Darktrace’s perspective on the NotPetya attack

Dave Palmer, Director of Technology | Thursday June 29, 2017

The ‘ransomware’ attack sweeping the globe is yet another demonstration that traditional cyber defense approaches are losing their usefulness. Businesses cannot rely on patching vulnerabilities fast enough: a NotPetya patch would only protect you against yesterday’s attack and will not stop tomorrow’s.

An interesting difference from last month’s WannaCry attack is that WannaCry could spread from victim to new victim directly over the internet. Whilst this one can also spread quickly within organizations, Petya (or NotPetya) has not spread across the internet. The good news is that if you haven’t been affected yet, it is unlikely you will be.

At first glance, this might look like conventional ransomware, but it has emerged that the system for paying the criminals and decrypting data doesn’t work. This means that regardless of whether monetization was the original motive or not, it will feel like sabotage from the victims’ perspective.

Questions regarding whether the attack was a targeted one are in this case legitimate, as the initial deployment was via poisoning legitimate accountancy software heavily used in Ukraine, and via Ukrainian city websites. A majority of the businesses affected would have been operating in the Ukraine area, or connected to Ukrainian organizations via their supply chain.

How many more warnings do we need that relying on stopping attacks seen in the past just isn’t enough? The latest advances in AI mean that autonomous technology can now detect and fight back against any in-progress threats within a company network, buying the security teams time to investigate.

In our tests, Darktrace has confirmed the ability to autonomously respond to NotPetya, neutralizing the threat in seconds. Enterprise Immune System technology works because it doesn’t rely on rules or signatures. It takes defensive action before humans have time to react, and is the only realistic way that security teams will scale to the increased speed and diversity of future attacks.

Dave Palmer

Dave is the Chief Product Officer at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over 13 years’ experience at the forefront of government intelligence operations, Dave has worked across UK intelligence agencies GCHQ and MI5, where he was responsible for delivering mission-critical infrastructure services, including replacing and securing entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He acts as an advisor to cyber security start-ups and growth-stage companies from the UK Government’s Cyber Security Accelerator and CyLon. His insights on AI and the future of cyber security are also regularly featured in the UK media. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.