It’s been three days since the outbreak of NotPetya, and we are beginning to learn more about it. Here are some quick things to know and some steps each company should take to help protect itself.
- NotPetya moves quickly within an infected system, using IT administrator tools (like Windows Management Instrumentation Command-line (WMIC) and PsExec) to avoid detection. Unlike WannaCry, however, NotPetya does not appear to search the Internet for other systems to infect.
- The first wave of the outbreak appears to have come through a software update system used by Ukrainian companies working with the Ukrainian government. A second wave of infections came from a phishing campaign.
- While NotPetya ostensibly acts as ransomware, researchers are questioning whether money is a motivating factor. Experts point to a crude payment mechanism that was quickly shut down, and to the fact that NotPetya’s outbreak centered on Ukraine. There is some fear that the malware’s encryption is a smokescreen for the undetected installation of new malware capable of delivering payloads, or simply a means to destroy systems and data.
- While the spread of infections appears to have slowed, the danger of infection remains.
Essential steps to take to try to reduce the risk of having your company’s network infected:
- Update your software. Obsolete versions of Microsoft Windows are especially vulnerable, but it is critical that all systems be updated with the latest security patches to close the existing vulnerabilities that malware seeks to exploit. However, NotPetya is able to infect many patched systems once it gains an entry point, so patching alone is not enough.
- Train your employees on cyber risks and appropriate behavior when opening emails or surfing the Internet.
- Improve and implement threat detection capabilities in your company’s systems, especially detection of anomalous internal activity. Attackers are using legitimate IT administration tools to move within a system, evading outdated security mechanisms that look only for known malware.
- Vendors and service providers are a real and significant source of malware risk. Know what cybersecurity measures and data policies your vendors use. Ensure that risk is appropriately allocated in your company’s vendor agreements.
- Backup. Backup. Network backup and recovery plans are essential for a company’s ability to bounce back from a massive Petya-like attack. Traditional tape backup is not sufficient. The ability to restore networks, systems and databases, including those in the cloud, is critical. There are specialized technologies that may help to reduce recovery times if your systems are infected.
- Dust off your incident response plan and consider how it works when all systems, email and phones (and potentially the ability to reach decision-makers) are unavailable.
- Bring in a specialized consulting firm to conduct an in-depth assessment of your company’s risks in light of new threats – traditional SOC 2 or similar assessments may not provide the appropriate information to understand your current threat and recovery status. Consider doing the assessment at the direction of counsel in order to retain privilege if the results show potential non-compliance with regulatory or contractual requirements.
- Obtain cyber insurance. Insurance can defray costs and carriers can offer additional services to help mitigate cyber risks. Make sure the policy language is reviewed for gaps based on your particular business risks, as each cyber insurance policy has different coverages and exclusions. The particular language of the policy may make a significant difference in the coverage you receive when a cyber incident occurs.
- Speak with your cyber counsel and prepare today.
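The recommendation above to detect anomalous internal activity can be illustrated with the very tools the article names: WMIC remote process creation and PsExec. The following Python script is an added example, not code from the original post; it runs a few simple rules over constructed process-creation log lines (Sysmon-style, in an assumed pipe-delimited format with made-up host names) and also flags a source host that reaches several distinct targets, the fan-out pattern of lateral spread. Benign remote WMIC queries without "process call create" are deliberately left quiet to keep noise down.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style), not
# real telemetry. Fields: host|user|parent_image|image|command_line
SAMPLE_EVENTS = r"""
WS01|CORP\alice|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:"WS02" /user:"CORP\svc" process call create "cmd /c C:\temp\x.dat"
WS01|CORP\alice|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:"WS03" process call create "cmd /c C:\temp\x.dat"
WS01|CORP\alice|C:\Windows\System32\cmd.exe|C:\temp\psexec.exe|psexec.exe \\FS01 -accepteula -s cmd /c C:\temp\x.dat
ADM01|CORP\itops|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:"PRN01" printer list brief
WS02|CORP\bob|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|WINWORD.EXE invoice.docx
"""

# WMIC remote execution needs both a /node: target and "process call create".
WMIC_NODE = re.compile(r'/node:\s*"?(?P<target>[^"\s]+)"?', re.IGNORECASE)
WMIC_EXEC = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
# PsExec names its target as a UNC-style \\HOST argument.
PSEXEC_TARGET = re.compile(r"\\\\(?P<target>[^\s\\]+)")

def detect_lateral_movement(events_text, fanout_threshold=2):
    """Return alerts for remote execution via WMIC/PsExec plus a fan-out alert
    when one source host reaches at least fanout_threshold distinct targets."""
    alerts = []
    targets_by_source = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        host, user, _parent, image, cmd = line.split("|", 4)
        exe = image.rsplit("\\", 1)[-1].lower()
        target = rule = None
        if exe == "wmic.exe":
            node = WMIC_NODE.search(cmd)
            # Remote inventory queries (no "process call create") stay quiet.
            if node and WMIC_EXEC.search(cmd):
                target, rule = node.group("target"), "wmic_remote_exec"
        elif exe in ("psexec.exe", "psexec64.exe"):
            unc = PSEXEC_TARGET.search(cmd)
            if unc:
                target, rule = unc.group("target"), "psexec_remote_exec"
        if target:
            alerts.append({"rule": rule, "source": host, "target": target, "user": user})
            targets_by_source[host].add(target.lower())
    # One host pushing commands to several others is the lateral-spread signal.
    for source, targets in targets_by_source.items():
        if len(targets) >= fanout_threshold:
            alerts.append({"rule": "lateral_fanout", "source": source,
                           "target": ",".join(sorted(targets)), "user": None})
    return alerts
```

In a real deployment the threshold and the benign-query exclusions would be tuned against your own administrators' normal behaviour, which is the baseline that makes the activity "anomalous".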