4 critical steps organizations must take for ransomware defense
by Noa Arias, Director of Marketing, Semperis
The NotPetya attack took the world by storm when a compromised update of M.E.Doc financial software spread the virus across major corporations in Europe, encrypting files and demanding bitcoins in exchange for file decryption. Upon further investigation, impacted companies learned there was no way to decrypt infected files and spent days and, in some cases, weeks trying to repair the damage. The real shocker? The astronomical costs associated with virus-related downtime. As each impacted organization reported its quarterly results, it became evident that the total monetary impact of the NotPetya virus was more than a billion dollars.
While the NotPetya ransomware authors may have asked for 100 bitcoins (or $250K in regular currency) in exchange for decrypting victims' files, the actual cost of the attack was exponentially greater. The virus hit industry giants Maersk, FedEx, Mondelez, Reckitt-Benckiser, and Merck hardest, halting operations and leading to a combined estimated loss of over $1.2B. In addition to financial losses, both Mondelez and Reckitt-Benckiser said goodbye to a few C-level executives post-attack.
Preventing Ransomware Attacks
Ransomware attacks on enterprises are escalating in both frequency and complexity. As seen in the Petya/NotPetya attack, cyberattackers are employing more sophisticated methods of attack, spreading malware through enterprise software (i.e., accounting software) to maximize reach and impact. Subsequently, the total average cost of cybercrime is increasing at a rate of 23% annually, mostly due to information loss and business disruption.
Enterprises that employ identity and access management (IAM) technology are able to save, on average, roughly $2.4MM in cybercrime costs. Therefore, to protect against ransomware attacks and the associated costs, organizations need to put in place systems and processes to protect their enterprise identity. This includes:
- Solid Patch Deployment Processes: NotPetya was able to infect victims through a Windows SMBv1 vulnerability dubbed “EternalBlue”. Microsoft had released a security update, MS17-010, to resolve the SMBv1 vulnerability just three months prior to the Petya attack which, had it been deployed, would have prevented the spread of the virus for the companies that were attacked.
- Employee Education: According to the Verizon Data Breach Investigations Report, more than half of all malware attacks are caused by malicious email attachments, so training employees to recognize and report any suspicious email activity is crucial in preventing malware attacks.
- Proactive Monitoring: Real-time auditing of your IT environment will alert you to suspicious behavior and help you detect potential threats prior to a full-blown ransomware attack.
- Disaster Recovery: Implementing a robust Disaster Recovery plan is the last, but most critical, step in protecting against ransomware. If you have a strong backup and recovery solution in place and are hit by a ransomware attack, you can simply restore your encrypted files from backup.
Last, but not least, if you are ever hit by a ransomware attack, never ever pay the ransom because there’s no guarantee that the attacker will decrypt the files. Reports indicate that NotPetya was actually wiper malware, and not ransomware, and no amount of money could have reversed the damage caused by the virus.
About the Author
Noa Arias is Director of Marketing at Semperis, an enterprise identity protection company that enables organizations to quickly recover from changes and disasters that compromise Active Directory. Prior to joining Semperis, Noa held senior marketing roles spanning technology startups, consumer goods, and financial services. She received her BA from Columbia University and MBA from NYU’s Stern School of Business, with concentrations in marketing and strategy. Noa can be reached online at email@example.com, or on Twitter @SemperisTech, and at the company website https://www.semperis.com.