Three years after the NotPetya ransomware outbreak overwhelmed numerous businesses in Ukraine and more than 60 other countries, many enterprises remain as vulnerable as ever to similar attacks.
The lessons that the outbreak highlighted around the importance of network segmentation, patching, and robust backup practices appear to have already been forgotten or remain largely unlearned.
"NotPetya changed the world's perception of destructive cyberattacks and is one of the only cyber activities that is considered to be an act of war," Charles Carmakal, senior vice president and CTO at Mandiant said in an emailed statement. "Despite the broad awareness of NotPetya, the world is still susceptible to the same techniques employed in the attack."
The NotPetya attacks were noteworthy for their sheer destructiveness, the amazing speed at which they spread, and the widespread impact. The US and UK governments and numerous others have formally attributed the campaign to Russia's military intelligence apparatus, and described it as designed to destabilize the Ukrainian government.
In a February 2018 statement, the White House called the NotPetya outbreak the "most destructive and costliest cyber-attack in history" and promised international consequences for it.
The June 27, 2017 attacks were specifically targeted at organizations located in Ukraine or those with close business ties to the country. Eventually it ended up impacting organizations in some 65 countries including the United States, United Kingdom, Denmark, India, and Australia.
The attacks are believed to have caused multiple billions of dollars in damages. Though NotPetya was technically ransomware, it was almost entirely used in the attacks to destroy data and disrupt operations - and far less so to collect ransom payments from impacted organizations.
Victims included Danish shipping company Maersk, which ended up spending more than $300 million on repair and recovery after NotPetya destroyed a staggering 49,000 computers and more than 1,000 applications. Other notable victims included FedEx, pharmaceutical giant Merck, and French firm Saint-Gobain. All of these organizations spent hundreds of millions of dollars to restore data and systems that NotPetya had encrypted beyond repair.
To distribute the malware, the attackers are believed to have first compromised an automatic software update server belonging to MeDoc, the provider of a tax-accounting software product used almost ubiquitously by Ukrainian organizations. They then distributed the malware — disguised as a legitimate security update — to MeDoc users.
NotPetya exploited EternalBlue, a leaked NSA exploit targeting security issues in Microsoft's SMB protocoal in older Windows versions, to move laterally on enterprise networks and to spread from one vulnerable system to the next. Though Microsoft had issued a patch against the exploit, numerous organizations remained unpatched at the time of the NotPetya outbreak. The ransomware also used the publicly available Mimikatz penetration-testing tool to harvest credentials from victim networks in order to spread from system to system.
Amir Preminger, vice president of research at industrial cybersecurity firm Claroty, says three years after the attack, the conditions that allowed NotPetya to spread so quickly and damagingly still persist at many organizations.
Patching, for instance, remains a major concern as many organizations do not quickly do so. A ServiceNow study of 3,000 security professionals found that 60% of breaches in 2019 were tied to a security vulnerability for which a patch was already available. Organizations experienced 30% more downtime in 2019 compared to the year before because of delays in vulnerability patching.
Similarly, network segmentation still remains a work in progress at many organizations, Preminger says. Segmentation offers a way for organizations to isolate or segregate network segments and allows for better access control. With NotPetya, segmentation could have helped impacted organizations contain and limit damage.
Security researchers have long advocated the method as a best practice, yet surprisingly few organizations have implemented it. In a survey that Illumio conducted last year, less than one in five companies (19%) had implemented segmenting because of perceived complexities.
Poor network visibility and insufficient network monitoring are other major concerns. "The foundation of the next NotPetya is still being created, so discovering and patching vulnerabilities before threat actors have the chance to exploit them on a large scale is essential for preventing a similar attack," Preminger says.
Organizations need to know as quickly as possible which devices are vulnerable and, based on their patching capabilities, figure out how they want to prioritize patch deployment, he notes.
The NotPetya attacks were a prime example of an absolute worst-case scenario that can occur due to not applying patches to critical software vulnerabilities, says Alex Guirakhoo, threat research team lead at Digital Shadows. "Much like the WannaCry attacks a month earlier, NotPetya leveraged the infamous EternalBlue vulnerability, affecting many older Windows operating systems: all of which are now no longer officially supported by Microsoft."
As organizations become more reliant on Internet-connected technologies for business and personal use, the attack surface increases accordingly. Managing this attack surface has become even more critical now that COVID-19 has significantly broadened remote working. "It can be difficult for many organizations to find the time to apply patches without impacting business continuity. However, attackers are constantly scanning for vulnerable Internet-connected devices," he says.
According to Mandiant's Carmakal, a general misconception around NotPetya is how much EternalBlue enabled its spread. NotPetya spread so quickly because it used Mimikatz to harvest credentials from the systems it ran on to move laterally. "Stealing credentials from Windows using a tool like Mimikatz is still highly effective today," he said.
To this day, the group behind NotPetya remains one of the most advanced and active cyber threat groups. "They are one of the few groups that have demonstrated their willingness to orchestrate destructive cyberattacks with physical consequences," Carmakal said.