Five years on: How Petya ransomware changed cybersecurity forever

Five years after Petya, Webroot's Nick Emanuel looks at the mechanics of ransomware and how it has changed since Petya's inception, and the practical impacts the malware has had on the cybersecurity industry.


This is a contributed article by Nick Emanuel, Senior Director of Product, Webroot.

A terrible virus, concerns over the Olympic games, the word 'Brexit' on people's lips…does this sound familiar?

While you can see the echoes of what we're experiencing today, the world also was grappling with numerous challenges in 2016. The emergence of the Zika virus was causing alarm after shifting from an emergency to a long-term public health challenge. Construction delays had cast doubts over the Olympic Games in Rio de Janeiro. And a closely fought referendum in the UK started the country's exit from the European Union.

Amidst this turbulent time, a new assailant was emerging in the form of Petya – a devastating ransomware which would impact thousands of companies across the globe. Well-crafted in form, it used social engineering techniques and a clever use of phishing to trick victims into downloading and executing a file. If people were tricked into handing over admin privileges, the user would be forced out of the boot process, before then being 'ransomed' in Bitcoin to decrypt the hard drive.

The parallels between malware and viruses such as Zika, and COVID-19, are commonplace but accurate, as what makes a contagious, biological infection so dangerous can also be applicable to digital viruses. We see new strains of malware every day, but it requires a perfect storm of contagiousness, proximity of hosts, and incubation time, that can lead to one taking over the globe. The key difference, of course, is Petya was designed to make money.

But not even its original creator could have anticipated the eventual impact the virus would have. Five years later, the lessons learned from Petya, and its variants, demonstrate how the malware changed cybersecurity forever.

On the front-line of defence

In 2017, attackers used a supply side attack on a Ukrainian accounting company that infected machines with a new variant of the original Petya malware. The touch paper was lit, and instead of one "patient zero" there were thousands of infected machines.

Dubbed 'NotPetya' by researchers, it was seen as having the greater potential to do harm.

Rather than requiring spam email or human engineering to spread, as Petya did, NotPetya was able to exploit a backdoor and gain admin access, before remotely infecting all machines on the network. There was also no request for Bitcoin. If a machine became infected, it was unlikely to be recovered at all.

NotPetya was believed to be a state-sponsored attack – the original virus had been deliberately enhanced to create the biggest amount of damage possible.

Looking back, it is interesting to re-evaluate our response to this completely unprecedented attack. Being a cybersecurity software vendor, the nature of our business is 24x7, but Webroot's global offices allowed us the luxury of a 'follow the sun' approach, in which threat researchers could continue investigating and protecting against the threat with no downtime.

We took a war room approach in which we monitored attacks, how they were compiled, and analysed what methods were being used to trick people into installing the malicious file. At the time we saw more than 293 million unique instances of new files and classified an average of 736,000 new files per month. Some 93% of those malicious files first seen in this period were witnessed on strictly one personal computer within our user base.

The experience helped us to become more resilient and dynamic, and Petya/NotPetya left a lasting impact on how security teams were perceived at the boardroom table – narrowing the gap between 'IT decisions' and 'business decisions.'

A lasting legacy

A White House assessment at the time estimated $10 billion worth of damages from NotPetya, and it's been described as the "most devastating cyberattack in history."

The cybersecurity industry knew it had to address the problem. What mattered across the sector in 2016 was protecting the disappearing network perimeter, while managing a growth in users working outside of a traditional network.

NotPetya cemented the need for security awareness training which focused on preventing and detecting possible threats in employees' day-to-day interactions with their devices. Prior to 2016, user training was focused only on compliance or delivering specialised information to select security analysts or administrators.

Looking back over the 5 years, I'm proud of how the industry adapted to a paradigm shift in the attack surface and the progress we've made since. Vendors have brought additional tools and services to market to uncover threats more quickly, are sharing more data and information and gearing products to reduce the burden on operators, freeing up time for essential tasks.

We've come to recognise "cyber resilience" and the need to equip users as a key layer of defence. Combined with practicing recovery and a strong back-up routine, these are basic best practices all businesses can get right. The lessons learned from Petya/NotPetya are still pertinent today and they won't be the last, as new threats are constantly emerging. But by taking security and cyber resilience seriously, businesses will be much better prepared to face future challenges.

Nick Emanuel is Senior Director of Product at Webroot. He joined Webroot in August 2015, and is responsible for Webroot’s Business Platform and Services Portfolio. Emanuel has been a PM for over 14 years, and held PM positions in Symantec and MessageLabs, as well as a Development Leadership role managing a building and operating (at the time) the largest BEA/Oracle portal installation in Europe. Before joining the world of cybersecurity, Emanuel ran a trading division for an oil & gas firm, cutting his teeth on edge-thin margins, understanding profit and loss, and the importance of positive cash flow.