With cyber attacks, 'we're treating symptoms, not the root cause'

With Petya - or NotPetya - it’s possible there was never any real intention of collecting significant ransom.

10 July 2017

While Petya, or NotPetya, doesn't constitute a cyber attack, it demonstrates an utter lack of cyber defence. The vulnerabilities and techniques have been known for a long time, but never acted upon. Most organisations focus on defending against auditors, not attackers.

So says Saumil Shah, CEO of Net-Square Solutions, speaking of the large-scale ransomware attacks against some of Europe's largest brands and government bodies, including Ukraine's largest airport, state power distributor and national bank, as well as British multinational advertising and public relations company WPP and pharmaceutical giant Merck.

The duck test

The ransomware, dubbed by experts Petya, NotPetya, GoldenEye, ExPetr and PetrWrap, has been analysed by Forcepoint Security Labs researchers, who say the samples have passed the 'duck test', based on the premise that if it looks like a duck, swims like a duck and quacks like a duck, then it probably is a duck.

Forcepoint says the samples, like the historic Petya (a family of encrypting ransomware first discovered in 2016), have been seen to:

- encrypt files on disk without changing the file extension;
- forcibly reboot the machine upon infection;
- encrypt the Master Boot Record on affected machines;
- present a fake CHKDSK screen as a cover for the encryption process; and
- present a near-identical ransom demand screen after completing its activities.

“While the delivery and lateral movement mechanisms in this case are highly unusual, it seems plausible that the underlying ransomware code is a Petya variant attached to a novel propagation method,” says Forcepoint.

An evolutionary step forward

Cyxtera's chief cybersecurity officer, Chris Day, says: “This malware only has passing resemblance to Petya and thus should not be considered the same. This is much more sophisticated than both Petya and the recent WannaCry, and is using multiple propagation vectors, including emails with PDF and Word attachments, the same EternalBlue exploit used by WannaCry, as well as harvesting of credentials via a custom capability against the lsass process and subsequent use of WMIC to move laterally.”

Day adds that even machines patched against the EternalBlue exploit are still vulnerable if a user clicks on the email vector. This malware is nastier than WannaCry because, once it holds harvested credentials, it can continue to propagate even in fully patched environments.

Uri Rivner, VP Cyber Strategy at BioCatch, says the new ransomware attack is an evolutionary step forward, not a complete revolution. “In a similar manner to WannaCry, the attackers developed a grand scheme in which employee computers - probably not targeted specifically via spear phishing but rather randomly infected - were used as the entry point for a violent outbreak of the malware inside their corporate network, with the ultimate goal of spreading to as many PCs as possible and generating a significant ransom situation.”

A reactive approach

“The bottom line,” says Rivner, “is that in the last 10 years, the state of PC vulnerability has not dramatically changed. PCs are still widely exposed to malware, employees still bring malware into the corporate network, patching is still a cumbersome process that leaves some chinks in everyone's armour, and while the cyber industry itself evolved considerably with many new technologies now available to the market, there are still plenty of chinks in the armour - and this is just another reminder.”

According to Shah, Petya's success is because defence still follows the “reactive security” approach, or security by compliance. He explains that attackers do not reuse strategies from one campaign to the next, nor the tactics themselves, nor even the way the attacks are monetised.
He says they are constantly being adapted, so reactive technologies cannot hope to work in the long term. “Attacks succeed because today's defences are reactive.” In addition, Shah says Petya demonstrates an utter failure of security by threat intelligence feeds, security by machine learning and security by AI anti-virus.

“None of the billion-dollar infosec unicorns have detected the malware before it made its way through a large part of the cyber population. The world today is looking for instant gratification, patches, hot fixes, kill switches, and suchlike. Unfortunately, we are simply treating symptoms here, not the root cause.”

To pay, or not to pay

Forcepoint strongly recommends not paying the ransom. “There is no longer a mechanism to give the victim the decryption key for paying the ransom as the email address to communicate with the attacker has been deactivated. The payment mechanism is very weak and is linked to just a single email address, which is no longer accessible. Even if a victim were to pay the ransom into the appropriate bitcoin wallet the attacker now has no means to share the decryption key.”

Because the bitcoin account that was set up for ransom payments has already been taken down, there is no way for victims to get decryption keys even if they want to pay the ransom, says Day. “This hints at motive, in the sense there was possibly never any real intention of collecting significant ransom or of providing a decryption pathway.”
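Day's description above (credentials harvested from lsass, then WMIC used to move laterally) is the propagation path that still works on hosts patched against EternalBlue, so it is the one worth watching for in endpoint telemetry. The script below is an added example, not code from the article or from any vendor quoted in it. It runs a simple detection over constructed Windows process-creation records (the host, user, image and command-line fields that Sysmon Event ID 1 or Windows event 4688 with command-line auditing provide) and flags WMIC creating a process on a remote node, with or without explicit credentials, then looks for one host fanning out to many targets. The host names, user names, addresses, password and spawned commands are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon EventID 1 / Windows 4688 shape).
# Made up for this example; not captured telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-104", "user": r"CORP\alice", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic os get caption"},                                   # local, benign
    {"host": "WS-104", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.10.4.37" /user:"CORP\svc_backup" /password:"Summer2017!" '
                r'process call create "cmd.exe /c whoami"'},                # remote, explicit creds
    {"host": "FS-02", "user": r"CORP\admin", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /node:FS-03 /user:CORP\admin process call create notepad.exe"},
    {"host": "WS-210", "user": r"CORP\bob", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:WS-211 process call create "cmd.exe /c C:\ProgramData\update.bat"'},
    {"host": "WS-210", "user": r"CORP\bob", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:WS-212 process call create "cmd.exe /c C:\ProgramData\update.bat"'},
    {"host": "WS-210", "user": r"CORP\bob", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:WS-213 process call create "cmd.exe /c C:\ProgramData\update.bat"'},
    {"host": "WS-210", "user": r"CORP\bob", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},                                          # not wmic
]

# /node:<target> selects a remote machine; "process call create" spawns a process there.
NODE_RE = re.compile(r'/node:"?([^\s"]+)"?', re.IGNORECASE)
USER_RE = re.compile(r"/user:", re.IGNORECASE)
PASSWORD_RE = re.compile(r"/password:", re.IGNORECASE)
CREATE_RE = re.compile(r"\bprocess\s+call\s+create\s+(.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    source_host: str        # where wmic.exe ran
    actor: str              # account that ran it
    target: str             # /node: value, the machine being reached
    spawned: str            # command created on the target
    explicit_creds: bool    # /user: supplied (operator-held or stolen credentials)
    password_on_cmdline: bool  # /password: supplied, so the secret is now in the log


def is_wmic(image: str) -> bool:
    """True if the image is wmic.exe in any directory (compares the file name only)."""
    return image.lower().rsplit("\\", 1)[-1] == "wmic.exe"


def inspect_event(ev: dict):
    """Return an Alert if this event is WMIC creating a process on a remote node, else None."""
    if not is_wmic(ev["image"]):
        return None
    cmd = ev["cmdline"]
    node = NODE_RE.search(cmd)
    create = CREATE_RE.search(cmd)
    if node is None or create is None:
        return None
    return Alert(
        source_host=ev["host"],
        actor=ev["user"],
        target=node.group(1),
        spawned=create.group(1).strip().strip('"'),
        explicit_creds=bool(USER_RE.search(cmd)),
        password_on_cmdline=bool(PASSWORD_RE.search(cmd)),
    )


def detect(events):
    """Run inspect_event over every record and keep the hits, in log order."""
    return [a for a in (inspect_event(e) for e in events) if a is not None]


def fan_out(alerts, threshold: int = 3):
    """Source hosts that created processes on at least `threshold` distinct remote nodes.

    A single workstation reaching several peers this way is the worm-like
    pattern; one admin host reaching one server is usually routine.
    """
    targets = {}
    for a in alerts:
        targets.setdefault(a.source_host, set()).add(a.target)
    return {h: len(t) for h, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a.source_host} ({a.actor}) -> {a.target}: {a.spawned!r} "
              f"creds={a.explicit_creds} password_logged={a.password_on_cmdline}")
    print("fan-out:", fan_out(hits))
```

Two practical points follow from the example. First, the rule is useless without command-line capture: enable "Include command line in process creation events" for 4688 auditing, or deploy Sysmon, before relying on it. Second, any hit with `password_on_cmdline` set means the credential is now sitting in plain text in the event log and on every system that ingests it, so that account should be treated as exposed and rotated regardless of whether the WMIC use itself turns out to be legitimate.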
