Lessons Learned from Petya and WannaCry Ransomware

On May 12th, 2017, the first case of WannaCry ransomware was discovered and, within a day, over 230,000 machines were estimated to have been infected in more than 150 countries. The scale and speed of this attack left the industry stunned, but ransomware is not a new phenomenon. Ransomware has existed in one form or another for fifteen years, and to date more than 350,000 different ransomware variants have been identified. There are some fundamental differences in the way that WannaCry and Petya operate that make their spread more rapid, and therefore more dangerous, than that of the variants before them.

Before delving further, let’s begin by defining ransomware and describing what makes it different from other forms of malware.

A Brief History of Ransomware

Ransomware is a form of malware that prevents access to system resources, which could range from individual files to the entire infected system. Traditionally, ransomware falls into one of two categories: lockers and crypto ransomware. Lockers constituted some of the earliest forms of ransomware, and either prevented the full use of the infected system or provided enough annoyance to make using the infected system difficult. By contrast, crypto malware encrypts user content: documents, photographs and other files. Ultimately, the goal of ransomware is directly financial. It requires the user to pay a ransom in order to regain access to their resources and data.

Many early forms of ransomware would masquerade as virus scanners. These variants would present the user with a warning, telling the user that the system was infected, and ask the user to “update their license” in order to eradicate the malware from their system. These forms of malware would borrow the “visual language” of popular virus scanners to trick the user into believing that the malware was a legitimate virus scanner. This technique was short-lived, as collecting the reward required the user to pay with a credit card. Once the ransomware was identified, the card service provider would shut down the merchant account, preventing users from sending money and shortening the useful life of the ransomware. As these forms of ransomware were also typically lockers, the user would regain access to their resources once the ransomware was removed from the system.

Modern variants choose to encrypt a system’s individual files rather than prevent access to the system as a whole. As a result, even if the ransomware is removed from the system, the system’s files remain encrypted. Each infected system is often encrypted with a unique key, making decryption of the affected files difficult or impossible. Finally, these newer versions of malware require payment in bitcoin rather than through credit card services, which makes transactions anonymous and eliminates the possibility of tracing the attack back to its source.

What makes ransomware a substantial threat is the financial motive behind it. While other hacks relied on the hacker finding data and information that was valuable to the hacker, ransomware simply attacks data that is valuable to the target. The hacker may not personally find value in your family photos, but can still profit as long as the target finds value in them.

How does ransomware spread?

Traditionally, ransomware has used a number of “vectors” to perform an initial infection on a PC or system. Often users are lured into clicking on a phishing email designed to exploit a vulnerability on the system where the email is opened. From there, it proceeds to encrypt the local system and, if possible, spread to other systems.

Prior to WannaCry, the capability to spread to other devices was minimal by comparison. Some variants would harvest the user’s email database to try to enlist other users who would trust an email from the originating target. More advanced variants would try to encrypt connected shared network drives, thereby disrupting a larger and potentially more valuable set of data. In either of these scenarios, the footprint of compromised systems would be relatively contained.

What is new with WannaCry and Petya?

On April 14, 2017, a hacker group called ShadowBrokers released details allegedly leaked from the National Security Agency (NSA) regarding a collection of zero-day exploits for Windows and other operating systems. One of these exploits, code-named “EternalBlue”, described a method of compromising Windows systems using the “Server Message Block” protocol, or SMB. SMB is a protocol used since the earliest days of Windows networking, and allows systems to share files on a local network. WannaCry was the first ransomware to utilize this exploit for the purpose of “lateral spread”, or spreading from one device to another across a local network.

Microsoft released a patch for this exploit on March 14, 2017 for all supported versions of Windows, including Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016, as well as Windows Vista (which had only recently ended support). Unfortunately, not all organizations apply patches rapidly. What is worse, there are countless legacy systems running on older versions of Windows (Windows XP, etc.) that cannot be easily upgraded, nor can they be easily replaced. This very issue has been pivotal in previous attacks, as a number of Point of Sale terminals, ATMs, and other industrial systems run exclusively on older versions of Windows. In most circumstances, this is not problematic, as these devices are not used to directly access the internet and therefore have limited exposure to external threats, and can only be accessed by devices within a perimeter of “trusted network devices”.

WannaCry initially targets a user by way of a phishing attack. If the user’s system becomes compromised, it will then utilize the EternalBlue exploit to spread to other Windows systems on the same local network as the infected target. This allows WannaCry to spread to systems whose users are not required to take any action in order to become infected. As stated before, the number of older systems that did not have access to this patch, many of them running critical functions, combined with catastrophic results. Systems in the UK’s National Health Service, Telefónica in Spain and Deutsche Bahn were some of the organizations paralyzed during this attack.

Then, on June 27, 2017, a new ransomware variant of Petya (frequently referred to as “NotPetya”) was discovered that crippled systems in a number of countries, including Russia, Ukraine, France, the United States, Germany, and Poland. It affected organizations from the Bank of Ukraine to the Chernobyl Nuclear Reactor monitoring station. While details are still developing regarding the initial attack vector (initial indicators point at a compromised update server as the initial delivery of the variant), it is known to spread laterally using the same EternalBlue exploit used by WannaCry.

Complicating its impact, the email account associated with Petya payments was disabled, which disconnected victims from the ransomware author. As a result, infected users are left with a permanently disabled device regardless of whether they made a payment, making Petya operate more like a “wiper” than ransomware. This highlights one of the dangers of ransomware: you can’t count on being able to retrieve your data by paying the ransom. The only useful strategy incorporates strong defenses for prevention, in combination with a strong backup strategy to restore data should your site become compromised. Paying the ransom may not work, and only serves to strengthen the financial incentive for ransomware authors.

The other concern regarding Petya is that there is strong evidence that this was a state-sponsored attack against Ukraine that escaped control and impacted a much larger footprint than initially anticipated. This is not the first time targeted malware attacks have escaped to cause far greater collateral damage. The Stuxnet virus was initially targeted at Iranian nuclear enrichment facilities, but was ultimately discovered when it spread outside of its intended target. State-sponsored malware can often be far more sophisticated, difficult to identify, and destructive than standard malware. As a result, enterprises that would not normally consider themselves targets of sophisticated attacks must adopt more sophisticated defenses. Damages are often the same regardless of whether you are the initial target or a victim of cyberattack crossfire.

Traditional Ransomware Strategy

Times were simpler in the initial days of ransomware. The simplest advice was often the best. This included:

Create a comprehensive corporate backup strategy. Assume that ransomware can strike any of your systems and make sure that, should any data located on any of your systems become unavailable through ransomware, you have a way to recover that data without resorting to ransom payment. If you have not heard of the 3-2-1 backup strategy, it includes having three copies of your data, two of which are kept locally and one of which is stored off-site.

Keep systems current with updated patches and virus scanners. Most virus scanners can now identify common ransomware variants, and even this basic countermeasure may prevent catastrophic results.

While both of these pieces of advice are still as relevant and important as they have ever been, WannaCry and Petya have changed the game in a substantial way, and change how we should view a comprehensive ransomware strategy.

New Approaches to Lateral Spread Ransomware

Systems that were originally considered outside of the reach of external attack have been shown to be vulnerable to these new forms of attack.

As such, consider the following additional strategies to help protect your internal assets from future attacks:

Establish a policy of data segmentation and isolation on your network. Many organizations that use network drives and network attached storage create one large network share which can be viewed and edited by all. Best practices suggest that the enterprise should segment network shares so that each user can only view and edit the files to which they require access. While this is a good practice from a data loss prevention standpoint, it also helps to minimize the impact that any one infected user can have upon the enterprise as a whole. If the end user is not given access to a file, the malware on that user’s system cannot encrypt it.

This policy should also extend to any kind of access to network resources. Critical systems on a network, specifically ones particularly vulnerable to such attacks (legacy systems using older versions of Windows, systems that cannot be patched regularly or on an established cadence, etc.), should be logically if not physically isolated from all other systems on the network.

Using Existing Security Systems to Prevent Ransomware Spread

For too long, security operations considered the network perimeter to be the ultimate barrier to outside attack. More recently, with the prevalence of mobile devices, organizations have begun to understand the porous nature of their networks, and that establishing good internal practices is as important as establishing good perimeter defenses.

Instrument your internal network. While establishing intrusion prevention or intrusion detection on the perimeter is commonplace, establishing a good monitoring policy for the internal network is not as common. At this point, most threat intelligence sources, such as Proofpoint’s Emerging Threats, include rules to identify the type of behavior indicative of the use of the EternalBlue exploit, which in turn would be an early warning of the next generation of malware or ransomware, regardless of the variant. However, you must instrument your network in the appropriate places in order to detect such activity.

While it may be impractical or costly to instrument your entire internal network to detect such lateral movement of malware, your best practices should include monitoring any systems that are particularly vulnerable, including legacy systems that are complicated to patch, or systems with data critical to the functioning of your business.

Ensure your endpoints are adequately guarded against signature-less malware. The threat landscape has changed, and it has become trivial for a malware author to defeat most static virus scanning. Your endpoints should be instrumented to detect malicious objects, with or without a known signature. There are a number of solutions on the market today, including products by Cylance, that are capable of identifying malware by behavior and do not rely upon a signature which may or may not exist for that particular variant. Unfortunately, in cases where legacy systems are in production, it may not be possible to run such detection directly upon the system you wish to protect. In such circumstances, it is necessary to instrument your network with a system that can “carve files” (i.e., observe files being transferred across the network) and test them independently when it is not possible to test them directly upon the target.

Instrument your network to identify anomalies. The previous two recommendations are good practices for the use cases we already know of, including WannaCry and Petya. Attacks continue to evolve, and new exploits are regularly introduced into the industry. The only way to protect yourself from the unknown is to make it known. To do that, it is important to baseline what is normal for your network while it is in a steady state, and not try to guess what is normal during the next attack. Instrumenting your network with a system that allows you to determine what is normal is key to identifying when things become abnormal. Make sure that any strategy includes a solution that allows you to identify abnormal user behavior, atypical network activity, etc.
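One way to instrument for the lateral-spread behavior described in the two sections above (detecting EternalBlue-style SMB propagation, and baselining what is normal before the next attack), as an added example that is not from the original article or any vendor product: a Python heuristic over constructed connection records that learns each host's normal SMB fan-out (distinct TCP 445/139 destinations reached within a 60-second window) from a quiet period, then alerts when a host later exceeds it. The sample records, the 60-second window and the thresholds (factor 3, floor 5) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records (timestamp,src,dst,dst_port) like a NetFlow/Zeek export; not real traffic.
BASELINE_LOG = [
    "2017-06-26T10:00:01,10.0.20.15,10.0.20.50,445",
    "2017-06-26T10:05:12,10.0.20.15,10.0.20.51,445",
    "2017-06-26T11:10:03,10.0.20.16,10.0.20.50,445",
    "2017-06-26T12:30:00,10.0.20.17,10.0.20.50,445",
]
# Incident day: 10.0.20.15 opens SMB to 12 distinct hosts within 12 seconds (constructed burst)
INCIDENT_LOG = [f"2017-06-27T10:15:{i:02d},10.0.20.15,10.0.20.{100 + i},445" for i in range(12)] + [
    "2017-06-27T10:16:00,10.0.20.16,10.0.20.50,445",
    "2017-06-27T10:20:00,10.0.20.17,10.0.20.50,80",  # HTTP, ignored by the SMB filter
]

def parse(lines):
    """Turn CSV lines into (time, src, dst, port) tuples, skipping blanks and comments."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split(",")
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records

def smb_fanout(records, window=timedelta(seconds=60)):
    """Per source: the most distinct SMB (445/139) destinations reached within any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port in (445, 139):
            by_src[src].append((ts, dst))
    for conns in by_src.values():
        conns.sort()  # chronological, so conns[i:] is everything from that start time on
    return {src: max(len({d for t, d in conns[i:] if t - start <= window})
                     for i, (start, _) in enumerate(conns))
            for src, conns in by_src.items()}

def detect_lateral_spread(records, baseline, factor=3, floor=5):
    """Alert when a host's SMB fan-out reaches `floor` and `factor` times its baseline.
    Hosts absent from the baseline are assumed to have a baseline of 1."""
    alerts = []
    for src, fan in smb_fanout(records).items():
        normal = baseline.get(src, 1)
        if fan >= max(floor, factor * normal):
            alerts.append({"src": src, "fanout": fan, "baseline": normal})
    return alerts
```

Feed `smb_fanout(parse(quiet_period))` in as the baseline and run `detect_lateral_spread` over each new batch of records; a worm scanning the subnet stands out as one source with a fan-out far above its own history.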

The prevalence of ransomware is growing rapidly, and the sophistication of ransomware attacks makes them difficult to mitigate. However, combining best practices regarding data backup and resource isolation with a monitoring solution that provides early warning for future generations of attack can help to prevent the next ransomware outbreak from counting your organization among its victims.