NotPetya: 2018 in review, part 3

In this series of posts, I’m reviewing some of the key cybersecurity lessons we should take away from 2018. I covered them in a webcast that I did with Microsoft MVP and Windows security expert Randy Franklin Smith. In the previous two posts, I discussed Spectre and Meltdown and that perennial favorite, Adobe Flash. Today, I’ll explore the devastating NotPetya incident and how it should inform any organization’s cybersecurity strategy moving forward.

A (very brief) history of NotPetya

NotPetya has its roots in a family of encrypting ransomware named Petya, which was first seen in 2016. Petya propagates via infected email attachments. Once inside a system, it encrypts the master boot record, rendering the system useless, and demands a ransom in Bitcoin to restore access. In 2017, a new variant of Petya emerged. It was dubbed “NotPetya” (or “Netya” for short) because of important differences from the older variants; in particular, NotPetya propagates via the EternalBlue vulnerability rather than via email attachments. Moreover, even though NotPetya demands a ransom, it cannot actually revert the changes it made and restore access, so it is not so much a ransomware attack as a “destructoware” attack.

Although the big NotPetya attack happened in 2017, I’m including it in this summary of lessons learned in 2018 because it took a while for the cybersecurity community to digest and analyze what happened. As you may recall, ground zero for the attack was Ukraine — it brought down hospitals, power companies, airports, banks, card payment systems and government agencies across the country. But the attack was not limited to Ukraine. In particular, several global corporations were infected, including the pharmaceutical company Merck, FedEx's TNT Express division and shipping giant A.P. Møller-Maersk.

How NotPetya brought a shipping giant to a dead stop

To learn from the NotPetya attack, it’s useful to step through how it unfolded at one particular company. An excellent Wired article from August of 2018, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” recounts in detail what happened at Maersk, and I’ll summarize the key points here.

Maersk’s nightmare had its ultimate root in an innocent request from a finance executive, who asked IT to install an accounting software product called M.E.Doc on a single computer at the company’s Ukraine office. However, unbeknownst to anyone at Maersk, Russian military hackers had broken into the vendor that makes M.E.Doc and embedded their own software into the software installation/update package — giving them a hidden back door into any PC that has M.E.Doc installed. In June of 2017, they used that back door to release NotPetya.

The impact on Merck was both quick and devastating. Within minutes, 17 of its 76 shipping terminals were completely down: The gates weren't opening and cranes were frozen, so literally tens of thousands of trucks were turned away. The recovery effort was massive, involving over 4,000 servers and 45,000 workstations. It required system reinstalls and restores of backups — sometimes IT had to go back seven days to get a backup prior to NotPetya being installed. Even worse, no backups were available for the company’s Active Directory domain controllers. Finally, the team found one domain controller at one little obscure office in Ghana that had been down because of a power blackout since before NotPetya got unleashed. After a comedy of errors that ate up many more precious hours, the hard drive was finally brought to the UK and the IT team could begin bringing core services back online. Still, it was several days before Maersk was able to resume taking orders on its website, more than a week before its shipping terminals started functioning with any degree of normalcy, and two weeks before the company could begin reissuing PCs to most of its staff. Maersk estimated that NotPetya cost it between $250 million and $300 million, though staffers privately suggested the total was actually much higher.

How to defend against ransomware attacks and other security threats

What are the key lessons we should take away from this story? Clearly, the answer is much broader than “invest in good ransomware protection” or “buy the best ransomware removal tools.” There is simply no getting around the fact that you have to be absolutely fastidious about the basics. For starters, back up everything of value regularly and test those backups. In particular, back up Active Directory and store the backups offline. Be sure you can restore everything, from individual attributes of a particular object all the way up to the operating system level across your entire Active Directory forest. Segment your network so that malware cannot easily spread. Stop using Windows 2000 and other outdated software. Be faithful about patching — there were patches available for the EternalBlue vulnerability that could have helped block the spread of NotPetya.

Next, follow Active Directory management and Active Directory security best practices. For instance, establish security policies that restrict endpoints to running only code that has been signed by a trusted vendor. But remember that M.E.Doc was white-listed by many companies. Even if a piece of software is from a trusted software vendor and signed with a valid digital signature, you can’t be certain that it's free of malware.

Therefore, you also need effective Active Directory auditing so you carefully watch the behavior of users and systems. It’s essential to choose a solution that can automate response to threats — it took just 45 seconds for NotPetya to bring down the network of one large Ukrainian bank, and a portion of one major Ukrainian transit hub was fully infected in 16 seconds.


That’s it for NotPetya. In my next post, I’ll explore the Equifax breach, so be sure to watch this blog! In the meantime, take a few minutes to learn about best practices for minimizing the insider threat by checking out our ebook, “Enhancing Active Directory Security & Lateral Movement Detection.

Read the white paper