How knowing the difference between Petya and NotPetya can help security pros block malware
The infosec lexicon got a new phrase in the wake of the Petya/NotPetya attacks: ransomworm.
Not to be confused with ransomware, NotPetya is a uniquely disguised and damaging attack on an organization’s information systems and data.
Just as important, the new type of attack is not over and, in fact, is already causing permanent damage.
As such, healthcare security teams need to fully understand NotPetya, what it is, what it can do, lessons learned to date, and what it means for the future of cybersecurity.
What’s a ransomworm anyway?
Petya is straight ransomware. That means it encrypts data and demands payment to unlock it. The recent NotPetya exploit, though, is a new variant of the Petya family of ransomware that has been substantially modified to include worm functionality, explained Rich Curtiss, managing consultant at Clearwater Compliance and a liaison who coordinates cybersecurity vulnerability projects with the NIST’s National Cybersecurity Center of Excellence.
“The worm increases automatic propagation of the malware exploit across local and extended networks,” Curtiss said. “Some researchers have placed this malware exploit in a new category called a ransomworm.”
NotPetya malware implements nearly identical master boot record and file encryption techniques to Petya, including a ransomware extortion screen. But the ransom demand appears to be a ruse: once a hard drive is corrupted, the data is not retrievable because there is no working method to pay the ransom. The ransom note points to a dead link, which indicates the attack was not the work of a cybercriminal organization looking to make a quick buck. This particular exploit was intended to disrupt and damage information resources and networks.
“The addition of the worm functionality allowed the malware to spread or propagate automatically and without human interaction by exploiting software vulnerabilities within the Windows operating system,” Curtiss said. “Microsoft has previously provided updates for the exploited vulnerabilities but many organizations have not updated their software.”
Ransomworm attacks like NotPetya move across networks through third-party affiliates or compromised applications extending the reach well beyond the initial target or industry, Curtiss added.
Many of the recent exploits are not terribly sophisticated but take advantage of a lack of appropriate cyber-hygiene, he said.
Infosec is a patient safety issue
There are already lessons healthcare organizations should learn from the initial NotPetya attacks.
“It is critical that healthcare make the connection between cybersecurity incidents and patient safety,” Curtiss warned.
That is an increasingly common, and important, refrain among hospital security executives of late. At the Privacy & Security Forum in San Francisco in May, in fact, Christiana Care Health System CISO Anahi Santiago specifically said that “information security is a patient safety issue.” And Virta Labs Chief Scientist Kevin Fu added that patient safety should be the top priority, with security an enabler of that.
“While protecting patient health information is important, safeguarding the patient is still job number 1,” Clearwater’s Curtiss agreed. “If a malware attack is successful it has the potential to compromise the ability to use electronic health record technology, force downtime procedures, impact diagnostic equipment, and compel hospitals to reject new patients.”
As NotPetya shows, malware attacks are not going away and, in fact, they are getting more inventive and sophisticated.
“This has created an imperative for healthcare organizations to take proactive measures to identify, prevent, detect, respond and recover from cybersecurity incidents including malware attacks,” Curtiss said.
NotPetya not over, wreaking permanent havoc, more to come
Since the initial attack in June, it has become clear that NotPetya left a lasting impression on some entities.
First, Princeton Community Hospital, in West Virginia, was forced to replace infected IT systems. Then FedEx revealed that its customers were experiencing widespread delays and that it may never be able to fully restore all of its infected systems.
What’s more, the function and goal of NotPetya signal coming mayhem for the future of cyberattacks.
“It is clear that we will see continued variation and updates to existing malware threats,” Curtiss said. “It is much easier to modify an existing form of successful malware than creating a new one. Once a malware threat is released into the wild, it is indiscriminate and is only constrained by appropriate cybersecurity safeguards.”
One common thread between ransomware and ransomworms is that some of the same cybersecurity best practices can help safeguard against both.
“It is vital that healthcare organizations master the fundamentals of information security,” he said. “Some of these, as they relate to this particular attack, include: timely patching of operating systems and applications; updating end-of-life operating systems and applications; robust, encrypted and frequent system back-ups; and application of safeguards and countermeasures that go a long way to keeping your organization safe and providing protection from most malware exploits.”