Petya cyber attack
EY response to the global cybersecurity incident
August 2017



What happens when you are infected

• System does not boot up to Windows but instead shows a monochrome message with the following content: “If you see this text, then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking for a way to recover your time, but don’t waste time. Nobody can recover your files without our decryption service.”

Additional Information

• Petya used hijacked software updates for an accounting software as a vector of attack, which points to the attackers favoring a more targeted approach than WannaCry. Phishing emails may also have been used as an attack vector.

• Once on a machine, Petya uses a modified version of Mimikatz to pull credentials from memory and then uses PsExec and WMIC to infect other machines. After a set time, it starts the encryption process.

• Two SMB exploits stolen from the NSA (EternalBlue and EternalRomance), the Windows tools PsExec and WMIC, and credentials stolen from victim machines were the methods used to spread from machine to machine.

• The malware encrypts not only files but also the hard drive’s MBR and MFT, rendering the system unbootable and making attempts to retrieve samples and decrypt files impossible.

• It seems the malware, or most of its components, needs administrative rights to run. Organizations should review their privileged access policies and ensure they are enforced adequately.
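The spread mechanism described in the bullets above (credentials pulled from memory, then PsExec and WMIC used to reach other machines) leaves traces in ordinary Windows logging that a security operations team can look for. The following is an added example, not code from EY or from this brochure: a Python pass over constructed Windows event records that flags the PsExec service installation (System log event 7045 with service name PSEXESVC), a WMIC remote process creation (Security log event 4688 whose command line carries `/node:` and `process call create`) and a Sysmon process-access event (event 10) whose target is lsass.exe. The host names, file paths and the records themselves are invented for the example; the event IDs and the PSEXESVC service name are standard Windows and Sysmon values.

```python
"""Added example (not EY's code): flag the lateral-movement traces that the
brochure attributes to Petya in Windows event records.

Sample records below are constructed for this demonstration; the event IDs
(System 7045, Security 4688, Sysmon 10) and the PSEXESVC service name are
standard Windows / Sysmon values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    host: str       # reporting host
    channel: str    # event log channel
    event_id: int
    message: str    # rendered message text


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


# Constructed sample records. Host names and file paths are invented.
SAMPLE_EVENTS: List[Event] = [
    Event("FIN-WS01", "Microsoft-Windows-Sysmon/Operational", 10,
          "Process accessed: SourceImage: C:\\Users\\Public\\stage.exe "
          "TargetImage: C:\\Windows\\system32\\lsass.exe GrantedAccess: 0x1010"),
    Event("FIN-WS02", "System", 7045,
          "A service was installed in the system. Service Name: PSEXESVC "
          "Service File Name: %SystemRoot%\\PSEXESVC.exe Service Type: user mode service"),
    Event("FIN-WS01", "Security", 4688,
          "A new process has been created. New Process Name: "
          "C:\\Windows\\System32\\wbem\\WMIC.exe Process Command Line: "
          "wmic /node:FIN-WS03 /user:FIN\\svc_backup process call create "
          "\"C:\\Windows\\stage.exe\""),
    Event("FIN-WS02", "Security", 4688,
          "A new process has been created. New Process Name: "
          "C:\\Windows\\System32\\notepad.exe Process Command Line: notepad.exe"),
    Event("FIN-WS03", "System", 7045,
          "A service was installed in the system. Service Name: PSEXESVC "
          "Service File Name: %SystemRoot%\\PSEXESVC.exe Service Type: user mode service"),
    Event("FIN-WS04", "System", 7045,
          "A service was installed in the system. Service Name: CorpBackupAgent "
          "Service File Name: C:\\Program Files\\Backup\\agent.exe"),
]

SERVICE_NAME = re.compile(r"Service Name:\s*(\S+)", re.IGNORECASE)
# "wmic /node:<host> ... process call create <cmd>" is a remote process creation
WMIC_REMOTE = re.compile(r"/node:\s*(\S+).*?\bprocess\s+call\s+create\b", re.IGNORECASE)
LSASS_TARGET = re.compile(r"TargetImage:\s*\S*\\lsass\.exe", re.IGNORECASE)


def analyze(events: List[Event]) -> List[Finding]:
    """Apply the three detections to a list of events and return every hit."""
    findings: List[Finding] = []
    for ev in events:
        if ev.event_id == 7045:
            m = SERVICE_NAME.search(ev.message)
            if m and m.group(1).upper() == "PSEXESVC":
                findings.append(Finding(ev.host, "psexec_service_install",
                                        "PsExec service PSEXESVC installed"))
        elif ev.event_id == 4688 and "wmic.exe" in ev.message.lower():
            m = WMIC_REMOTE.search(ev.message)
            if m:
                findings.append(Finding(ev.host, "wmic_remote_process_create",
                                        f"remote target {m.group(1)}"))
        elif ev.event_id == 10 and "sysmon" in ev.channel.lower():
            if LSASS_TARGET.search(ev.message):
                findings.append(Finding(ev.host, "lsass_memory_access",
                                        "process opened a handle to lsass.exe"))
    return findings


def hosts_with_psexec(findings: List[Finding]) -> List[str]:
    """Hosts on which the PsExec service appeared: the footprint of the spread."""
    return sorted({f.host for f in findings if f.technique == "psexec_service_install"})


def count_by_technique(findings: List[Finding]) -> Dict[str, int]:
    """Per-technique hit counts, useful as a triage summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.host:9} {h.technique:28} {h.detail}")
    print("PsExec landed on:", ", ".join(hosts_with_psexec(hits)))
```

The WMIC rule deliberately keys on the `/node:` switch rather than on WMIC.exe alone, because local WMIC use is common in administration scripts; the 7045 rule matches on the service name so that a renamed PsExec binary still shows up as long as the default service name is kept. Event 4688 only carries the command line when command-line auditing is enabled, so that setting is a prerequisite for the second detection.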

Executive summary

On 27 June 2017, a global cyber attack campaign called Petya (also being called Petwrap, NotPetya, Petna and GoldenEye) impacted organizations across a wide range of sectors, including financial services, power and utilities, media, telecom, life sciences, transportation, as well as government agencies. While organizations in countries around the world were affected — including the United States, Netherlands, France, India, Spain and Russia — Ukraine seems to have been the first (and hardest-hit) country affected by the attack due to the use of an auto-update feature of M.E.Doc software required for tax calculation by any company operating in Ukraine. The ransomware successfully infected several of its banks as well as media outlets, energy companies, government agencies, airports and radiation monitoring equipment within the Chernobyl power plant.

It is the second major malware campaign after the WannaCry outbreak in May 2017. Although initially characterized as very similar to that attack, this outbreak is notably different, particularly in the way it spreads and encrypts victims’ data.

While WannaCry relied on its worm-like behavior to spread across the Internet, Petya was less virulent, using a hijacked software update as the initial infection vector and lacking the ability to spread across the public Internet from victim to victim. Once inside the network, however, Petya is more sophisticated and nefarious than WannaCry. It subsequently leverages several additional hacking tools to gather credentials from the infected computer’s memory, before spreading to other machines using legitimate and well-known Windows system administration tools such as PsExec and WMIC as well as two leaked NSA tools that rely on SMB exploits. It does this for about an hour before rebooting and encrypting the system and/or the files.

Finally, researchers are having moderate success with what they are calling a “vaccine”, where placing a file in the Windows directory (C:\Windows\perfc) causes the malware to stop executing.
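The “vaccine” described above comes down to a file check, and the following is an added example (not EY's code) that audits and applies it: it reports whether a file named perfc exists in the Windows directory and is read-only, and creates it read-only when asked. The directory is a parameter so the functions can be run against any folder; when the script itself runs on Windows it takes the real directory from the WINDIR environment variable. Since the page reports only moderate success for this measure, it complements patching and segregation rather than replacing them.

```python
"""Added example (not EY's code): audit and apply the 'perfc' vaccine file
described in the brochure. The Windows directory is a parameter so the
functions can be exercised against any folder, including a temporary one."""
import os
import stat

VACCINE_NAME = "perfc"   # file name the brochure gives: C:\Windows\perfc


def vaccine_status(windir: str) -> dict:
    """Report whether the vaccine file exists and whether it is read-only."""
    path = os.path.join(windir, VACCINE_NAME)
    if not os.path.isfile(path):
        return {"path": path, "present": False, "read_only": False}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # On Windows the read-only attribute clears the owner write bit in st_mode,
    # so the same test works on both platforms.
    return {"path": path, "present": True, "read_only": not (mode & stat.S_IWUSR)}


def apply_vaccine(windir: str) -> dict:
    """Create the vaccine file if it is missing and mark it read-only."""
    path = os.path.join(windir, VACCINE_NAME)
    if os.path.isdir(path):
        raise IsADirectoryError(f"{path} is a directory, not a file")
    if not os.path.exists(path):
        with open(path, "wb"):
            pass                       # a zero-byte file is sufficient
    # Read-only so the file is not trivially overwritten; S_IREAD sets the
    # read-only attribute on Windows and mode 0400 elsewhere.
    os.chmod(path, stat.S_IREAD)
    return vaccine_status(windir)


if __name__ == "__main__":
    import sys
    windir = os.environ.get("WINDIR", r"C:\Windows")
    status = vaccine_status(windir)
    print(status)
    # Writing into the Windows directory needs administrative rights.
    if "--apply" in sys.argv and not (status["present"] and status["read_only"]):
        print(apply_vaccine(windir))
```

Run without arguments the script only reports; `--apply` creates or hardens the file, which requires an elevated prompt because the Windows directory is not writable by standard users.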

Initial intelligence suggested this was yet another ransomware attack; however, it is now being widely reported that the malware used was not actually ransomware but more akin to a wiper malware that permanently encrypts all data on the infected systems. In fact, the malware appears to be purposefully designed to not include the capabilities to decrypt and recover the encrypted data. This means that even if victims paid the ransom they would not get their data back.

This would also support the theory that this cyber attack was not motivated by financial gain, but was intended to cause maximum destruction and disruption to targeted organizations.

Why is this attack significant?

The global scale of this attack confirms fears that WannaCry was not an isolated event and emphasizes the need for all companies to pay attention to security basics such as: reviewing and enforcing privileged access monitoring, keeping systems up-to-date with software patches, making regular backups of data and educating users around security best practices such as not clicking on suspicious links. Additionally, network segregation was an important factor in limiting internal lateral movement.

Further context

The Petya incident highlights the need for organizations to get the cybersecurity basics right. These include:

• First: identify and manage the organization’s cyber risks — with a specific focus on the priority cyber threats and breach scenarios that could disrupt operations or have other negative impacts on the organization.

• Second: continually educate the organization’s employees on good cybersecurity practices and the use of third-party assessment/assurance programs. Educate users on access rights policies, and enforce those policies via automated security controls.


• Third: maintain awareness of the cyber threat environment to the organization. Cyber criminals and other attackers are constantly evolving their methods to create ever more effective ways of exploiting vulnerabilities for monetary gain or disruption purposes — often this involves interfering with data integrity rather than compromising its confidentiality.

• Finally: maintain and regularly review the cybersecurity program. Doing so will help provide a strong foundation for building cyber resilience into your organization — restrict access rights, patch often, define your cyber incident response process, back up regularly and practice response scenarios, and segregate the network.

Adding Information Security considerations to vendor software and third party due diligence activities is becoming increasingly important, as highlighted by Petya’s reported use of a hijacked software patch for an accountancy software as an infection vector.

Remediating the issue

Preventive measures to reduce the risk of malware

EY member firms’ range of cybersecurity services, including proactive penetration testing, Cybersecurity and Managed Security Operations centers, can be leveraged to prevent a malware outbreak within an organization. Through these services, the following activities are recommended:

• Ensure vulnerability and patch management policies and procedures are up-to-date across the estate and are implemented through appropriate change control procedures. Where out-of-date and legacy operating systems are used, seek guidance from vendors on further steps.

• Maintain an effective enterprise incident response and business continuity plan that is tested and measured for effectiveness against ransomware and other potential attack methods, as well as updated to reflect the current cyber threat environment.

• Ensure the organization has a security awareness training program in place with proactive testing, including screenshots of what to look out for. Clear guidance should be provided on the immediate steps alongside incident reporting guidelines. This should be communicated to all users and third parties who connect to the organization’s network.

• Organizations must ensure regular, tested backups are in place to mitigate effects of possible infection and speed the recovery process in lieu of succumbing to ransom payment demands.

• Seek assurance from third parties who connect to your network that they are following similar actions to your own and that they are appropriately protecting themselves.

• Implement endpoint monitoring, giving security operations teams the visibility into malicious behavior occurring in the environment.

• Identify critical systems and data and confirm these are connected to the internet only when necessary.

• Make sure to test the security program with frequent penetration tests across the estate.

• Review how proactive security monitoring of the entire environment through EY Managed SOC services could support faster detection and response to incidents.

Business response and forward look

If an organization believes it is compromised, or is in the process of being compromised, then the following activities can help to provide a rapid response, damage containment and communications to end users:

• Disconnect infected machines from the network and take all backups offline. These could become encrypted as well if left connected to the network.

• EY member firms can help to:

  • Forensically analyze network and host systems to detect early indications of penetration by ransomware to allow more rapid response and remediation.

  • Forensically detect, identify and contain ransomware malware based on previous experience with ransomware negotiations and ransomware eradication. Forensically circumvent ransomware and/or recover data from damaged systems and/or backups, and verify that recovered data are clean from ransomware contamination.

  • Forensically image and preserve highly sensitive impacted machines to support the systems and data not destroyed by ransomware.

  • Collect and preserve IT and business evidence in a forensically sound manner, and then provide internal or stakeholder investigations and support disputes with customers, service providers and requirements for regulatory reporting.

• Activate your incident response plan and don’t treat the investigation as merely an IT issue; there should be cross-functional representation in the investigation team, such as legal, compliance, information security, business, PR, HR, etc.

• Identify and address vulnerabilities in the environment, sufficiently harden the environment to complicate the attacker’s effort to get back in, enhance the ability to detect and respond to future attacks and prepare for eradication events.

• Activate your business continuity plan. Prepare data based on varying requirements for regulatory inquiries or civil suits.

Contact information
General inquiry — Nordics

Claus Thaudahl Hansen
Partner
EMEIA Financial Services
+45 2529 [email protected]

Per Leslie Jensen
Director
Head of Forensic Technology & Discovery Services Nordics
+45 2529 [email protected]


P17006dk

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization and/or one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2017 EYGM Limited. All Rights Reserved.

EYG no. 04060-173GBL

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com/nordiccyber

ey.com/cybersecurity

ey.com/ransomware