The most revealing statistics on the ExPetr attack, which was aimed specifically at the corporate sector. We have already noted more than once that in recent years the attention of cybercriminals has shifted from ordinary users to organizations, and cryptographers are no exception. Blocking access to files necessary for doing business, such as databases, important documents, etc., allows you to claim large amounts and receive ransom more often.
Such attacks pose a particular threat to enterprises with critical infrastructure, since the activity of malware can harm the production process, deprive operators of operational control and lead to the shutdown of processes.
Among the companies attacked by the ExPetr (Petya) malware, we see many industrial enterprises. Among them are electricity, oil and gas, transport, logistics and other companies.
How does the virus affect the IT infrastructure – what are the possible scenarios, from optimistic to Armageddon?
The only optimistic scenario for any cyber attack is to prevent an invasion. If malware infiltrated the corporate network, or, even worse, the industrial network, the consequences could be dire. Loss or data leakage will have very significant consequences for organizations, and if attackers can stop the power plant from operating, this will affect the lives of many people. Examples are already known when, as a result of cyberattacks, production was stopped, cities were deprived of power supply, and even the whole country’s nuclear program was suspended.
What are the patterns / scenarios of this type of virus spread?
In the case of ExPetr, we tracked several malware distribution vectors. For example, users visited hacked and infected sites, where in the background they received a malicious file disguised as a system update. Also, for the spread of infection, a system was used to automatically update some third-party programs – in particular, MEDoc bank reporting software.
According to our data, in 2017 more than 300,000 new malicious samples are detected per day. Unfortunately, means that it is almost impossible to predict exactly how the attackers will try to carry out the attack next time. Therefore, it is so important to comprehensively approach the organization of a cybersecurity system. To protect against penetration, we recommend that you train employees in the basics of cybersecurity specialist (and for employees of industrial facilities – conduct specialized training); install modern and protective solutions on all devices with network access that necessarily include behavioral detection mechanisms; Do not disable critical components of these solutions regularly put all updates; use control and monitoring tools for protective solutions from a single point.
What are the recommended actions if infection does occur?
When infected with encryptors, users can restore data from backups. If this can’t possible, then we should go to the No More Ransom website, this is a joint international initiative of Kaspersky Lab, McAfee, Europol and the Dutch police aimed at combating ransomware Trojans. Over the year the portal’s operation has been decrypted, more than 28 thousand devices infected with malware have been decrypted, and the amount of money saved on the purchase of money amounted to 8 million euros. Now on the website www.nomoreransom.org you can find 54 utilities for decrypting files that successfully struggle with 104 families of ransomware.
What changes in the IT infrastructure can reduce the likelihood of getting infected with this type of virus? And what changes in the IT infrastructure will reduce the severity of the consequences of a possible virus infection?
It is important to understand that modern IT infrastructure does not always suffer from viruses. According to our study, which was attended by more than 350 representatives of industrial organizations around the world, including Russia, industrial enterprises suffered from cyber threats associated with malware (53%), targeted attacks (36%), intentional or unintentional actions of employees (29 %) etc. To prevent or significantly reduce the severity of the consequences, it is important to understand the current threat landscape, to know the possible risks, to assess which methods of protection are most effective, and, of course, to work to raise employee awareness of new cyber threats.
If we talk about protecting the current industrial infrastructure, then we can very tentatively distinguish 6 important steps to cybersecurity:
- An objective assessment of the security of existing systems and identification of current threats
- Documentation of processes and procedures
- Training staff and constantly raising their awareness of cyberthreats and preventive measures
- Network segmentation and network flow management
- Configure built-in security mechanisms for systems
- Continuous monitoring of system activity and condition.