IBM Security’s Wendi Whitmore Talks About Petya

The NTSC recently chatted with IBM Security’s Wendi Whitmore, Global Lead for IBM X-Force IRIS. A technical leader with 15 years of diverse experience in incident response, proactive and strategic information security services, intelligence, and data breach investigations, Wendi was instrumental in creating IBM X-Force IRIS, which includes the global X-Force Incident Response, Proactive Services, and Threat Intelligence practices.

In this Q&A, Whitmore discusses the nature of Petya, its impact, and what CISOs should take away from the cyberattack.

Many cybersecurity experts have had trouble defining Petya. Is it ransomware, or not? Is it even Petya, or a significant variant? From your perspective, what is Petya?

We’re calling it a wiper in ransomware clothing. It’s a variant of the previous Petya ransomware, but we’re seeing this variant leveraged to conduct destructive actions toward a victim organization.

Many targets have been multinational organizations, but they all have some tie-in or nexus to Ukraine. The initial victim and attack vector was a tax software called M.E.Doc that’s specific to organizations doing business in the Ukraine.

At first, Petya fascinated us because we and many others in the security community became suspicious about what was happening. First, we saw a small target list—15,000-20,000 systems compromised globally versus the hundreds of thousands of systems we saw most recently with WannaCry. To make money off ransomware, more volume helps, so it didn’t make sense.

Second, we saw that the ransomware directions included on the screen were not accurate in terms of victims actually being able to pay using bitcoin to get their data back. None of them were getting the data back. Those were some interesting trends that initially emerged.

What's been the most significant impact so far?

We’ve seen some very large global businesses impacted, which impacted transportation worldwide. For example, the second largest port within the port of Los Angeles shut down for a few days. That certainly had ramifications ranging from simply getting goods in and out of the port to globally impacting the economy. Many transportation-related organizations were affected as a consequence.

Also, a wide variety of organizations were impacted that have different components within the Ukraine. Because this malware was destructive, we saw thousands of systems impacted in such a way that it’s taking the victim organizations a while to get those systems back online. In some cases, they’re having to completely rebuild systems.

Like WannaCry, this malware was focused on Windows systems. But what made Petya really unique was that it wasn’t just leveraging the Windows exploit and hitting unpatched systems, which is what we saw with WannaCry.

This malware leveraged two Windows administrative tools that were valid, and many organizations have them available for administrators to use. Because the malware worked this way, it could spread laterally with valid credentials and then even impact systems that were patched for this vulnerability. In that sense, the malware was a bit more impactful for the organizations that it hit but thankfully the spread hasn’t been as wide as we saw with WannaCry.

What should CISOs know about Petya and the threat of similar future attacks?

We’re continuing to see a convergence of different toolsets, but I think this is the first time we’re seeing such a sophisticated tool disguised as ransomware. That’s interesting, and I would imagine that these types of attacks will become more of a trend. But ultimately, these attacks get us back to security basics.

  • Make sure your data is backed up and that you have access to it offline. That’s especially important in a case like this when the malware is destructive.
  • Make sure your backups are not always connected to the network or they might become subject to encryption as well.
  • Regularly patch systems. That helped in many cases, although in Petya’s case patching didn’t completely solve the problem.
  • Keep antivirus signatures up to date. Vendors like McAfee and Symantec had put blocks in place within hours of Petya becoming more public, so that was helpful for a lot of organizations.

For real-time updates, visit IBM X-Force Exchange.

If any CISOs have a question or wish to engage with IBM Security, please reach out to info@ntsc.org and we will connect you with our NTSC Advisory Board Member at IBM Security, Ben Hendrick.