Nearly one year ago, on May 12, 2017, WannaCry ransomware successfully compromised more than 400,000 computers and servers running Microsoft Windows. The cybersecurity attack paralyzed healthcare systems, government agencies, universities and many other industries in more than 150 countries with the total cost of damages estimated at nearly $1 billion.

Several weeks later, Microsoft Windows systems were targeted by the NotPetya ransomware. NotPetya rapidly spread throughout Europe, infecting airline companies, financial institutions and utilities. In just one repercussion, the attack cost Maersk, the world’s largest container ship and supply vessel operator, up to $300 million in damages.

Both attacks had devastating, and perhaps business-ending, ramifications for companies worldwide. However, they also acted as a wake-up call for all organizations about the importance of a robust cybersecurity program. So, what exactly happened? How did companies respond? And how far have we actually come in just one year?

How it happened

NotPetya and WannaCry certainly had their fair share of similarities, but each was distinct in its tactics. Arguably, the threat actors behind NotPetya took detailed notes from the WannaCry attack and were sure not to make the same “mistakes.” A few of the similarities and differences between the two include:

Similarities:

  • Targeted systems running on the Windows operating systems (OS)
  • Took advantage of EternalBlue – the Windows Server Message Block (SMB) exploit – which was released by the well-known threat actor group “Shadow Brokers”
  • Victims were ordered to pay a ransom in Bitcoin in order to retrieve access to their data

Differences:

  • NotPetya took advantage of the EternalRomance vulnerability, which enables remote privilege escalation on certain versions of Windows
  • Patching out-of-date operating systems protected organizations targeted by WannaCry. However, NotPetya was still able to penetrate patched systems
  • WannaCry’s motivation was purely financial, and data was recoverable. NotPetya’s intent, however, was wide-scale operational disruption to businesses and government agencies

WannaCry specifically exploited unpatched Windows systems using EternalBlue or DoublePulsar. It propagated by scanning for new hosts with services listening on TCP/445, the port that carries Microsoft’s SMB file-sharing service, a.k.a. Windows File Sharing. Once it discovered a vulnerable system, it used the tools leaked by Shadow Brokers to gain access and encrypt the victim’s data. The infected computer then displayed a pop-up window with instructions for paying an initial $300 ransom and two countdown clocks. The first clock gave a three-day deadline before the ransom jumped to $600, and the second clock gave a seven-day deadline before all data was deleted and unrecoverable.

NotPetya, on the other hand, went beyond encrypting files: if the malware gained administrative rights, it also modified the Master Boot Record of the machine – effectively rendering it useless. Additionally, while NotPetya attempted to infect machines via Windows File Sharing protocols, it did not rely solely on finding a vulnerable system running Windows File Sharing in order to succeed. If this vector failed, NotPetya was able to move laterally and gain access to other systems on the network. NotPetya differs from the earlier Petya malware primarily in its methods of propagation.
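The propagation pattern described above has a simple defender-side signature: one internal host suddenly contacting many distinct peers on TCP/445 in a short time, most of them unsuccessfully. The following Python sketch is an added example, not code from the original article. It reads constructed firewall-style connection records and flags any source that fans out to an unusually large number of distinct SMB peers inside a sliding window; the log format, the 60-second window and the threshold of ten peers are assumptions, and every record in SAMPLE_LOG is constructed.

```python
"""Flag hosts that fan out to many SMB (TCP/445) peers: a minimal detector
for worm-style propagation of the kind WannaCry and NotPetya used.
Added example; the log format and thresholds are assumptions, and the
sample records below are constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines: timestamp, src, dst, dst-port, firewall action.
# 10.0.1.15 sweeps 13 neighbours on 445 in ten seconds (mostly denied);
# 10.0.1.40 is a normal client talking to two file servers;
# 10.0.1.50 is HTTPS traffic and is not SMB at all.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445 allow
2017-05-12T10:00:02 10.0.1.15 10.0.1.21 445 allow
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445 deny
2017-05-12T10:00:03 10.0.1.15 10.0.1.23 445 deny
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445 deny
2017-05-12T10:00:04 10.0.1.15 10.0.1.25 445 deny
2017-05-12T10:00:05 10.0.1.15 10.0.1.26 445 deny
2017-05-12T10:00:05 10.0.1.15 10.0.1.27 445 deny
2017-05-12T10:00:06 10.0.1.15 10.0.1.28 445 deny
2017-05-12T10:00:07 10.0.1.15 10.0.1.29 445 deny
2017-05-12T10:00:08 10.0.1.15 10.0.1.30 445 deny
2017-05-12T10:00:01 10.0.1.40 10.0.1.5 445 allow
2017-05-12T10:00:30 10.0.1.40 10.0.1.5 445 allow
2017-05-12T10:00:31 10.0.1.40 10.0.1.6 445 allow
2017-05-12T10:00:09 10.0.1.50 203.0.113.9 443 allow
2017-05-12T10:00:10 10.0.1.15 10.0.1.31 445 deny
2017-05-12T10:00:11 10.0.1.15 10.0.1.32 445 deny
"""


def parse_log(text):
    """Turn the whitespace-separated records into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "dport": int(dport), "action": action})
    return events


def find_smb_fanout(events, window=timedelta(seconds=60), threshold=10, port=445):
    """Return one alert per source that contacted at least `threshold`
    distinct hosts on `port` within some `window`-long interval.

    Each alert records the source, the peak distinct-peer count, the share
    of attempts the firewall denied (blind scanning fails a lot) and the
    start of the offending window."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == port:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):          # slide a window over each start point
            dsts, denied, total = set(), 0, 0
            for e in evs[i:]:
                if e["ts"] - start["ts"] >= window:
                    break
                dsts.add(e["dst"])
                total += 1
                if e["action"] != "allow":
                    denied += 1
            if len(dsts) >= threshold and (best is None or len(dsts) > best["distinct_dst"]):
                best = {"src": src, "distinct_dst": len(dsts),
                        "denied_ratio": round(denied / total, 2),
                        "start": start["ts"].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_smb_fanout(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed records, only 10.0.1.15 trips the detector (13 distinct peers, roughly 85% of attempts denied); the normal client and the HTTPS session do not. In a real deployment the same logic would sit on NetFlow or firewall logs, and the denied ratio is the useful tie-breaker against legitimate hosts that genuinely talk to many file servers, such as backup or inventory systems.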

Lasting impact

The short-term impact of both attacks was devastating for many organizations. Our team estimated that more than $100,000 was collected in paid ransoms during WannaCry alone, and very few – if any – who paid the threat actors had their data unlocked, largely due to a U.K. researcher registering the domain used in WannaCry’s kill switch.

However, the long-term effect of these attacks on industries is still being determined. ZDNet recently reported that the National Health Services (NHS) – one of the most high-profile victims of WannaCry – “is failing to implement the required cybersecurity measures to ensure the organization doesn’t suffer from similar onslaught in the future… because the Department of Health still doesn’t know what financial impact the WannaCry cyberattack had on the NHS.”

Another long-term concern is that organizations will see events like these as “business as usual” and become complacent. And while these types of attacks may continue to rise, organizations should be leveraging both proactive and reactive security processes to ensure such attacks are less effective and less damaging. Of course, we will see a plethora of new “point solutions” on the market claiming to solve issues like WannaCry and NotPetya. However, without a well-trained and dynamic security program and team that leverages proactive and reactive processes and controls, these solutions will be ineffective in protecting against the next big threat.

Surely, NotPetya and WannaCry served as a much-needed wake-up call, not only to companies but to regulators and insurers as well. It wouldn’t be surprising to see stricter guidelines for regulated industries, or a stronger call for cyber insurance, coming down the pipeline in the next several years.

Compliance regulations are the foundation for everything security programs do – once those basic security measures are in place, organizations can truly start addressing the threats targeting the business. The problem remains, though, that the large majority of organizations equate compliance requirements with security. Nothing is further from the truth. Leaders in the security space should successfully communicate how to address the actual threats facing their organizations with countermeasures that are effective in both cost and threat mitigation. Additionally, although cyber insurance is still in its infancy, having well-documented programs in line with industry standards, such as those published by the National Institute of Standards and Technology (NIST), will go a long way toward aiding discussions with underwriters. The name of the game is education and speaking in business terms.

Lessons learned

Unpatched software and outdated legacy systems are two of the fundamental reasons NotPetya and WannaCry were so successful. In fact, some of the biggest data breaches within the past five or six years involved vulnerabilities that were left unpatched for more than a year. Often, organizations view updating software as an unnecessary expense – why fix something that isn’t really broken, right? A lack of updates leaves your network vulnerable to a cyberattack. At the same time, the fact that unsupported systems are non-compliant with many auditing standards is what saved a number of major U.S. companies from being affected.

Beyond patching and removing legacy systems from your environment, WannaCry and NotPetya shed light on the vast number of organizations around the globe that lack sufficient security programs. Most organizations either overreacted or were too slow in addressing the issue – both responses ended up putting egg on the faces of the security leaders. A methodical, business risk-based approach is essential when threats such as these face an organization of any size. Developing countermeasures and dynamic processes for both reactive and proactive measures, as well as conducting trainings and tabletop exercises prior to an attack, are key to success.

There’s no definitive proof that these attacks could have been avoided; threat actors have repeatedly proven their tenacity and creativity when it comes to wreaking havoc. However, the damaging effects could have been significantly reduced. The recent example of Boeing being hit by WannaCry proves just that.

Even though the worst of the storm is over, it doesn’t mean the rain has stopped. Both attacks have the potential to rear their ugly heads once more and cause even further reputational and financial damage to major companies. It’s not enough to repair the damage, or to consider yourself lucky if your organization wasn’t among those impacted. Maintaining a strong cybersecurity posture year-round will ensure business-critical data is safe, as well as instill peace of mind during the next, inevitable wide-scale data breach.