
Privacy & Data Security Alert

June 28, 2017

'Petya' Ransomware Attack Cripples Companies Across U.S. and Europe; DHS Issues Warning

On June 27, 2017, at 12:56 PM, the Department of Homeland Security (DHS) posted an alert concerning the cybersecurity hacks that targeted several companies across Europe earlier Tuesday.[1] The alert outlined the facts of the attack, advised companies to refrain from paying the ransoms demanded by malicious software, asked organizations to update their systems, and referred to additional DHS guidance for further cybersecurity review.

The cyber-attack on Tuesday morning infiltrated several global companies, including British advertising agency WPP, Danish shipping company Maersk, Russian oil and gas company Rosneft, US pharmaceutical company Merck, cookie giant Mondelez (maker of Oreos and Cadbury Eggs), and law firm DLA Piper.[2] One estimate showed that 80 companies across Russia and Ukraine were compromised. Geographically, Ukraine appears to have been the target of the most severe hacks. While several private companies in the nation were breached, they were joined by Ukraine's central bank, metro system, post office, and the Prime Minister's own offices. Even the Chernobyl nuclear plant has reported hacking problems, revealing that it has transitioned to manual radiation testing until computer system stability can be restored.[3]

The widespread hacks utilized a common invasive ransomware. Ransomware is a kind of malicious software that operates by invading a computer system and locking out the user until they pay a demanded ransom in bitcoin, after which the software promises to return computer access. However, after outlining the strategy behind ransomware attacks, the first advice given by the DHS alert is that "individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored."[4] Indeed, aside from the promise made by the malicious software itself, there is no guarantee that paying the requested ransom will restore any system access.

While it is still early, investigators suspect that this case of fast-spreading ransomware is a more advanced variation on the Petya software that criminals utilized in prior attacks. The software targets weaknesses in Microsoft operating systems' Server Message Block (SMB) implementation and uses those vulnerabilities to spread. A similar hack occurred in May of this year (the 'WannaCry' hack), affecting 230,000 computers in 150 countries before the spread could be halted. Microsoft issued a patch for the SMB vulnerability as early as March, but many organizations run their business using "legacy" software, which is essentially older, outdated software that employees are more familiar and comfortable with.[5] Consequently, the DHS alert also advises that "using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware."[6] Conversely, one of the best ways to bolster system security is to operate with updated operating systems and security firewalls.

The DHS alert then refers readers to Microsoft's March 14th Security Bulletin, which outlines the SMB issue, provides links to the software update, and definitively states that leaving software unpatched creates a "Critical Vulnerability" in every available Microsoft operating system. Additionally, the alert recommends reading a 2016 DHS article, which provides more background on ransomware and potential safeguards. The article proposes preventative measures including: employing data backups and recovery plans in case of a breach, using application whitelisting to prevent malware from running, updating system software, restricting system permissions, and avoiding unsolicited emails/web links. Lastly, the DHS alert asks that ransomware incidents be reported to the Internet Crime Complaint Center.[7]
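As an added example (not part of the alert, the DHS notice, or Microsoft's bulletin), the following PowerShell script audits a Windows host for the two conditions the preceding paragraphs single out: an SMBv1 service still enabled, and the March update not installed. It assumes an administrative session on Windows 8 / Server 2012 or later (where the SmbShare cmdlets exist); the `$RequiredKbIds` list is a placeholder that must be filled in from the bulletin for the operating system in question.

```powershell
# Added example: audit one host for the SMB exposure described above.
# Assumption: run elevated on Windows 8 / Server 2012 or later.
# Placeholder: replace with the KB identifier(s) listed in Microsoft's
# March 14, 2017 bulletin for this OS build. Not a real identifier.
$RequiredKbIds = @('KB-PLACEHOLDER-FROM-MARCH-BULLETIN')

function Get-SmbExposureReport {
    param([string[]]$KbIds = $RequiredKbIds)

    # Server-side SMB protocol switches (EnableSMB1Protocol is the one that matters here).
    $smb = Get-SmbServerConfiguration

    # Installed updates; anything in $KbIds that is absent is reported as missing.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($KbIds | Where-Object { $installed -notcontains $_ })

    # OS identity, so "legacy" builds stand out in a fleet-wide report.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $os.Caption
        OSVersion    = $os.Version
        Smb1Enabled  = $smb.EnableSMB1Protocol
        Smb2Enabled  = $smb.EnableSMB2Protocol
        MissingKbs   = $missing
        Exposed      = ($smb.EnableSMB1Protocol -or ($missing.Count -gt 0))
    }
}

function Disable-Smb1Server {
    # Mitigation for hosts that no longer need SMBv1: turn the server side off.
    # Applies to new sessions immediately; a reboot is still recommended.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$report = Get-SmbExposureReport
$report | Format-List
if ($report.Exposed) {
    Write-Warning "$($report.ComputerName): SMBv1 enabled or required update missing; review before next patch cycle."
}
```

Run the audit across the fleet first and act on `Exposed` hosts; call `Disable-Smb1Server` only after confirming no legacy client still depends on SMBv1.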

On a broader level, this breach signals a growing threat in the form of ransomware hacking. There have now been two extensive attacks within a month of each other, and ransomware attacks are likely to continue due to the enormous financial incentives for hackers. Even if only a small percentage of locked-out users pay the demanded ransom, these criminal schemes can still be hugely profitable; the FBI estimates that the 2015 Cryptowall ransomware hack accrued $18 million before it was halted.[8] Moreover, while its alert shows that the DHS is aware of the growing ransomware threat, the advice in the notice suggests that companies themselves must be responsible for their own protection. The alert offers guidance and broad recommendations, but there is no promise of a blanket solution to cybersecurity threats, and the burden lies with each organization (both public and private) to update and secure its systems.

There are several proactive steps companies and other organizations can take to secure their systems from ransomware assault, including:

  • Immediately evaluating internal information technology and security personnel’s ability to prevent and respond to ransomware attack,
  • Establishing relationships with information security experts and legal specialists that can react quickly to cyber-attack,
  • Updating employee security awareness training to incorporate the risks associated with phishing and social engineering,
  • Identifying threat vectors associated with ransomware attacks,
  • Conducting audits of all technology systems and devices to ensure existing licenses for current software applications are up to date and that patching of known vulnerabilities is occurring on a regular basis,
  • Ensuring systems are routinely monitored for suspicious activity (consider engaging experts to conduct penetration testing and evaluate existing firewall configurations),
  • Updating incident response plans to specifically address ransomware attacks, and considering whether to obtain reserves of bitcoin to quickly pay a ransom if absolutely necessary and business judgment requires action contrary to DHS advice.

While no program can provide a 100% guarantee of system security against malicious software, these steps will strengthen company security and response in the event of a ransomware attack.

[1] Multiple Petya Ransomware Infections Reported, US-CERT, US Department of Homeland Security (June 27, 2017, 12:57 PM), https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported.
[2] Marilia Brocchetto et al., Another Big Malware Attack Ripples Across the World, CNN Tech (June 28, 2017, 9:25 AM), http://money.cnn.com/2017/06/27/technology/hacking-petya-europe-ukraine-wpp-rosneft/index.html.
[3] Id.
[4] US-CERT, supra.
[5] Brocchetto, supra.
[6] US-CERT, supra.
[7] Id.
[8] Sean Gallagher, FBI says crypto-ransomware has raked in >$18 million for cybercriminals, Ars Technica (June 25, 2015, 11:25 AM), https://arstechnica.com/security/2015/06/fbi-says-crypto-ransomware-has-raked-in-18-million-for-cybercriminals/.