With the events that have escalated since last night, here is a quick summary and initial response from Kloud on how organisations can take proactive steps to mitigate the current situation. Please feel free to distribute internally as you see fit.
A new wave of powerful cyber-attacks (Petya, as referred to below) hit Europe on Tuesday in a possible reprise of the widespread ransomware assault in May that affected 150 countries. As reported, the ransomware demands are targeting government and key infrastructure systems all over the world.
Those behind the attack appear to have exploited the same type of hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May 2017 before a British researcher created a ‘kill-switch’. This is a different variant from the old WannaCry ransomware; this nasty piece of ransomware works very differently from any other known variant for the following reasons:
- Petya uses the NSA EternalBlue exploit but also spreads inside internal networks using WMIC and PsExec; in some cases fully patched systems can also be hit through this lateral movement;
- Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one;
- Instead, Petya reboots victims’ computers and encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes and locations on the physical disk; and
- Petya ransomware replaces the computer’s MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.
The priority is to apply emergency patches and ensure you are up to date.
Make sure users across the business do not click on links and attachments from people or email addresses they do not recognise.
How is it spreading?
Like most recent ransomware attacks, ‘Petya’ ransomware exploits the SMBv1 EternalBlue vulnerability, just like WannaCry, taking advantage of unpatched Windows machines.
Petya ransomware is successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network-based threat (MS17-010).
EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April 2017 data dump; the group claimed to have stolen it, along with other Windows exploits, from the US intelligence agency NSA.
What assets are at risk?
All unpatched computer systems and all users who do not practice safe online behaviour.
What is the impact?
The nature of the attack itself is not new. Ransomware that spreads by emails with malicious links or attachments has been increasing in recent years.
This ransomware attack follows a relatively typical formula:
- Locks all the data on a computer system;
- Provides instructions on what to do next, which include a ransom demand (typically US$300 in Bitcoin);
- Requires the ransom to be paid within a defined period of time, otherwise the demand increases, leading to complete destruction of data; and
- Uses RSA-2048 encryption, which makes decryption of the data extremely difficult (next to impossible in most cases).
Typically, these types of attacks do not involve the theft of information, but rather focus on generating cash by preventing critical business operations until the ransom is paid, or the system is rebuilt from unaffected backups.
This attack, involving ransomware known as ‘NotPetya’ and also referred to as ‘Petya’ or ‘Petwrap’, spreads rapidly by exploiting a weakness in unpatched versions of Microsoft Windows (the Windows SMBv1 vulnerability).
Immediate Steps if compromised…
Petya ransomware encrypts the system after rebooting the computer. So if your system is infected with Petya ransomware and it tries to restart, do not power it back on.
“If machine reboots and you see a message to restart, power off immediately! This is the encryption process. If you do not power on, files are fine.” <Use a LiveCD or external machine to recover files>
Steps to mitigate the risk…
We need to act fast. Organisations need to ensure staff are made aware of the risk, reiterating additional precautionary measures, whilst simultaneously ensuring that IT systems are protected, including:
- Prioritise patching of systems performing critical business functions or holding critical data first;
- Immediately patch Windows machines in the environment (after proper testing). The patch for the weakness identified was released in March 2017 as part of MS17-010 / CVE-2017-01;
- Disable the unsecured, 30-year-old SMBv1 file-sharing protocol on your Windows systems and servers;
- Since Petya ransomware also takes advantage of the WMIC and PsExec tools to infect fully patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line);
- Companies should send a cyber security alert and communications to their employees (education is key) requesting them to be vigilant at this time of heightened risk and reminding them to:
  - not open emails from unknown sources;
  - be wary of unsolicited emails that demand immediate action;
  - not click on links or download email attachments sent from unknown users or which seem suspicious; and
  - follow the clearly defined actions for reporting incidents.
- Antivirus vendors have been working to release signatures in order to protect systems. Organisations should ensure that all systems are running current AV DAT signatures; the focus should be on maintaining currency;
- Maintain up-to-date backups of files and regularly verify that the backups can be restored. Priority should be on ensuring systems performing critical business functions or holding critical data are verified first;
- Monitor your network, systems, media and logs for any malicious software, possible exfiltration of data, abnormal behaviour or unauthorised network connections;
- Practice safe online behaviour; and
- Report all incidents to your (IT) helpdesk or Security Operations team immediately.
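The two host-level controls in the list above (confirm the MS17-010 update is present, and disable SMBv1 on both the server and client side) can be audited and applied with the PowerShell below. This is an added example, not Kloud's own tooling. It assumes Windows 8.1 / Server 2012 R2 or later for the Smb* cmdlets and falls back to the registry and sc.exe settings documented in Microsoft KB2696547 for Windows 7 / Server 2008 R2; the hotfix list is an assumption to be checked against the MS17-010 bulletin before you rely on it.

```powershell
# Added example (not Kloud's code): audit and remediate the Windows-side controls the
# advisory lists. Assumes Windows 8.1 / Server 2012 R2 or later for the Smb* cmdlets;
# the registry and sc.exe fallbacks cover Windows 7 / Server 2008 R2 (Microsoft KB2696547).
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# March 2017 MS17-010 security updates by platform (assumption: verify this list against the
# MS17-010 bulletin). On Windows 10 later cumulative updates supersede these, so a miss
# there is a prompt to check, not a verdict.
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4012598'

function Test-Ms17010Installed {
    # Returns $true if any of the listed hotfixes is present on this host.
    foreach ($kb in $Ms17010Kbs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { return $true }
    }
    return $false
}

function Get-Smb1ServerEnabled {
    # $true when the SMBv1 server component is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older OS: if the SMB1 registry value is absent, the default is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server and client')) { return }
    # Server side
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: drop the SMBv1 redirector from the workstation dependencies and stop it loading.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Windows 8.1+ can also remove the feature entirely (takes effect after a reboot).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

# Report first, then remediate; -WhatIf shows what Disable-Smb1 would change.
[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    MS17010Present = Test-Ms17010Installed
    SMB1Enabled    = Get-Smb1ServerEnabled
} | Format-List
if (Get-Smb1ServerEnabled) { Disable-Smb1 -WhatIf }
```

Run it with `-WhatIf` first across a pilot group, then without, and reboot where the optional feature was removed. Restricting WMIC, the other item in the list, is a policy decision rather than a one-line setting: the usual approach is to block `wmic.exe` for standard users through application control (AppLocker or equivalent) rather than to stop the WMI service, which many management tools depend on.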
These attacks happen quickly and unexpectedly. You also need to act swiftly to close any vulnerabilities in your systems.
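The monitoring point in the list above is where the WMIC / PsExec spreading behaviour described earlier becomes visible: a workstation that starts driving WMIC at a `/node:` or PsExec at a `\\host` is worth an immediate look. The script below is an added example, not Kloud's code, that flags that pattern in Security event 4688 (process creation) records. It assumes command-line auditing is enabled (Audit Process Creation plus the "Include command line in process creation events" policy), and the sample records are constructed.

```powershell
# Added example (not Kloud's code): surface the WMIC / PsExec lateral-movement pattern
# the advisory describes, using Security event 4688 (process creation). Command-line
# auditing must be enabled for the CommandLine field to be populated. Sample records below
# are constructed, not real logs.

function Test-LateralMovementCommandLine {
    # Returns an indicator name for command lines that drive WMIC or PsExec at a remote host, else $null.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    if ($CommandLine -match '\bwmic(\.exe)?\b.*/node:')             { return 'wmic-remote-node' }
    if ($CommandLine -match '\bpsexec(64)?(\.exe)?\b.*\\\\[^\s\\]+') { return 'psexec-remote-host' }
    return $null
}

function Find-LateralMovementEvents {
    # Takes objects with Time, Host, User, Id and CommandLine; emits the suspicious ones.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Id -ne 4688) { continue }
        $indicator = Test-LateralMovementCommandLine -CommandLine ([string]$e.CommandLine)
        if ($indicator) {
            [pscustomobject]@{
                Time = $e.Time; Host = $e.Host; User = $e.User
                Indicator = $indicator; CommandLine = $e.CommandLine
            }
        }
    }
}

function ConvertFrom-Event4688 {
    # Shapes a live Get-WinEvent record into the object form Find-LateralMovementEvents expects.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time        = $Record.TimeCreated
        Host        = $Record.MachineName
        User        = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        Id          = $Record.Id
        CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
    }
}

# Constructed sample records (not real logs) in the same shape.
$sample = @(
    [pscustomobject]@{ Time='2017-06-27 14:02:11'; Host='WS-0142'; User='jsmith'; Id=4688
                       CommandLine='"C:\Windows\System32\notepad.exe" C:\Users\jsmith\notes.txt' }
    [pscustomobject]@{ Time='2017-06-27 14:05:40'; Host='WS-0142'; User='jsmith'; Id=4688
                       CommandLine='wmic.exe /node:10.10.4.21 process call create "<redacted>"' }
    [pscustomobject]@{ Time='2017-06-27 14:05:52'; Host='WS-0142'; User='jsmith'; Id=4688
                       CommandLine='psexec.exe \\10.10.4.22 -accepteula -s cmd.exe' }
    [pscustomobject]@{ Time='2017-06-27 14:06:03'; Host='WS-0142'; User='jsmith'; Id=4672
                       CommandLine='' }
)
# Expected: the two rows with wmic-remote-node and psexec-remote-host indicators.
Find-LateralMovementEvents -Events $sample | Format-Table -AutoSize

# Live use against the local Security log (requires the auditing policy noted above):
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 5000 |
#     ForEach-Object { ConvertFrom-Event4688 $_ }
# Find-LateralMovementEvents -Events $live
```

Administrators legitimately use both tools, so treat a hit as a triage prompt, not a verdict: correlate the user, the time and the number of distinct target hosts. A single workstation fanning out to many `/node:` targets within minutes is the shape of the spread the advisory describes and is the case to escalate first.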
What to do if you believe you have been attacked by “Petya” and need assistance?
Under the new mandatory breach reporting laws, organisations may have obligations to report this breach to the Privacy Commissioner (section 26WA).
If you or anyone in the business would like to discuss the impact of this attack or other security related matters, we are here to help.
Please do not hesitate to contact us for any assistance.