I think the important point that has been discovered is that this NotPetya is not ransomware. Kaspersky Lab states that to decrypt an infected system, the threat actors need the installation ID. However, NotPetya does not have that installation ID (the ‘installation key’ in the ransom note is just random gibberish), which means that the threat actor could not extract the information needed for decryption. So there is no way to reverse the damage.
SecureList (2017) has determined that the campaign was designed as a wiper pretending to be ransomware. Kaspersky confirms that a modified EternalBlue exploit (CVE-2017-0144) is used for propagation. It primarily targeted businesses in Ukraine, Russia and Western Europe, specifically attacking Ukrainian computers, identifying them by seeking evidence of a program that every Ukrainian business needs to run as part of the national tax payment system. I think the following graphic backs this up:

I guess the hackers could be blamed, or maybe even the NSA, but come on! After the WannaCry ransomware attack back in May, the systems should have been patched to fix CVE-2017-0144. Is this just another example of a poor risk management process or a lack of auditing?
So I will close by saying: for an initial attack, blame the bad guys. In subsequent attacks, when a patch is already available, should the target take some or all of the blame for poor IT security processes?
BoingBoing. (2017, June 29). That "ransomware" attack was really a cyberattack on Ukraine. Retrieved from: https://boingboing.net/2017/06/29/pnyetya.html
Kaspersky Lab. (2017, June 28). New Petya / NotPetya / ExPetr ransomware outbreak. Retrieved from: https://blog.kaspersky.com/new-ransomware-epidemics/17314/
SecureList. (2017, June 27). Schroedinger’s Pet(ya). Retrieved from: https://securelist.com/schroedingers-petya/78870/