7 defense lessons learned from the Petya.2017 attack
Latest malware attack reveals important steps healthcare organizations should take now.
Petya.2017 reveals new threats posed by malware
Three security firms, Comae Technologies, Symantec and Tom Walsh Consulting, are among those that have released guidance on the Petya.2017 virus affecting industries across the globe, including the U.S. healthcare system.
1. Understand how each malware strain attacks
Petya.2017 is not designed to make money, according to a comprehensive primer by security experts at Comae Technologies. “The goal of a wiper is to destroy and damage. The goal of a ransomware attack is to make money.” While victims of ransomware may eventually be able to recover their files, a wiper rules out any possibility of restoration, Comae Technologies warns. With Petya.2017, the disk is encrypted with a randomly generated key, so it can never be decrypted.
2. Differentiate attackers’ motives and capabilities
Gavin O’Gorman, a Symantec investigator, examines the motive behind the attack through two theories. The first implies that the attacker or attackers are technically capable but not particularly smart: the criminals used a single bitcoin wallet and a single email account for contact, which is not an effective way to collect payment, according to the firm. “The email account was rapidly suspended by its provider, thus disabling the ability of the attacker to interact with victims,” he notes.
3. Anticipate the scope of potential disruption
The second theory suggests that the motive could be disruption, particularly of multiple organizations in Ukraine. Perhaps, O’Gorman says, the attack was never intended to make money, and the non-Ukrainian organizations affected may have been hit unintentionally. “There was no attempt to spread across the Internet by attacking random IP addresses,” he adds. “This attack was an ineffective way to make money, but a very effective way to disrupt victims and sow confusion.”
4. Implement ‘kill switches’
To prevent these kinds of attacks, healthcare organizations should implement a “kill switch” for the malware on any PC that holds important files, advises Keith Fricke, partner at the Tom Walsh Consulting security practice.
5. Move quickly and anticipate attacks
“The biggest trick to know during a rebuild actually starts way before the rebuild,” Fricke adds. At the first sign of infection by this Petya variant, or by any future malware, organizations need to do several things quickly, which means advance planning is essential.
6. Contain the spread of infection
One of the most critical moves is containing the spread of infection: checking the known attack vectors and addressing vulnerabilities, checking backups to see when the last successful ones ran, and monitoring any data replication to ensure encrypted files are not being backed up, Fricke says.
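The last of those checks, keeping encrypted files out of the backup set, can be automated as an entropy screen. The following is an added example, not code from the article or from any of the firms it quotes; it assumes a hypothetical in-memory staging area and uses constructed sample data, holding a file when its byte entropy jumps sharply against the value recorded at the last verified backup.

```python
import hashlib
import math
from collections import Counter

ABSOLUTE_THRESHOLD = 7.5  # bits/byte: ciphertext sits near 8.0, text near 4-5
JUMP_THRESHOLD = 2.0      # bits/byte increase versus the file's last good copy

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def screen_backup_set(staged: dict, last_good: dict) -> dict:
    """Return {path: "replicate" | "hold"}; staged = {path: bytes} awaiting
    replication (hypothetical in-memory stage), last_good = {path: entropy}
    from the last verified backup. A file is held when its entropy jumps sharply
    against its last good copy, or has no history and already looks encrypted;
    the baseline keeps legitimately dense files (zip, jpeg) from being flagged."""
    verdicts = {}
    for path, data in staged.items():
        h = shannon_entropy(data)
        baseline = last_good.get(path)
        if baseline is None:
            hold = h >= ABSOLUTE_THRESHOLD
        else:
            hold = (h - baseline) >= JUMP_THRESHOLD
        verdicts[path] = "hold" if hold else "replicate"
    return verdicts

def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for encrypted bytes: a SHA-256 chain (constructed)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed sample set: a plaintext record, an already-dense archive unchanged
# since the last backup, and a record that has been encrypted since then.
RECORD = b"patient_id,visit_date,diagnosis_code\n000123,2017-06-27,J18.9\n" * 64
STAGED = {"records/visits.csv": RECORD,
          "images/scan.zip": pseudo_ciphertext(4096),
          "records/billing.csv": pseudo_ciphertext(4096)}
LAST_GOOD = {"records/visits.csv": shannon_entropy(RECORD),
             "images/scan.zip": shannon_entropy(pseudo_ciphertext(4096)),
             "records/billing.csv": shannon_entropy(RECORD)}
```

Only `records/billing.csv` is held: its entropy rose from text-like to ciphertext-like, while the archive, dense on both runs, replicates normally.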
7. Maximize advanced preparation
Lastly, Fricke emphasizes the need for good backup management. “Given that no means of decryption exists, any files not backed up are lost,” he says.