Rapid cyberattacks like Petya and WannaCrypt have reset our expectations on the speed and scope of damage that a cyberattack can inflict. The Microsoft Enterprise Cybersecurity Group Detection and Response team worked extensively to help customers respond to and recover from these kinds of attacks. In 2017, among the global enterprise customers that we worked with, these rapid cyberattacks took down most or all IT systems in just about one hour, resulting in $200M – 300M USD of damage at several customers. 
Attackers assembled several existing techniques into a new form of attack that was both:
- Fast – Took about an hour to spread throughout the enterprise
- Disruptive – Created very significant business disruption at global enterprises
What is a rapid cyberattack?
Rapid cyberattacks are fast, automated, and disruptive—setting them apart from the targeted data theft attacks and various commodity attacks, including commodity ransomware, that security programs typically encounter:
Figure 1: Characteristics of rapid cyberattacks
- Rapid and Automated – Much like the worms of decades past (remember Nimda? SQL Slammer?), these attacks happen very rapidly because self-propagation is fully automated once the malware is launched.
- Disruptive – Rapid cyberattacks are designed to be disruptive to business and IT operations by encrypting data and rebooting systems.
What are the technical and business impacts of a rapid cyberattack?
From a technical perspective, this represents the near-worst case technical risk, and resulting business risk, from a cybersecurity attack. While many of us in cybersecurity have grown accustomed to and jaded with sales presentations describing “doomsday scenario” tactics, these attacks indisputably represent real world cases of mass business impact on organizations.
For many of the Petya victims, most or all of their computers were taken down in about one hour (~62,000 servers and workstations in a global network, in one case). In the customer environments where our incident response teams were engaged, many critical business operations came to a full stop while the IT team recovered systems.
From a business perspective, some organizations suffered losses in the range of $200M – 300M USD and had to revise the operating results they reported to shareholders. Note that the actual level of business impact can vary by industry, organization size, existing risk management controls, and other factors. However, it’s clear that the monetary and resource impacts of rapid attacks can be significant.
What makes rapid cyberattacks different from other attacks?
Petya differed from several accepted attack norms, taking many defenders by surprise. Here are four of the ways it did so:
Figure 2: What made Petya different
- Supply chain – One of the more unusual aspects of the Petya attack is that it used a supply chain attack to enter target environments instead of phishing or browsing, which are vastly more prevalent methods used by threat actors for most attacks. While we are seeing an emerging trend of supply chain attacks, particularly in IT supply chain components like the MEDoc application, it is still a small minority of attack volume vs. the usual phishing/browsing attack methods.
- Multi-technique – While Petya wasn’t the first malware to automate propagation or use multiple propagation techniques, its implementation was an extremely effective combination of exploiting a powerful software vulnerability and using impersonation techniques.
- Fast – The propagation speed of Petya cannot be overstated. Before AV signatures were available, it left very little time for defenders to react (detect + manually respond, or detect + write automatic response rules), leaving defenders completely reliant on preventive controls (the Protect function in the NIST Cybersecurity Framework) and on recovery processes.
- Destructive – Petya rebooted the system and encrypted the master file table (MFT) of the filesystem. This made it more difficult to recover individual machines, but it also spared many enterprises an even worse impact because Petya didn’t encrypt storage that wasn’t accessible after the reboot (e.g. Petya’s boot code didn’t have SAN drivers and couldn’t reach that storage).
To learn more about rapid cyberattacks and how to protect against them, watch the on-demand webinar: Protect Against Rapid Cyberattacks (Petya [aka NotPetya], WannaCrypt, and similar).
Look out for the next blog post in this 3-part series to learn how Petya works and the key takeaways.