The Petya Predicament: Proactively Predicting Problems

Well, it’s official. Ransomware is bad. Anyone surprised? Me either.

WannaCry made headlines, and now Petya builds off of that attack with a different infiltration method (good old email) and the ability to move beyond file encryption to actually tampering with the Master Boot Record, among other tweaks. This news cycle includes lots of discussion about types of encryption, file-level vs boot-level attacks, presence or absence of so-called “killswitches” and the attendant need for internet connectivity—but focusing on those details risks missing the point.

Ransomware is bad because it’s working. Until we can make it stop, it will get worse before it gets better. But we can lessen the impact dramatically, if we make a concerted effort. Let’s look at the three major steps to pulling the power out of Petya.

Don’t wait - SIMULATE!

What’s the best way to stay ahead of new attacks? Protect against the old ones. No, it’s not a time travel paradox… Let me give you an example:

SafeBreach customers already know if their security controls are protecting their businesses against Petya. In fact, they knew before the attack was launched. How is that possible? How can we predict the future?

Well, as is often the case, today’s “new” attack is really just a variation of yesterday’s “old news.” Petya uses the same methods as previous attacks, for which SafeBreach already has simulations.

Our customers run these simulated attacks safely within their production environments. They see what’s blocked by, and what gets around, their security controls. Then they change policy, address network and endpoint weaknesses, and then immediately re-run the attacks to validate the effectiveness of their changes. Then when the real attack comes, our customers are ready.

Since most attacks are either outright copies, or slight variations, of older attacks, Breach and Attack Simulation solutions like SafeBreach can help businesses use their existing controls to stay ahead of attackers.

Be ready with those backups, and processes

When I was on the practitioner side of security, I remember the first time I had to sit through a business continuity meeting. I remember thinking, “If a meteor hits our datacenter on the West Coast, the email database is going to be the least of our concerns…”

But I soon realized it wasn’t about prepping for the next ice age. It was about prepping for the smaller disasters. The overheated servers, RAID failures, network outages… and now it’s about ransomware. Keeping backups, and being ready with the processes to restore, or cut over, is more critical than ever, when systems can be rendered unusable in seconds.
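The restore-readiness point above is worth making concrete: a backup you have never restored is a hope, not a plan. The following is an added example, not code from the original post or from SafeBreach. It backs up a directory into a tar archive with a SHA-256 manifest, proves the archive is restorable by extracting it into a scratch directory and re-hashing every file, then simulates the loss of the working copy (constructed test input that overwrites files with random bytes, standing in for file-encrypting ransomware) and recovers from the verified archive. All file names and contents are constructed for the drill.

```python
"""Backup-and-restore drill (added example; constructed sample data).

Shows the three checks a continuity process should exercise regularly:
1. the archive matches a hash manifest taken at backup time,
2. the archive can actually be extracted and re-hashed on a clean scratch tree,
3. a damaged working copy can be brought back to the manifest state.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src and a JSON manifest of hashes beside it."""
    manifest = snapshot(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def safe_extract(archive: Path, dest: Path) -> None:
    """Extract, refusing members that would escape dest (absolute or '..' paths)."""
    base = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (base / member.name).resolve()
            if target != base and not str(target).startswith(str(base) + os.sep):
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(dest)


def verify_backup(archive: Path, manifest: dict) -> bool:
    """Restore drill: extract into a scratch directory and compare every hash."""
    with tempfile.TemporaryDirectory() as scratch:
        safe_extract(archive, Path(scratch))
        return snapshot(Path(scratch)) == manifest


def run_drill() -> dict:
    """End to end: back up, lose the working copy, restore, confirm. Returns the results."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "data"
        (data / "finance").mkdir(parents=True)
        # Constructed sample files standing in for business data.
        (data / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (data / "notes.txt").write_text("quarterly planning\n")

        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(data, archive)
        backup_verified = verify_backup(archive, manifest)

        # Constructed stand-in for file-encrypting ransomware: clobber the working copy.
        for rel in manifest:
            (data / rel).write_bytes(os.urandom(64))
        damage_detected = snapshot(data) != manifest

        # Recovery: extract the already-verified archive over the damaged tree.
        safe_extract(archive, data)
        recovered = snapshot(data) == manifest

        return {"backup_verified": backup_verified,
                "damage_detected": damage_detected,
                "recovered": recovered}


if __name__ == "__main__":
    print(run_drill())
```

The manifest is what turns "we have a backup" into "we can prove the backup is intact": hashing at backup time and again after a test restore catches truncated archives, silent media corruption and an archive that was itself overwritten before anyone noticed. The path check in `safe_extract` is the other caveat a practitioner wants here, since restoring from an archive that an attacker could have touched should never be allowed to write outside the restore root.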

Don’t ever pay ransomers

I know, I know. “We don’t negotiate with terrorists” is so cliché as to be gag-inducing. But hear me out. Ransomware is old-school. It’s not like today’s modern, quiet, stealthy breaches that slowly siphon data out, and put it for sale behind the dark curtain. This is your good old loud and proud attack.

These kinds of attacks work because they disrupt business. The inconvenience leads to outage, which leads to money loss, which is, you know, bad. Some companies weigh their options, and decide it’s better to just pay up quietly, and be back in business, than it is to stay offline, and work to get back to where they were.

But if we pay, the attackers know someone WILL pay. They know this disruption works. So they do it again and again. Attackers are smart. They will use the least effort to get the most reward. Ransomware is a simple thing. A locker, a phish, and a bitcoin account. Not sophisticated. Not really new. Just effective—because when we pay we MAKE it effective.

What’s old is new again... again

We had WannaCry, now we have Petya. We had encrypted files, now the attack stops you at the boot level. We had SMB infection, now it’s email-based. But really, this is just the same old ransomware. We need to test ourselves before attackers do the testing for us. We need to take the power out of ransomware with business continuity plans. And we need to stop the cycle of ransomers, by taking the payoff out of the equation.

Let’s all focus on tomorrow, by implementing the lessons of today. (Heavy, man. Heavy.)