Security experts have spent the last week and a half discussing NotPetya, the latest ransomware outbreak to grip the world. Is it not-quite-functional ransomware, or a wiper in disguise? Is it the work of a nation state, or of skilled criminals? And what of motive?
As researchers painstakingly hash out the answers, the question for those directly tasked with protecting company data is more practical: Should we expect more of the same?
NotPetya and WannaCry, NotPetya’s May predecessor, are different from the crypto-ransomware we’ve become accustomed to over the past couple of years. Most ransomware relies on social engineering to trick users into clicking on malicious email attachments or links.
NotPetya and WannaCry didn’t need social engineering to propagate. Both exploited a vulnerability in Windows SMB, and NotPetya added a second route: harvesting login credentials from the infected machine and then spreading to other hosts through the legitimate Windows administration tools PsExec and WMIC.
“They relied on computers being poorly configured, out-of-date, and unpatched,” says Andy Patel, cyber security expert at F-Secure. “And it worked.”
The answer to whether to expect more like this, Andy says, is yes.
“Until companies start following a minimum set of security practices, I would expect that campaigns similar to WannaCry and NotPetya will continue to be successful,” he notes. Those practices include running the latest versions of Windows, installing updates as soon as they’re available, not having users log on with admin rights, and configuring firewall rules.
Both outbreaks were stopped or diminished when researchers found “cures” to beat them. WannaCry was halted en masse when a researcher registered a domain that was in its code, and the creation of a file called “perfc.dat” served as a local inoculation for NotPetya.
“Both of these malware were poorly designed and contained rookie mistakes that allowed them to be shut off using simple mechanisms,” Andy says. “But I wouldn’t expect future outbreaks to be so easily thwarted.”
Andy says these lateral propagation mechanisms, especially the PsExec and WMIC ones employed by NotPetya, will undoubtedly be used by other malware authors.
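The PsExec and WMIC lateral movement described above leaves a recognisable trail in process-creation telemetry, and that trail is what a defender can hunt for. The following is an added example, not code from the article or from F-Secure: it scans a constructed, simplified process-creation log (one key=value record per line, loosely modelled on Sysmon Event ID 1 fields; the host names, users and paths are made up) for the source-side indicators (a PsExec client run, a `wmic /node:` remote process creation), the target-side indicators (the PSEXESVC service, and children of PSEXESVC or WmiPrvSE), and then counts how many distinct targets each source host reached, since one workstation pushing to many peers is the fan-out pattern a worm produces.

```python
"""Flag PsExec / WMIC remote-execution patterns in process-creation logs.

Added example, not code from the article or from F-Secure. The log format,
field names, hosts, users and paths below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: a benign edit on WS01, PsExec pushes from WS01 to WS02
# and WS04, a WMIC remote process creation from WS01 to WS03, the resulting
# processes on the targets, and a harmless local wmic query by another user.
SAMPLE_LOG = r"""
host=WS01 user=CORP\alice parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"
host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe image=C:\Tools\PsExec.exe cmdline="PsExec.exe \\WS02 -u CORP\alice -s cmd /c whoami"
host=WS02 user="NT AUTHORITY\SYSTEM" parent=C:\Windows\System32\services.exe image=C:\Windows\PSEXESVC.exe cmdline="C:\Windows\PSEXESVC.exe"
host=WS02 user="NT AUTHORITY\SYSTEM" parent=C:\Windows\PSEXESVC.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /c whoami"
host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic /node:WS03 /user:CORP\alice process call create cmd.exe"
host=WS03 user=CORP\alice parent=C:\Windows\System32\wbem\WmiPrvSE.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe"
host=WS01 user=CORP\bob parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic os get caption"
host=WS01 user=CORP\alice parent=C:\Windows\System32\cmd.exe image=C:\Tools\PsExec.exe cmdline="PsExec.exe \\WS04 -u CORP\alice -s cmd /c whoami"
"""

# key=value pairs; a value is either a double-quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# remote target: PsExec's \\HOST argument or WMIC's /node:HOST switch
TARGET_RE = re.compile(r'(?:\\\\|/node:"?)([\w.-]+)', re.IGNORECASE)

PSEXEC_CLIENTS = {"psexec.exe", "psexec64.exe"}   # run on the source machine
PSEXEC_SERVICE = "psexesvc.exe"                   # dropped and started on the target
REMOTE_EXEC_HOSTS = {PSEXEC_SERVICE, "wmiprvse.exe"}  # parents of remotely started processes


@dataclass
class Event:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Hit:
    event: Event
    reasons: List[str]
    target: Optional[str]  # remote host named on the command line, if any


def parse_line(line: str) -> Event:
    """Parse one key=value record; quoted values keep their backslashes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return Event(*(fields.get(k, "") for k in ("host", "user", "parent", "image", "cmdline")))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> List[str]:
    """Return the remote-execution indicators matched by one event (empty if none)."""
    image, parent, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
    reasons = []
    if image in PSEXEC_CLIENTS:
        reasons.append("psexec client run (source side)")
    if image == PSEXEC_SERVICE:
        reasons.append("psexec service started (target side)")
    if image == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        reasons.append("wmic remote process creation (source side)")
    if parent in REMOTE_EXEC_HOSTS:
        reasons.append(f"child of remote-execution host process {parent}")
    return reasons


def scan(log_text: str) -> List[Hit]:
    """Run every record through classify() and keep the ones that matched."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if not reasons:
            continue
        target = None
        if any(r.endswith("(source side)") for r in reasons):
            m = TARGET_RE.search(ev.cmdline)
            target = m.group(1) if m else None
        hits.append(Hit(ev, reasons, target))
    return hits


def fan_out(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Map each source host to the distinct remote targets it pushed code to."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        if h.target:
            out.setdefault(h.event.host, set()).add(h.target)
    return out


def worm_like_sources(fan: Dict[str, Set[str]], threshold: int = 2) -> List[str]:
    """Source hosts that reached at least `threshold` distinct targets."""
    return sorted(host for host, targets in fan.items() if len(targets) >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.event.host:5} {basename(h.event.image):12} -> {h.target or '-':5} {'; '.join(h.reasons)}")
    print("worm-like sources:", worm_like_sources(fan_out(found)))
```

The local `wmic os get caption` query is deliberately left alone: WMIC on its own is routine administration, and it is the `/node:` plus `process call create` combination, or a process whose parent is PSEXESVC or WmiPrvSE, that marks remote execution. The fan-out threshold is a tuning knob; an administrator pushing a script to two machines will trip it, so in practice the count is scoped to a short time window and allow-listed for known deployment hosts.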
The bottom line? “Expect to see a lot more worms this year.”