When is ransomware not ransomware?

17 August 2017

High-profile and highly disruptive ransomware campaigns have grabbed the headlines in recent months, following the widespread WannaCry and EternalPetya campaigns of May and June respectively. These were of course not isolated incidents and Europol has noted that the incidence of ransomware has soared since 2012, with the total number of users who encountered ransomware between April 2016 and March 2017 rising by 11.4%, compared to the previous 12 months.

However, all was not necessarily what it first seemed to be….

The EternalPetya ransomware campaign – despite its comparisons to the WannaCry outbreak – appears to have been destructive rather than financial in motive. Initially, the campaign appeared to bear similarities to the WannaCry outbreak, which also had worldwide reach. However, EternalPetya is a wiper which is intended to destroy data, which excludes the possibility of remediation from infection even if a ransom were to be paid.

This led to speculation that EternalPetya’s ransomware appearance could have been used as a cover for a more malicious exploit, intended at disruption or destruction, rather than ransom collection. This sentiment was echoed by the UK’s National Cyber Security Centre, which published a bulletin reporting that its researchers “had found evidence that questioned initial judgements that the intention of this malware was to collect a ransom… whether the intent was to disrupt rather than for any financial gain.”

Ransomware and disruption are of course not mutually exclusive – as was seen in the UK during the WannaCry campaign, which had a direct effect across parts of the national public health service for over a week after the initial infection.

However, the EternalPetya outbreak shows that ransomware can also be used as a distraction technique through which to facilitate more destructive or disruptive activity. The companies whose systems were affected by EternalPetya in many instances experienced significant business interruption.

PwC never recommends paying a ransom demand unless there is a threat to life as doing so fuels the ransomware economy, funding the development of additional techniques and campaigns, regardless of whether it appears to be legitimate ransomware or not.

Ransomware is an increasingly prevalent threat, with a rising number of variants designed to target corporate networks. In spite of this, there are many pragmatic steps which organisations can take to reduce the likelihood of incidents, limit their impact when one does occur, and to recover swiftly and effectively. These span several aspects of IT operations and security, and primarily relate to:

  • Robust business continuity planning and exercising and the ability to restore systems rapidly from backups;
  • Crisis and incident response planning and exercising to ensure incidents are managed and resolved swiftly;
  • Strong security hygiene policies and user awareness to prevent ransomware entering your IT environment through both technical controls and vigilant employees; and
  • Rigorous patch and vulnerability management ensuring you make effective use of work already done to address vulnerabilities.

In the coming weeks, PwC’s financial services cyber security team will be publishing some reporting around attack chain and control frameworks to facilitate the understanding of spread mechanisms, as well as helping organisations to assess existing protection mechanisms and apply new controls to reduce the likelihood and impact of such attacks.

Louise Taggart | Threat Intelligence Analyst
Profile | Email | +44 (0)20 7212 1912


More articles by Louise Taggart



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.