7 defense lessons learned from the Petya.2017 attack
Latest malware attack reveals important steps healthcare organizations should take now.
Petya.2017 reveals new threats posed by malware
Three security firms, Comae Technologies, Symantec and Tom Walsh Consulting, are among those that have released guidance on the Petya.2017 malware, which hit industries across the globe, including the U.S. healthcare system.
1. Understand how each malware strain attacks
Petya.2017 is not designed to make money, according to a comprehensive primer by security experts at Comae Technologies. “The goal of a wiper is to destroy and damage. The goal of a ransomware attack is to make money.” While victims of ransomware may eventually be able to recover their files, a wiper rules out restoration, Comae Technologies warns. With Petya.2017, the disk is encrypted with a randomly generated key, and the “installation key” shown to the victim is random data with no relationship to that key, so even a paying victim can never have the disk decrypted.
2. Differentiate attackers’ motives and capabilities
Gavin O’Gorman, a Symantec investigator, examines the motive behind the attack using two theories. The first holds that the attacker or attackers are technically capable but not particularly clever: the criminals used a single bitcoin wallet and a single email account for contact, which is a poor way to collect payment, according to the firm. “The email account was rapidly suspended by its provider, thus disabling the ability of the attacker to interact with victims,” he notes.
3. Anticipate the scope of potential disruption
The second theory suggests that the motive was disruption, particularly of multiple organizations in Ukraine. Perhaps, O’Gorman says, the attack was never intended to make money, and the non-Ukrainian organizations affected may have been collateral damage. “There was no attempt to spread across the Internet by attacking random IP addresses,” he adds. “This attack was an ineffective way to make money, but a very effective way to disrupt victims and sow confusion.”
4. Implement ‘kill switches’
To blunt this kind of attack, healthcare organizations should implement a “kill switch” for the malware on any PC that holds important files, advises Keith Fricke, partner at the Tom Walsh Consulting security practice.
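Fricke does not name the mechanism. The kill switch that circulated for this variant in June 2017 was the so-called “vaccine”: the dropper looks in the Windows directory for a file carrying its own module name without extension (the sample was distributed as perfc.dat, hence the file names below) and exits if it finds one. The script below is an added example, not code from the article or from any of the firms quoted; it creates the marker files and marks them read-only, as the published advice recommended, and takes the Windows directory as a parameter so it can be exercised against a scratch folder. Because the check keys off the malware’s own file name, a renamed sample would skip it, so this is containment for one variant, not a substitute for patching the vulnerabilities it spread through or restricting administrative credentials.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names published by researchers in June 2017 for the Petya.2017 existence check.
# Known fact about this variant; the article itself does not name them.
VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def vaccinate(windir=None):
    """Create empty, read-only marker files the dropper checks for before running.

    windir defaults to %SystemRoot% (C:\\Windows); pass a directory explicitly
    to test on a scratch folder. Returns the list of marker paths.
    """
    windir = Path(windir or os.environ.get("SystemRoot", r"C:\Windows"))
    created = []
    for name in VACCINE_NAMES:
        marker = windir / name
        if not marker.exists():
            marker.touch()
        # Read-only: on Windows this sets the read-only attribute, which is what the
        # circulated advice asked for; on POSIX it drops the write bits.
        marker.chmod(stat.S_IREAD)
        created.append(marker)
    return created


def is_vaccinated(windir):
    """True when every marker exists as a plain file with no owner write bit."""
    windir = Path(windir)
    for name in VACCINE_NAMES:
        marker = windir / name
        if not marker.is_file():
            return False
        if marker.stat().st_mode & stat.S_IWUSR:
            return False
    return True


def demo():
    """Run the vaccine against a constructed scratch directory and report the outcome."""
    scratch = tempfile.mkdtemp(prefix="fake_windir_")
    before = is_vaccinated(scratch)
    vaccinate(scratch)
    return {"before": before, "after": is_vaccinated(scratch), "dir": scratch}


if __name__ == "__main__":
    print(demo())
```

On a real host run it elevated and without arguments so it writes to %SystemRoot%; the function is idempotent, so it can sit in a login script or be pushed by a management tool without harm if the files already exist.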
5. Move quickly and anticipate attacks
“The biggest trick to know during a rebuild actually starts way before the rebuild,” Fricke adds. At the first sign of infection by this Petya variant, or by any future malware, organizations need to do several things quickly, which means advance planning is essential.
6. Contain the spread of infection
One of the most critical moves is containing the spread of infection: checking the known attack vectors and addressing the vulnerabilities they exploit, checking backups to see when the last successful ones ran, and monitoring any data replication to ensure encrypted files aren’t being backed up, Fricke says.
7. Maximize advance preparation
Lastly, Fricke emphasizes the need for good backup management. “Given that no means of decryption exists, any files not backed up are lost,” he says.
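Fricke’s two backup points, watching replication so encrypted files are not copied over good ones and knowing which backup set is still clean, both come down to telling encrypted data from normal data before it reaches the backup target. The script below is an added example, not code from the article or from Tom Walsh Consulting; it samples each file in a staging directory, computes the Shannon entropy of the sample, flags files that look encrypted, and returns a halt decision when the flagged share crosses a threshold. The directory layout, file contents, entropy threshold and halt ratio are all assumptions chosen for illustration. Two caveats a practitioner should keep in mind: formats that are compressed by design (images, office documents, archives) are high-entropy too and are skipped here by extension, and this catches file-level encryption only; Petya.2017’s disk-level encryption of the boot sector and file table is invisible to a file scan and shows up instead as a host that no longer boots.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are high-entropy by design; flagging them would drown the signal.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                  ".docx", ".xlsx", ".pptx", ".pdf"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; text and most office data sit well below this (assumed)
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read
HALT_RATIO = 0.20         # halt replication if this share of checked files looks encrypted (assumed)


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """True when the file's head is near-random and the format is not compressed by design."""
    if path.suffix.lower() in COMPRESSED_EXT:
        return False
    with path.open("rb") as f:
        head = f.read(SAMPLE_BYTES)
    # Very short files give unreliable entropy estimates, so they are never flagged.
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root):
    """Scan a replication staging tree and decide whether the job should proceed."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    suspicious = sorted(str(p.relative_to(root)) for p in files if looks_encrypted(p))
    ratio = len(suspicious) / len(files) if files else 0.0
    return {
        "checked": len(files),
        "suspicious": suspicious,
        "ratio": ratio,
        "halt_replication": ratio >= HALT_RATIO,
    }


def demo():
    """Build a constructed staging tree (not real patient data) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="backup_stage_"))
    (root / "notes.txt").write_text(
        "Patient arrived at 09:15 for follow-up. Vitals within normal range.\n" * 200)
    (root / "labs.csv").write_text("mrn,test,value\n" + "1001,HbA1c,6.1\n" * 300)
    # High entropy but an expected compressed format: must not be flagged.
    (root / "scan.jpg").write_bytes(os.urandom(8192))
    # Random bytes standing in for a file the malware encrypted in place.
    (root / "billing.xml").write_bytes(os.urandom(8192))
    return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Run it as a pre-flight step in the replication job: a `halt_replication` of True should stop the copy and page the on-call engineer, because the alternative is overwriting the last clean backup with ciphertext, which is exactly the loss Fricke describes.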