The Schwartz Report

Massive Petya Ransomware Outbreak Puts Spotlight on Prevention

The massive Petya ransomware attack crippled companies and governments across the globe yesterday, putting many workers on the sidelines, thousands of whom were unable to access business-critical files. The attack is similar to last month's WannaCry ransomware attack, which exploited a flaw in Windows Server Message Block 1 (SMB 1). It affects those who didn't apply Microsoft's critical MS17-010 patch issued in March. WannaCry had a kill switch, but there's no known kill switch for the Petya ransomware (also called "NotPetya" by some researchers).

Its effect was indeed quite extensive. The attack yesterday infected more than 12,500 users in 64 countries across the world including Belgium, Brazil, Germany, Russia and the United States. Microsoft late yesterday posted a detailed account of Petya's technique, which the company described as "sophisticated."

Microsoft said it released updates to its signature definition packages shortly after confirming the nature of the malware. The updates are available in Microsoft's free antimalware products, including Windows Defender Antivirus and Microsoft Security Essentials, or administrators can download the files manually from the Malware Protection Center, according to Microsoft. The company also noted that the new Windows Defender Advanced Threat Protection (Windows Defender ATP), released with the latest Windows 10 update, "automatically detects behaviors used by this new ransomware variant without any updates."

Experts said this attack is the latest reminder that organizations need more advanced options to protect themselves from becoming victims of ransomware. A report by ISACA found that 62 percent of those surveyed were attacked by ransomware and only 53 percent have any type of formal approach to mitigate it. Moreover, only 31 percent said they routinely test their security controls, and 13 percent never test them, according to ISACA's recently released State of Cyber Security report.

Organizations need to build better architectures based on zero-trust segmentation, processes (automation, threat intelligence and patch management) and culture and communication, according to a blog post by Forrester Analyst Jeff Pollard. "The more dependent on digital business your revenue is, the higher the likelihood a cybersecurity issue will cripple you," Pollard said.

With this attack and last month's WannaCry incident, security firms are reiterating the following security best practices and guidelines (while also making a case for their own security wares):

  • Backup and recovery: In conversations and conferences held by companies such as Acronis, CommVault and Veeam, the companies have talked up the fact that merely backing up your data doesn't mean your data will be protected from ransomware. The recent release of Acronis Backup 12.5 includes a new feature called Acronis Active Protection, designed to prevent malware that can find its way into a backup in the first place using behavioral heuristics. "We are making sure the ransomware cannot get into our agent and get into our backups," said Frank Jablonski, VP of global product marketing at Acronis.
  • Manage privileges: The Petya exploit, similar to other ransomware variants, requires elevated administrator rights to gain access to systems, Morey Haber, CTO of BeyondTrust, said. Organizations that have lax privilege management tools should remove end user administrator rights, which will ensure that only digitally signed software is trusted. However, that will only stop the initial infection, Haber warned. "Once the first machine is compromised, administrator rights are not needed to propagate the worm due to the severity of the vulnerability and methods used for exploitation," he said.
  • Keep software up to date: In addition to removing administrator rights, Haber said organizations should perform vulnerability assessment and install security patches promptly.
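The two host-level controls the list above recommends, removing end-user administrator rights and keeping the SMB1-exposed systems patched, can be audited from a single elevated PowerShell session. The script below is an added example for this post, not code from Microsoft, BeyondTrust or any vendor named here; it assumes PowerShell 5.1 or later on Windows 8.1/Server 2012 R2 or newer (where `Get-SmbServerConfiguration`, `Get-WindowsOptionalFeature` and `Get-LocalGroupMember` are available) and an administrator prompt. The function names `Get-RansomwareExposure` and `Disable-Smb1` are the example's own.

```powershell
# Added example, not part of the original post. Audits controls from the
# post's best-practice list on one Windows host. Assumes PowerShell 5.1+ on
# Windows 8.1 / Server 2012 R2 or later, run from an elevated prompt.
#Requires -RunAsAdministrator

function Get-RansomwareExposure {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. SMB1, the protocol WannaCry and Petya abuse via the MS17-010 flaw.
    #    Both the server-side switch and the optional feature should be off.
    $smbServer = Get-SmbServerConfiguration
    $report['SMB1ServerEnabled'] = $smbServer.EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $report['SMB1FeatureState'] = if ($feature) { $feature.State } else { 'NotPresent' }

    # 2. Local administrator rights. The post recommends removing end-user
    #    admin rights; listing the local Administrators group makes
    #    unexpected user accounts visible.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    $report['LocalAdministrators'] = $admins
    $report['LocalAdminCount']     = $admins.Count

    # 3. Patch currency. MS17-010 ships under different KB numbers per OS, so
    #    rather than matching one KB this reports the newest installed hotfix
    #    date as a coarse "are patches being applied promptly" indicator.
    $lastFix = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $report['LastHotfixInstalled'] = if ($lastFix) { $lastFix.InstalledOn } else { $null }

    [pscustomobject]$report
}

function Disable-Smb1 {
    # Hardening step: turn SMB1 off on the server side and remove the optional
    # feature. The feature removal takes effect after a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

Get-RansomwareExposure | Format-List
```

Run `Get-RansomwareExposure` first; if `SMB1ServerEnabled` is `True` or `SMB1FeatureState` is `Enabled` on a host that has no legacy SMB1 clients to serve, `Disable-Smb1` removes the attack surface independently of whether the MS17-010 patch is present. The administrator list is a starting point for review, not an automatic removal, since service and break-glass accounts legitimately belong there.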

The number of individuals who know what to do when they receive a suspicious message is surprisingly low, commented Marty Kamden of NordicVPN in an advisory released today. "If you encounter a 'Check Disk' message, quickly power down to avoid having the files encrypted by the ransomware," said Kamden. Also, it's important to know which file to block. "Stop the spread within a network from the Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running," he noted. "If such a file doesn't exist yet, create it yourself and make it read-only."
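The last step of the advisory quoted above, creating the file if it does not exist and marking it read-only, is a few lines of PowerShell. The script below is an added example written for this post, not code from NordicVPN or from the researchers who published the "vaccine"; it assumes an elevated PowerShell prompt (writing into `C:\Windows` needs administrator rights). `perfc.dat` is the name the advisory gives; the extensionless `perfc` and `perfc.dll` were also widely reported at the time as names the malware checks, so the example creates all three by default. The function name `Set-PetyaVaccineFile` is the example's own.

```powershell
# Added example, not part of the original post. Creates the read-only
# C:\Windows\perfc.dat file the advisory describes. Assumes an elevated
# PowerShell prompt on Windows.
#Requires -RunAsAdministrator

function Set-PetyaVaccineFile {
    [CmdletBinding()]
    param(
        # perfc.dat is the name quoted in the advisory; perfc and perfc.dll
        # were also widely reported, so they are included as a precaution.
        [string[]]$Names = @('perfc.dat', 'perfc', 'perfc.dll'),
        # Normally C:\Windows; taken from the environment so the script also
        # works on hosts with a non-default system drive.
        [string]$Directory = $env:SystemRoot
    )

    foreach ($name in $Names) {
        $path = Join-Path -Path $Directory -ChildPath $name

        if (-not (Test-Path -LiteralPath $path)) {
            # An empty file is sufficient: the check is for existence, not content.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }

        # Mark it read-only so it is not trivially overwritten or deleted.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

        # Report the resulting state so the run can be verified at a glance.
        [pscustomobject]@{
            Path     = $path
            Exists   = Test-Path -LiteralPath $path
            ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
}

Set-PetyaVaccineFile | Format-Table -AutoSize
```

This is a host-specific stopgap that only affects the variant described in the post; it does not replace applying MS17-010, disabling SMB1 where it is not needed, or the backup and privilege controls listed earlier. Running the function a second time is harmless: existing files are left in place and only the read-only attribute is reasserted.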

Posted by Jeffrey Schwartz on 06/28/2017 at 2:12 PM
