Just 9 Companies Lost $1.8 Billion! There are viruses that have done even more damage but this unique RansomWare variant has been devastating.
It’s worth noting NotPetya may be one of the most destructive pieces of malware ever and we previously broke the news that it could exceed the $4 billion of damage caused by WannaCry! We now comfortably predict the damage is $10 billion dollars or more.
Otherwise known as aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya, Diskcoder.C and originally thought to be RansomWare – because it asks for a ransom, the software actually makes computers unusable by destroying data across a network.
Below is just one example of what damage this destructive did in the wild:
The NotPetya malware infection shut down the pharmaceutical giant Merck’s production of the pediatric vaccine GARDASIL last June, forcing the company to borrow the drug from a stockpile maintained by the U.S. Centers for Disease Control and Prevention to meet demand. The anecdote was contained in a quarterly filing by Merck with the U.S. Securities and Exchange Commission (SEC). That filing also showed that the company continues to suffer financial fallout from the outbreak of the NotPetya malware in June, reducing both sales and revenue for the quarter by hundreds of millions of dollars. In its quarterly 8-k filing, Merck said that revenue for the quarter was "unfavorably impacted" by around $135 million due to "lost sales in certain markets related to the cyber-attack." Sales in the third quarter of 2017 were also reduced by around $240 million, which Merck chalked up to production shutdowns resulting from NotPetya. In a chilling insight into the extent of the disruption the malware caused to Merck's operations, the company disclosed that part of its quarterly losses were linked to the interruption of its production of GARDASIL, a vaccine used to prevent Human Papillomavirus (HPV) which is linked to certain cancers and other diseases. To make up for what it described as "overall higher demand than originally planned," Merck was forced to borrow the vaccine from a stockpile maintained by the U.S. Centers for Disease Control (CDC), the company said.
And we are just getting started according to Security Ledger:
In September, for example, FedEx disclosed that the NotPetya ransomware outbreak in late June cost it an estimated $300 million dollars and forced the company to miss its fiscal first quarter earnings. Worldwide operations of that company’s TNT Express division were “significantly affected during the first quarter by the June 27 NotPetya cyber attack,” the company reported.
Also, in July international snack and candy maker Mondelez of Deerfield, Illinois said that the cyber attacks of June 27 will erase 3% from the company’s second quarter growth. Also, Reckitt Benckiser, a maker of consumer products like Nurofen and Durex condoms said that it expected losses of £110m ($142m), a second quarter sales drop of 2% compared to a year earlier and a 1 percent hit to its expected annual revenue growth.
Another company hit was French Saint-Gobain who took a $230 million loss of sales due to NotPetya. England-based Reckitt Benckiser Group Plc. Lost $129 million in sales as a result of this malware.
Mondelez didn’t specify how much the attack cost so we did the math for you. They earned $5.99 billion in the second quarter and specified there was a 5% drop in sales or $300 million. Maersk said the attack cost them up to $300 million as well.
Nuance apparently got off easy with only a $15 million hit.
Interestingly, Cyence, a firm that helps insurers measure cyber risk, estimated that economic costs from NotPetya would total $850 million.
Just these nine companies alone account for $1.8 billion in damages or more than double their prediction and our models here at Apex Technology Services show the total economic damage at $10 billion.
Perhaps this should be cause for concern because if their estimate of this hack is so low – then what does that say about their study with Lloyd’s of London where they predicted a global attack could cost $53 billion? Imagine if this was also a gross underestimate.
According to CyberReason:
Over the last two decades, there has been an increase in the quantity and specificity in destructive cyber attacks like NotPetya. Unlike other attacks, these campaigns are designed to destroy data and IT assets. And despite the level of damage caused, they weren’t carried out with advanced methods. Instead, attackers rely on relatively unsophisticated but highly effective tools that are easy to code and execute. Take NotPetya. While initial reports classified the program as ransomware, it was later determined that NotPetya’s behavior more closely matched a boot record wiper, which is a very basic technique.
Even though the majority of cyber incidents are still motivated by espionage or criminal activity, the increased use of destructive tools is an alarming and growing trend. The private sector can’t dismiss the security repercussions of this development. The fiscal fallout from destructive attacks like NotPetya has escalated information security to the level of investors, who are increasingly hearing about these incidents during earnings calls.
The Register has a good summary of how this WMD of the software world works, here is an excerpt:
- The malware uses a bunch of tools to move through a network, infecting machines as it goes. It uses a tweaked build of open-source Mimikatz to extract network administrator credentials out of the machine's running memory. It uses these details to connect to and execute commands on other machines using PsExec and WMIC to infect them. It can either scan subnets for devices or, if it's running on a domain controller, use the DHCP service to identify known hosts.
- It also uses a modified version of the NSA's stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency's stolen and leaked EternalRomance SMB exploit, to infect other systems by injecting malicious code into them. These cyber-weapons attack vulnerabilities were patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates.
- Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organizations employ flat networks in which an administrator on one endpoint can control other machines, or sniff domain admin credentials present in memory, until total control over the Windows network is achieved.
- One way to gain admin access is to use the NSA exploits. Another way is to trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. Another way is to feed a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. It is understood NotPetya got into corporate networks as an admin via a hijacked software update for a Ukrainian tax software tool, and via phishing emails.
- With admin access, the software nasty can not only lift credentials out of the RAM to access other internal systems, it can rewrite the local workstation's hard drive's MBR so that only the malware starts up when the machine reboots, rather than Windows, allowing it to display the ransom note and demand an unlock key; it can also encrypt the NTFS filesystem tables and files on the drive. NotPetya uses AES-128 to scramble people's data.
- Needless to say, don't pay the ransom – there's no way to get the necessary keys to restore your documents. It appears the malware doesn't provide enough information to the extortionists for them to generate a correct unlock key, so it would be impossible to obtain a working decryption key from the crims. And the means to contact the miscreants after paying the money is now shut off, so you're out of luck regardless.
- Not only should you patch your computers to stop the SMB exploits, disable SMBv1 for good measure, and block outside access to ports 137, 138, 139 and 445, you must follow best practices and not allow local administrators carte blanche over the network – and tightly limit access to domain admins. You'd be surprised how many outfits are too loose with their admin controls.
- The precise affected versions of Windows aren't yet known, but we're told Windows 10's Credentials Guard thwarts NotPetya's password extraction from memory.
- Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did
CEOs and board members must understand the importance of cybersecurity or they could be next. They must act quickly to protect themselves from the next hack which may be targeting their organization. Ransomware was shrugged off by many company execs who paid the ransom thinking this was easier to do than taking security and continuity seriously. Now hoever, the tactics have shifted from extortion via ransom and encryption to ouright deletion and destruction.
Perhaps most important is the move to the cloud is being done irresponsibly by many companies who believe it is the job of the cloud vendor to secure their data. This may be the case when using an application but it cannot be taken as a given. Incorrect configuration of cloud solutions can lead to breaches. In addition, PaaS or platform-as-a-service solutions generally require the user to handle security issues themselves.
Here are some of the areas all organizations looking to promote a cybersecurity culture need to focus on:
1. Cybersecurity training must be done regularly.
2. A Cybersecurity policy or handbook must be deployed in every organization.
3. Auditing and documentation must be performed regularly to ensure systems are secure.
4. Anomaly detection should be running constantly to detect threats as they emerge.
5. Penetration testing shows if systems can easily be reached from the outside. Here is a case where this test might have saved two company’s’ reputations from being destroyed.
6. Network forensics for when a breach eventually occurs. The bad guys always seem to get in eventually.
7. A business continuity plan must be in place in all companies and government agencies.
8. An action plan to follow when a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched it’s response in what is being called a PR catastrophe