hits accountants, law firms, and small businesses of all kinds. If you think you are not a target, think again: everyone is a target. Here are a few expert tips that Envista's Cyber team recommends every company follow:
- Keep a good backup of all business-critical files, stored off the network
- Keep systems patched with vendor updates, many of which are rated critical
- Be sure your company's disaster recovery plan includes cyberattack mitigation
- Evaluate your risk and research cyber insurance policies
- Contact reputable cyber forensics experts as soon as you think your systems or data may have been compromised