NotPetya and WannaCry: Have We Seen the Last?

An F-Secure expert predicts we'll continue to see similar campaigns - here's why.

Author: Melissa Michael
Date: 07.07.2017
Read Time: 2 Minutes

We haven't seen the last of ransomware worms


Security experts have spent the last week and a half discussing NotPetya, the latest ransomware outbreak to grip the world. Is it not-quite-functional ransomware, or a wiper in disguise? Is it the work of a nation state, or of skilled criminals? What of motive?

As researchers painstakingly hash out the answers, the question for those directly tasked with protecting company data is more practical: Should we expect more of the same?

NotPetya and WannaCry, NotPetya’s May predecessor, are different from the crypto-ransomware we’ve become accustomed to in the past couple of years. Most ransomware employs social engineering to trick users into clicking on malicious email attachments or links.

But NotPetya and WannaCry didn’t rely on social engineering to propagate. Both exploited a vulnerability in Windows SMB, and NotPetya added a second method: harvesting login credentials and then spreading through the Windows administration tools PsExec and WMIC.

“They relied on computers being poorly configured, out-of-date, and unpatched,” says Andy Patel, cyber security expert at F-Secure. “And it worked.”

The answer to whether to expect more like this, Andy says, is yes.

“Until companies start following a minimum set of security practices, I would expect that campaigns similar to WannaCry and NotPetya will continue to be successful,” he notes. Those practices include running the latest versions of Windows, installing updates as soon as they’re available, not having users log on with admin rights, and configuring firewall rules.

Both outbreaks were stopped or diminished when researchers found “cures” to beat them. WannaCry was halted en masse when a researcher registered a domain that was in its code, and the creation of a file called “perfc.dat” served as a local inoculation for NotPetya.

“Both of these malware were poorly designed and contained rookie mistakes that allowed them to be shut off using simple mechanisms,” Andy says. “But I wouldn’t expect future outbreaks to be so easily thwarted.”

Andy says these lateral propagation mechanisms, especially the PsExec and WMIC ones employed by NotPetya, will undoubtedly be used by other malware authors.
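The PsExec and WMIC spreading described above leaves a recognisable footprint in host process-creation telemetry, and that footprint is what a blue team would hunt for. The following is an added example written for this page, not code from F-Secure or from the article: it runs a few detection rules over a handful of constructed process-creation events shaped like Sysmon Event ID 1 records (the field names `host`, `image`, `parent_image`, `cmdline` and `user` are an assumption, as is the `WMI_CHILD_ALLOWLIST` of processes WmiPrvSE.exe is allowed to spawn). It flags the PsExec service component starting on a host, `wmic.exe` being pointed at a remote node with `process call create`, and processes spawned by WmiPrvSE.exe on the receiving host.

```python
"""Flag PsExec- and WMIC-style remote execution in process-creation telemetry.

Added example for this article (not F-Secure's code). Event shape and the
allowlist below are assumptions; all sample events are constructed.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str    # host on which the event was recorded
    rule: str    # which detection rule fired
    detail: str  # short human-readable explanation


# Children that WmiPrvSE.exe legitimately spawns on many hosts (assumed
# baseline; tune this per estate, since remote WMI execution also appears
# as a WmiPrvSE.exe child on the target machine).
WMI_CHILD_ALLOWLIST = {"wmiadap.exe", "conhost.exe"}

# wmic.exe aimed at another machine and asked to create a process there.
_NODE_RE = re.compile(r"/node:", re.IGNORECASE)
_PROC_CREATE_RE = re.compile(r"\bprocess\b.*\bcall\b.*\bcreate\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'C:\\x\\Wmic.exe' -> 'wmic.exe'."""
    return ntpath.basename(path).lower()


def inspect_event(ev: dict) -> list[Alert]:
    """Apply every rule to one process-creation event; return the alerts raised."""
    alerts = []
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    cmdline = ev.get("cmdline", "")
    host = ev.get("host", "?")

    # Rule 1: PsExec's service component running on the target host.
    if image == "psexesvc.exe":
        alerts.append(Alert(host, "psexec_service_binary", f"{image} started by {parent}"))

    # Rule 2: wmic.exe invoked against a remote node to create a process.
    if image == "wmic.exe" and _NODE_RE.search(cmdline) and _PROC_CREATE_RE.search(cmdline):
        alerts.append(Alert(host, "wmic_remote_process_create", cmdline))

    # Rule 3: unexpected child of WmiPrvSE.exe (how remote WMI execution
    # shows up on the machine that received the request).
    if parent == "wmiprvse.exe" and image not in WMI_CHILD_ALLOWLIST:
        alerts.append(Alert(host, "wmi_spawned_process", f"{image} spawned by WmiPrvSE.exe"))

    return alerts


def scan(events: list[dict]) -> list[Alert]:
    """Run inspect_event over a stream of events and collect all alerts."""
    alerts: list[Alert] = []
    for ev in events:
        alerts.extend(inspect_event(ev))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, list[str]]:
    """Group fired rule names by host, in event order."""
    by_host: dict[str, list[str]] = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a.rule)
    return by_host


# Constructed sample telemetry (not real captures). Paths, host names and the
# Temp\update.exe file name are made up for illustration.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "cmdline": "svchost.exe -k netsvcs", "user": "NT AUTHORITY\\SYSTEM"},
    {"host": "ws-02", "image": "C:\\Windows\\PSEXESVC.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"host": "admin-01", "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'wmic /node:"ws-03" process call create "C:\\Windows\\Temp\\update.exe"',
     "user": "CORP\\admin"},
    {"host": "ws-03", "image": "C:\\Windows\\Temp\\update.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "C:\\Windows\\Temp\\update.exe", "user": "CORP\\admin"},
    {"host": "ws-04", "image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "wmic os get caption", "user": "CORP\\alice"},
    {"host": "ws-05", "image": "C:\\Windows\\System32\\wbem\\WmiAdap.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "wmiadap.exe /F /T /R", "user": "NT AUTHORITY\\SYSTEM"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.host}] {alert.rule}: {alert.detail}")
```

Rule 3 is the one that needs local tuning: WmiPrvSE.exe spawns benign children on most estates, so the allowlist is deliberately small here and would grow from a baseline of normal activity. Rules 1 and 2 are low-noise because PSEXESVC.exe and `wmic /node:... process call create` are rarely seen outside administrative remote execution, which is exactly why they deserve a look when they appear on ordinary workstations.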

The bottom line? “Expect to see a lot more worms this year.”
