Ransomware Gone Wrong: NotPetya and the story of Maersk
How Ransomware typically works
• Phishing email
• Malware installed; files encrypted
• Infection spreads across network
In 2017, 45% of US companies hit with a ransomware attack paid the hackers, but only 26% of those had their files unlocked. — SentinelOne, 2018
Glossary of Terms
• OS: Operating System; like Windows 10
• SMB: Server Message Block; Microsoft file sharing protocol
• MBR: Master Boot Record; required for a computer to boot into the OS
• Logic Bomb: a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
• Domain Controller: Microsoft server that defines and controls the central database for all network resources and users.
June 27, 2017
• 0500-0600 EDT: Reports begin coming in that systems are down. Maersk is one company that issues a report.
• 0800-1000 EDT: Various antivirus companies begin releasing reports of the attack along with details about how it is spreading, and recommend preventative measures.
• 12:00 EDT: Ukraine’s police confirm MeDoc, an accounting software package, as a NotPetya infection vector. The company denies this.
• 13:00 EDT: Security researchers begin to share ways by which affected users and businesses can counteract the ransomware.
• 17:00 EDT: Reports that victims who have paid the NotPetya ransom are not getting the decryption key.
It took 45 seconds to bring down the network of a large Ukrainian bank.
Meanwhile at Maersk
• Gates in and out of Maersk shipping terminals down
• Shipping halted at 17 ports globally
• Disruption lasts 7 days
Recovery by the numbers
• 400 Staff
• 200 Consultants
• 10 Days
• 4,000 Servers
• 45,000 Computers
• $300 Million
Who was responsible for NotPetya? How does NotPetya work?
A Brief History Lesson
“To date, it was simply the fastest-propagating piece of malware we’ve ever seen”
NotPetya Payload
• Overwrites the Master Boot Record
• Forces a system reboot and does not boot the OS
• Encrypts users’ files and makes them unrecoverable
• Provides no mechanism to pay the ransom
• Spreads rapidly
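The first payload bullet, as an added defender’s example that is not from the slides: a Python check that parses a 512-byte MBR and compares its boot-code hash against a baseline recorded while the machine was known good, so an overwritten boot sector shows up as a concrete finding. The sample MBR images, the placeholder boot-stub bytes and the baseline hash are all constructed here; on a real system the 512 bytes would be read from the first sector of the boot disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte MBR image for offline testing (not a real disk dump)."""
    boot = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    # One active (0x80) partition of type 0x07 starting at LBA 2048, 1 GiB of 512-byte sectors.
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 2097152)
    table = entry + b"\x00" * (16 * 3)   # remaining three slots unused
    return boot + table + BOOT_SIGNATURE


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into boot-code hash, used partition entries and a signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_SIZE + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(PARTITION_ENTRY, data[off:off + 16])
        if ptype != 0:   # partition type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": data[510:] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(data: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare an MBR against the recorded baseline; returns findings, empty if nothing changed."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition in table")
    return findings


# Constructed known-good image and the baseline hash a defender would record beforehand.
KNOWN_GOOD = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # placeholder boot-stub bytes
BASELINE_HASH = parse_mbr(KNOWN_GOOD)["boot_code_sha256"]

# Constructed tampered copy: boot code replaced, partition table left intact.
TAMPERED = b"\x90" * BOOT_CODE_SIZE + KNOWN_GOOD[BOOT_CODE_SIZE:]

if __name__ == "__main__":
    for name, image in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED), ("wiped", b"\x00" * MBR_SIZE)):
        print(name, check_mbr(image, BASELINE_HASH) or ["OK"])
```

The check only has value if the baseline hash was captured before the incident and is kept somewhere the affected host cannot alter; reading the sector from a clean boot medium or a forensic image avoids trusting the running OS.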
Lessons Learned
• Timely Patching
• Backup Everything
• Segmented Networks
• Downtime/Disaster Plan
• 2 Factor Authentication
Security Update for Microsoft Windows SMB Server (4013389)
Published: March 14, 2017
• Critical security update
• MS made patch available for end-of-life systems (Server 2000; Windows XP)
• Backup the whole network, not just data
• Store one backup off network
• Test restore from backup periodically
• Monitor backups daily
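The last three backup bullets, as an added example that is not from the slides: a Python audit that reads backup job log lines, flags jobs whose latest run failed, jobs with no off-network copy, and jobs whose last successful backup is older than a day, plus a test-restore check that hashes restored content against the value recorded at backup time. The key=value log format, the job names and the archive bytes are constructed for this example; a real backup product’s log layout will differ and the parser would be adapted to it.

```python
import hashlib
import shlex
from datetime import datetime, timedelta

# Constructed backup job log, one line per run (not from any real backup product).
SAMPLE_LOG = """\
2017-06-26T02:00:05 job=fileserver01 target=onsite status=OK
2017-06-26T03:10:41 job=fileserver01 target=offsite status=OK
2017-06-26T02:00:09 job=domaincontroller target=onsite status=OK
2017-06-24T03:12:00 job=domaincontroller target=offsite status=OK
2017-06-26T02:00:12 job=erp-db target=onsite status=FAILED error="disk full"
"""

# Point in time at which the audit is run (constructed to match the sample log).
AUDIT_NOW = datetime(2017, 6, 26, 8, 0, 0)


def parse_backup_log(text: str) -> list:
    """Turn key=value log lines into records with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = shlex.split(line)          # shlex keeps quoted values such as error="disk full" together
        record = {"timestamp": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            record[key] = value
        records.append(record)
    return records


def audit_backups(records, now, max_age_hours=24, required_targets=("onsite", "offsite")):
    """Per job: flag a failed latest run, a missing target, or a last success older than max_age_hours."""
    findings = {}
    for job in sorted({r["job"] for r in records}):
        job_findings = []
        for target in required_targets:
            runs = [r for r in records if r["job"] == job and r["target"] == target]
            if not runs:
                job_findings.append(f"no {target} backup recorded")
                continue
            latest = max(runs, key=lambda r: r["timestamp"])
            if latest["status"] != "OK":
                job_findings.append(f"latest {target} run failed: {latest.get('error', 'unknown error')}")
            successes = [r["timestamp"] for r in runs if r["status"] == "OK"]
            if not successes:
                job_findings.append(f"no successful {target} backup on record")
            else:
                age = now - max(successes)
                if age > timedelta(hours=max_age_hours):
                    hours = age.total_seconds() / 3600
                    job_findings.append(f"{target} backup stale: last success {hours:.1f} h ago")
        findings[job] = job_findings
    return findings


def verify_restore(restored: bytes, expected_sha256: str) -> bool:
    """Test-restore check: the restored bytes must hash to the value recorded when the backup was written."""
    return hashlib.sha256(restored).hexdigest() == expected_sha256


# Constructed archive content and the hash that would have been recorded at backup time.
SAMPLE_ARCHIVE = b"constructed archive contents for the restore test"
SAMPLE_ARCHIVE_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()

if __name__ == "__main__":
    report = audit_backups(parse_backup_log(SAMPLE_LOG), AUDIT_NOW)
    for job, issues in report.items():
        print(job, issues or ["OK"])
    print("restore verified:", verify_restore(SAMPLE_ARCHIVE, SAMPLE_ARCHIVE_SHA256))
```

Run daily, the audit turns the “monitor backups” bullet into a list of jobs that need attention; the restore check is what makes “test restore periodically” more than a successful-looking job status.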
Network Segmentation
Business Continuity
Downtime procedures: established in advance so that the most critical aspects of the business can keep functioning while systems are down.
2FA or MFA: Multi-factor Authentication
• Something you know: Username and password
• Something you have: Physical token (text or PIN or app that allows login)
Sources
• WIRED, August 2018 article
• Cybereason website
Questions / Discussion