back to article A year after devastating NotPetya outbreak, what have we learnt? Er, not a lot, says BlackBerry bod

Today (27 June) marks the first anniversary since the NotPetya ransomware ravaged a range of businesses from shipping ports and supermarkets to ad agencies and law firms. Once in a system, the code sought to encrypt files and destroyed master boot records, leaving infected Windows machines useless. The malware spread using the …

  1. Doctor Syntax Silver badge

    "outdated systems"

    Where do you draw the system boundaries? A stand-alone PC running a particular version of a particular OS might be out-dated. An expensive piece of kit, of which a similar PC is a component, still performing the function for which it was bought and within its budgeted lifetime is a different matter.

    1. Nick Ryan Silver badge

      And usually a basic firewall/router separating the critical, but non-updateable PC that operates this kit, from the wider network is all that is required. The unpatched system shouldn't be able to affect kit in the wider network and vice-versa.

      Not always possible, of course, but usually is.

  2. Richard Jones 1

    System Boundaries

    As a start point where the machine meets any network or other external boundaries and ensure they do not exist. This clearly includes external devices, portable external drives, thumb drives, etc. I have an old XP machine, actually several but none of them have had a problem since they are not currently turned on and used. Were they to be employed it would only be by me for a controlled reason under defined circumstances, set out by me. (Possibly this would include the extraction of data thought to be held there if not found anywhere else.)

  3. AnonFairBinary

    Patching is the most important thing, and it's really hard.

    Patching is hard... really monstrously hard. It is the single most important *security* activity, and yet is has zero visibility in most organizations. What *patching* means, is being able to update your operational systems weekly, having pre-operational systems that you can deploy to and have confidence that they really will see whatever happens in ops. If half the energy spent on security baubles and consultants' checklists were spent on process and equipment to enable patching, the world would be much better off.

    1. Doctor Syntax Silver badge

      Re: Patching is the most important thing, and it's really hard.

      "Patching is hard... really monstrously hard."

      And harder still if the patch interferes with the operation of the overall system or with regulatory requirements. In the latter case the system which actually needs to be examined and modified if required includes the regulatory process.

  4. Conrad Longmore
    Thumb Down


    It didn't matter if your systems were up-to-date with NotPetya or not. It harvested administrator and local administrator credentials via a custom version of Mimikatz and used those, in *addition* to spreading through ETERNALBLUE / DOUBLEPULSAR etc.

    I suspect that many of the organisations so badly hit had decent patch management regimes, but were weaker on passwords. It was not the same as WannaCry. No, not at all.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bollocks

      Basically, Obi Wan walking through your defenses, throwing your stormtroopers off dangerous catwalks that would attract Elf & Safety were they physically visible?

      It was historic

      "There is always a bigger phish."

    2. macjules

      Re: Bollocks

      Quite apt ..

      . Reckitt Benckiser – the firm behind the Dettol and Durex brands – said the attack cost it £100m ($136m)

      Then again, they bounced back ok.

      1. Doctor Syntax Silver badge

        Re: Bollocks

        "said the attack cost it £100m"

        When hacked companies say things like this you have to wonder how much of that was spend putting in place the defences they should have had all along. In other words, some of it's deferred spending and some of it is what that deferring has cost them in the long run.

        1. Cpt Blue Bear

          Re: Bollocks

          "When hacked companies say things like this you have to wonder how much of that was spend putting in place the defences they should have had all along."

          You fail to understand the corporate management mentality. Security is a real and immediate cost which generates no return if it works as planned. Disruption costs are mostly potential and should they become actual, will be covered by insurance. Plus you get to attach your name to the valiant recovery operation thus furthering your career.

    3. Anonymous Coward
      Anonymous Coward

      Re: Bollocks

      I know one of the companies hit was hit because they didn't patch. My understanding about the harvesting of cached credentials was that it depended on a (singular) Windows host being compromised by an alternative method to harvest those creds in the first place.

      As for patching, they got rid of the people managing patching around 6 months prior as it was all being outsourced. Chances of patching being done between getting rid of those people and NotPetya based on the impact to their global operations? Zero... When they went to deploy new machines, they were wiped out almost instantly because (wait for it....) they weren't patched either... They needed to get a reseller to provide new standard builds as their outsourcer was unable to assist....

      1. Doctor Syntax Silver badge

        Re: Bollocks

        "They needed to get a reseller to provide new standard builds as their outsourcer was unable to assist."

        But think of all the bonuses management got because of all the money they saved by outsourcing.

  5. Anonymous Coward
    Anonymous Coward

    "What have we learnt?"

    "Er, not an 'loT'".... <<<FTFY>>>


    Security in general, what we learned? .... "A leading security camera-maker has sent footage from inside a family's home to the wrong person's app"...

  6. Anonymous Coward

    Russia to blame for NSA malware?

    "The malware spread using the US National Security Agency's leaked EternalBlue exploit, which was also abused by WannaCry months earlier .. The effects were devastating. Western intel agencies subsequently blamed Russia for the attack."

    In relate news Russian intelligence agencies were to blame for kidnapping a bear off of Paddington railway station and putting him to work in some gulag making Wellington boots.

  7. EnviableOne Silver badge

    Patch Outdated Systems?

    Wasnt this what started notPetya (or Talos' name Nyetia, which is better)

    if you had not patched MeDoc, then you wouldnt have got Nyetia!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon