In May, a massive ransomware attack swept through 99 countries, hobbling government offices, universities and an estimated 75,000 businesses in vital sectors like banking, healthcare, energy and travel. At the time, cybercrime experts warned WannaCry might be only the proverbial tip of the spear.
They were right. On Tuesday, another global attack disrupted primarily Russian, Ukrainian and Polish companies, including gargantuan Russian petrochemical company Rosneft, the Chernobyl nuclear power plant and the Ukrainian central bank and state power company. WPP, a British advertising company that ranks among the largest in the world, also was hit, as were Danish shipping giant Maersk and American pharmaceutical company Merck.
Although the ransom the malware demanded was not onerous — averaging the cryptocurrency equivalent of about U.S. $300 per affected computer — the scope of the attack was stunning. So was the software itself. Researchers initially identified the bug as a variant of the Petya ransomware that emerged last year, but Russian cybersecurity firm Kaspersky Lab later said the malware, though similar to Petya in some respects, appears to be something entirely new. They dubbed the virus “NotPetya” and revealed its sphere of disruption to be far larger than initially thought, stretching throughout Europe, the Baltic states and the Americas.
NotPeya seems to have spread through the same Windows holes WannaCry used, revealing how many companies and governments neglected to update their Windows systems, possibly because WannaCry was caught and disarmed so quickly. This time, the bug targeted primarily large, multinational firms and infrastructure providers, both of which categories often find patching systems difficult because they cannot afford to have any components offline.
If financial gain was the goal of the NotPeya attacks, the cybercriminals behind the game were disappointed. By late Tuesday afternoon, the Bitcoin address used to collect ransom payments had received only 3.15 BTC, or roughly U.S. $7,497. Most of those payments can be traced to cybersecurity researchers.
To date, WannaCry has collected about $150,000. By comparison, 2014’s CryptoWall netted its masters U.S. $325 million. In 2015, the worldwide combined ransomware take was an estimated U.S. $24 million.
The hauls may be decreasing, but the risks are escalating. Some researchers suggest both WannaCry and NotPetya represent rehearsals for larger and more sinister events that may loom in the near future.
What can companies do to protect themselves?
Back up everything daily — software systems as well as data. Run routine tests of the backups to ensure they can be restored in the event of a catastrophic loss.
Don’t open email attachments or click suspicious links. Most ransomware attacks employ the “spray-and-pray” system of spamming every address they can find with emails bearing malicious attachments. Often, the carrier email seems legit; perhaps even masquerading as contact from a friend or business associate.
One adult company warned its affiliates about just such a scam on Tuesday, as a matter of fact (links disabled):
[Company] members recently reported having received the following email from payments@[company].com and sales@[company].com:
We have your invoiced ready, on our Invoice Portal.
Click below to view it online:
Invoice 10201532For any questions, get back to me at payments@[company].com
Please note that this email is not being sent from [Company], it is imperative that you do not click on any of the links provided should you receive one.
Our team is working on resolving the issue as quickly as possible.
Patch and block. Apply operating system patches as soon as they are released, and make sure cybersecurity systems and antimalware products are up to date. Don’t rely on protection from any one system alone. Only two antimalware products detected Tuesday’s NotPetya attack. The most effective defense is a combination of both patches and malware blockers.
Disconnect. According to Adam Alessandrini’s Ransomware Hostage Rescue Manual (free PDF here), administrators who suspect their systems have been compromised should disconnect infected components from the network and disable Wi-Fi and Bluetooth to prevent dissemination via those channels.
