This past Saturday marked the third anniversary of the NotPetya ransomware attack, widely regarded as the most costly and most destructive cyber attack in history. Just over a month after the similarly infamous WannaCry ransomware attack, the ransomware caused a global meltdown affecting IT and operational technology (OT) environments across a broad range of industries.
Looking back three years later, it's clear that NotPetya has had a profound influence on the behavior of cyber threat actors and cybersecurity practitioners alike. As I mentioned in my conversation with CybersecAsia last week, it's important to remember that the far-reaching impact of NotPetya would not have been possible if not for the public disclosure of the 'wormable' EternalBlue exploit. When combined with a brute-force approach to infecting accessible IP addresses, this vulnerability created the perfect conditions to make NotPetya infamous. Upon further reflection, I wanted to take this opportunity to recap my thoughts on NotPetya and highlight three key takeaways from an OT security perspective:
In the aftermath of NotPetya, ransomware is still thriving within internal unmanaged networks that cannot patch or don't have the visibility to identify vulnerable computers. At the same time, however, many organizations have successfully minimized the attack surface of their networks, making cross-network infection more difficult because there is no exposed service left to exploit.
To cope with this adaptation, adversaries have grown increasingly targeted in their ransomware strategies over the past three years. Rather than arbitrarily infecting victims of opportunity through self-propagation, it has become increasingly common for threat actors to follow an advanced persistent threat (APT) approach to ransomware. Under this APT ransomware strategy, a threat actor gains unauthorized access to a targeted network—through vulnerability exploitation, social engineering, or a variety of other means—and subsequently releases the ransomware.
By decoupling the act of gaining initial entry to the victim's network from the subsequent act of ransomware encryption, this new approach can enable cybercriminals to extend the shelf life of an exploitable vulnerability by making it more difficult to trace the ransomware back to an exploited vulnerability. In contrast, the infection vector of a self-propagating ransomware such as NotPetya is relatively easy to track. This targeted approach also allows adversaries to focus on victims they believe are willing and able to meet their ransom demands. Furthermore, this strategic shift can be seen as an adaptation to the efforts of many security practitioners to minimize their network's attack surface following NotPetya, necessitating a more deliberate approach to infection.
While ransomware tactics have shifted away from the likes of NotPetya, WannaCry, and other self-propagating ransomware, security practitioners would be naive to assume we'll never see another widespread ransomware attack of this variety. In all likelihood, it's inevitable that we'll see similar occurrences in the future, but only under the right conditions.
NotPetya's far-reaching impact would not have been possible if the "wormable," NSA-developed EternalBlue exploit had not leaked two months prior, in April 2017. While it's impossible to predict if and when a similarly ubiquitous vulnerability will be exploited by cybercriminals, security teams can proactively address two major factors that enabled NotPetya to infect such a large number of OT environments:
Poor vulnerability management: Since the patch for EternalBlue had been issued on April 14, 2017, more than two months prior to NotPetya, the entire ordeal could have been prevented if all organizations had applied the patch. Patching vulnerabilities before adversaries have the chance to exploit them at scale is essential for preventing attacks similar to NotPetya in the future, but administering security patches is disruptive and costly—especially in OT environments. As such, in order to manage and patch the vulnerabilities that matter most, security teams must have the visibility needed to identify which security flaws are present within OT assets, as well as the ability to accurately assess the level of risk posed by each vulnerability.
Poor network segmentation: A major contributing factor behind NotPetya's ability to spread like wildfire across organizations' IT and OT environments was a lack of segmentation. Initiatives to ensure your organization's OT assets are segmented properly, in alignment with the Purdue Model and other best practices, are among the most effective ways to limit the lateral spread of ransomware and other malicious programs.
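The two factors above, patch visibility and Purdue-style segmentation, can be combined into a simple triage model. The following is an added example, not code from the original post or from any product, showing how a defender might rank OT assets by whether they are missing a required SMB patch and whether SMB can reach them from a less trusted Purdue level, and how to flag firewall rules that bypass the IT/OT DMZ. The asset inventory, firewall rules and the patch identifier `EXAMPLE-SMB-PATCH` are all constructed placeholders.

```python
"""Added example (not from the original post): rank OT assets by patch status
and SMB exposure across Purdue levels, and flag rules that bypass the DMZ.
All inventory data and rules are constructed sample input; the patch id
EXAMPLE-SMB-PATCH is a placeholder, not a real bulletin number."""

from dataclasses import dataclass

SMB_PORT = 445
DMZ_LEVEL = 3.5  # Purdue IT/OT DMZ sits between Level 4 (enterprise) and Level 3 (site ops)


@dataclass
class Asset:
    name: str
    purdue_level: float   # 0 = process, 1 = controllers, 2 = supervisory, 3 = site ops, 4 = enterprise
    patches: set          # identifiers of security patches confirmed applied
    listens_on: set       # TCP ports the host exposes


@dataclass
class Rule:
    """A firewall rule permitting TCP traffic from one Purdue level to another."""
    src_level: float
    dst_level: float
    port: int


def exposed_smb_sources(asset, rules):
    """Return the Purdue levels from which SMB traffic is permitted to reach this asset."""
    if SMB_PORT not in asset.listens_on:
        return set()
    return {r.src_level for r in rules
            if r.dst_level == asset.purdue_level and r.port == SMB_PORT}


def segmentation_violations(rules):
    """Rules that cross the IT/OT boundary without passing through the DMZ:
    source at Level 4 with destination below the DMZ, or the reverse."""
    bad = []
    for r in rules:
        crosses = ((r.src_level >= 4 and r.dst_level < DMZ_LEVEL) or
                   (r.src_level < DMZ_LEVEL and r.dst_level >= 4))
        if crosses:
            bad.append(r)
    return bad


def rank_assets(assets, rules, required_patch):
    """Score each asset; missing patch plus SMB reachable from a less trusted
    (numerically higher) level scores highest. Returns (score, name, sources)."""
    scored = []
    for a in assets:
        missing = required_patch not in a.patches
        sources = exposed_smb_sources(a, rules)
        less_trusted = {s for s in sources if s > a.purdue_level}
        score = 0
        if missing:
            score += 1              # unpatched at all
        if missing and sources:
            score += 1              # unpatched and SMB reachable from somewhere
        if missing and less_trusted:
            score += 2              # unpatched and reachable from a less trusted level
        scored.append((score, a.name, sorted(less_trusted)))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


# Constructed sample inventory and rule set (not real data).
SAMPLE_ASSETS = [
    Asset("eng-workstation-01", 3, {"EXAMPLE-SMB-PATCH"}, {445, 3389}),
    Asset("hmi-line-2", 2, set(), {445}),
    Asset("plc-line-2", 1, set(), {502}),
    Asset("historian-dmz", 3.5, set(), {445, 1433}),
]
SAMPLE_RULES = [
    Rule(4, 3.5, 445),   # enterprise -> DMZ file share: expected path
    Rule(3.5, 3, 445),   # DMZ -> site operations
    Rule(4, 2, 445),     # enterprise -> supervisory LAN directly: bypasses the DMZ
    Rule(2, 1, 502),     # HMI -> PLC Modbus
]

if __name__ == "__main__":
    for score, name, srcs in rank_assets(SAMPLE_ASSETS, SAMPLE_RULES, "EXAMPLE-SMB-PATCH"):
        print(f"{score}  {name:20s} SMB reachable from less trusted levels: {srcs}")
    for r in segmentation_violations(SAMPLE_RULES):
        print(f"DMZ bypass: level {r.src_level} -> level {r.dst_level} tcp/{r.port}")
```

The scoring deliberately treats "unpatched but unreachable over SMB" as low priority: in an OT environment where every patch carries downtime cost, the assets that warrant an immediate maintenance window are those that are both unpatched and reachable from a less trusted zone, which is exactly the combination NotPetya exploited.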
NotPetya did not target industrial environments specifically. But due to its self-spreading capabilities and its use of an SMB vulnerability present in many OT environments, it wrought widespread havoc at industrial sites. NotPetya was a wake-up call for many CISOs and a harbinger of a new paradigm where the overlap between IT and OT security threats is more broadly recognized and prioritized.
Having either witnessed or experienced the devastation of NotPetya within infected OT environments, security leaders were left with a newfound appreciation of the ability of IT security threats to spill over into OT environments, as well as the importance of IT-OT segmentation as industrial environments grow increasingly digitized.