The New Ransomware Threat
“On June 27, 2017 organizations in over 65 countries reported they had been infected with Petya ransomware. Petya ransomware was first discovered in March 2016, and like most malware, it was primarily spread via email phishing attacks. After a user was infected, the ransomware would encrypt data files on the systems and hold them hostage in exchange for a ransom payment. Once the ransom was paid, the attackers would typically (but not always) provide the decryption key so that users could restore their files. This ransomware is still in the wild, and users can still fall victim.
Notably, however, the initial Petya ransomware is very different from the Petya variant that was released in June 2017. This new Petya variant is not truly ransomware. Instead, it’s wiper malware disguised as ransomware. The wiper malware does not hold data hostage in exchange for a ransom; its sole purpose is to destroy data and corrupt systems. There have been no new reports of this Petya variant following June 27, 2017, but this and similar types of malware can (and will likely) spread at some point in the future.
While you can’t predict the next attack, you can take steps now to protect your IT resources from similar future attacks. Some of those steps include:
Train users to be suspicious. Don’t open email attachments or click hyperlinks in emails that you’re not expecting. If you don’t know the sender, delete the email immediately. If you do know the sender but the message is unexpected or suspicious, verify via call or text that the email is legitimate. If it’s not legitimate, delete it immediately.
Keep systems patched and up to date. Always apply the latest software patches and make sure antivirus signatures are up to date. In relation to this Petya variant, Microsoft patch MS17-010 would have largely stopped the malware’s ability to spread using the EternalBlue and EternalRomance vulnerabilities. Regular patching significantly reduces the attack surface and makes it more difficult for the attacker to get in.
Block specific ports. Block SMB ports (particularly ports 139 and 445) from external hosts to reduce the attack surface. Also block UDP ports 135, 137, and 138 to prevent lateral movement within the network.
Disable PsExec and WMIC. PsExec and WMIC are legitimate administrative tools, but they’re commonly used by attackers in a variety of attack types. In the case of this Petya variant, disabling these tools can help prevent the spread of this malware throughout the environment.
Back up data. Back up critical data on a regular basis, and make sure those backups are available offline. Be sure your backups are not always kept on the network; leaving them connected can expose them to encryption and destruction.
Segregate duties and isolate critical data. Segregate duties between user and administrative accounts, and make sure that no one account (including Domain Admin) can execute commands on all systems on the network. In addition, identify your critical data, and isolate and segment it from the rest of the network.”
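As an added example that is not part of the advisory quoted above, the following PowerShell script applies the port-blocking and PsExec/WMIC recommendations on a single Windows host and audits the result. It assumes Windows 10 / Server 2016 or later with the NetSecurity module, an elevated session, and firewall rule display names chosen here rather than prescribed by the advisory; the WMIC capability name applies only to Windows 11 builds where WMIC ships as an optional feature.

```powershell
#Requires -RunAsAdministrator
# Added example, not the advisory's own tooling. Rule names below are assumptions.

$rules = @(
    # SMB from external hosts: block inbound on the non-domain profiles so
    # internal file sharing on the domain profile keeps working.
    @{ Name = 'Block SMB inbound (external)'; Protocol = 'TCP'; Port = @(139, 445);      Profile = 'Public,Private' },
    # NetBIOS/RPC over UDP: block on every profile to limit lateral movement.
    @{ Name = 'Block NetBIOS UDP inbound';    Protocol = 'UDP'; Port = @(135, 137, 138); Profile = 'Any' }
)

foreach ($r in $rules) {
    # Idempotent: only create a rule if one with this display name is missing.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile $r.Profile | Out-Null
        Write-Host "Created rule: $($r.Name)"
    } else {
        Write-Host "Rule already present: $($r.Name)"
    }
}

# PsExec registers a PSEXESVC service on a host it has been run against.
# Its presence means PsExec was used here; stop and remove it unless expected.
$psexec = Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue
if ($psexec) {
    Write-Warning "PSEXESVC service found (status: $($psexec.Status))."
    Stop-Service -Name 'PSEXESVC' -Force -ErrorAction SilentlyContinue
    sc.exe delete PSEXESVC | Out-Null
} else {
    Write-Host 'No PSEXESVC service present.'
}

# WMIC: on Windows 11 it is an optional capability and can be removed outright.
# On older builds the binary is part of the image; restrict it with AppLocker
# or a Software Restriction Policy instead (not shown here).
$wmicCap = Get-WindowsCapability -Online -Name 'WMIC~~~~' -ErrorAction SilentlyContinue
if ($wmicCap -and $wmicCap.State -eq 'Installed') {
    Remove-WindowsCapability -Online -Name 'WMIC~~~~' | Out-Null
    Write-Host 'WMIC capability removed.'
} elseif (Test-Path (Join-Path $env:SystemRoot 'System32\wbem\WMIC.exe')) {
    Write-Warning 'WMIC.exe present and not removable as a capability; apply an AppLocker/SRP rule.'
}

# Final audit: list the block rules this script manages and their enabled state.
Get-NetFirewallRule -DisplayName ($rules.Name) | Select-Object DisplayName, Enabled, Profile, Action
```

Run it once per host (or via a scheduled task in a pilot group) and compare the final audit table against the expected two enabled Block rules before rolling out more widely.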
Be Secure. Be safe.