The global reach and considerable impact of the current Petya ransomware outbreak bear a remarkable similarity to the WannaCry attack of just a few weeks ago. This outbreak should serve as another wake-up call for organizations and governments around the world. This guest blog from our partners at Mimecast explains how to mitigate the risks that these attacks pose, and how to avoid getting caught in such attacks in the future.
There have already been reports of Petya being distributed via email (sent from the source address firstname.lastname@example.org with the attachment Order-20062017.doc). However, samples have also revealed that the Petya ransomware is spreading over local networks and the internet by abusing the Server Message Block (SMB) protocol weaknesses that reached notoriety with the recent WannaCry attack.
As many of you already know, a comprehensive “defense-in-depth” strategy is the best approach for the mitigation of current and future threats of ransomware and for many other types of attack.
Every organization must ensure its IT systems are regularly updated. Microsoft security updates are released on the second Tuesday of each month (Patch Tuesday).
Microsoft released a security update back in March which addresses the vulnerability that WannaCry exploited and that Petya also appears to exploit. Organizations that have not yet applied the security update should immediately deploy Microsoft Security Bulletin MS17-010.
If you are using a legacy, now unsupported version of Windows, you should consider upgrading immediately. However, if this is impossible in the short term, Microsoft has taken the unusual measure of releasing a security patch that can buy you time to upgrade your operating system.
Good security practice dictates removing or disabling unnecessary network services to reduce the potential attack surface. Since Petya has spread quickly by abusing vulnerabilities in the Server Message Block network protocol, this should be an area of immediate focus. Unless you have a very good reason not to, disable the SMBv1 protocol on your network, while also ensuring that any SMB services you do need cannot be directly accessed from the internet. Also disable or block other legacy protocols on your network that you are not using: leaving them available simply gives malicious actors another avenue to leverage.
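The SMBv1 advice above, as an added PowerShell example that is not part of the original post: it reports whether SMBv1 is still active on a Windows host, removes it, and adds a host-firewall backstop that blocks inbound SMB (TCP 445) from Internet addresses. It assumes Windows 8.1 / Server 2012 R2 or later (SmbShare, NetSecurity and DISM or ServerManager modules) and an elevated shell; the function names are my own.

```powershell
# Added example (not from the Mimecast post): audit, disable and fence off SMBv1 on a Windows host.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-Smb1State {
    # SMBv1 has both a server-side switch and an installable OS component; report both.
    $srv = Get-SmbServerConfiguration
    $component = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        (Get-WindowsFeature -Name FS-SMB1).InstallState                        # Windows Server
    } else {
        (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State   # Windows client
    }
    [PSCustomObject]@{
        Smb1ServerEnabled = $srv.EnableSMB1Protocol
        Smb1Component     = "$component"
        Smb2Enabled       = $srv.EnableSMB2Protocol
    }
}

function Disable-Smb1 {
    # Stop answering SMBv1 negotiation immediately, then remove the component (complete after reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
        Remove-WindowsFeature -Name FS-SMB1 | Out-Null
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-SmbFromInternet {
    # Host-firewall backstop: block rules beat allow rules, so this denies SMB from any address the
    # host classifies as 'Internet' while leaving LAN file sharing untouched. The perimeter firewall
    # should still drop 445 at the edge; this is defence in depth, not a replacement.
    $name = 'Block inbound SMB from Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Review first, then remediate and re-check.
$before = Get-Smb1State
$before
if ($before.Smb1ServerEnabled) {
    Disable-Smb1
    Block-SmbFromInternet
    Get-Smb1State
}
```

Disabling SMBv1 will break any printers, NAS devices or legacy hosts that speak only SMBv1, so on Windows 10 / Server 2016 or later run `Set-SmbServerConfiguration -AuditSmb1Access $true` for a few days first and review the SMBServer audit log for remaining SMBv1 clients.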
URL Protect – configure a policy in line with our best practice guide in Mimecaster Central. Ensure a policy is applied to all users. Rewriting all URLs in inbound emails to scan for unsafe content at time-of-click is the best approach to preventing inbound URL-based phishing attacks.
Attachment Protect – configure the “Safe Files” option for all users to ensure all inbound Microsoft Office files are converted to a safe and thus benign format. Since it has been reported that the Petya ransomware has been delivered via phishing emails pretending to provide a resume which is, in fact, a malicious dropper, automating your defenses against malicious attachments is critical.
For users who require access to editable documents, ensure Attachment Protect’s on-demand sandboxing is configured.
Internal Email Protect – this service inspects URLs and attachments in outbound email and in email sent between internal addresses. To the extent that attackers use email to spread their attack internally, this service can help to defend against that. Ensure policies are applied to all users and that remediation capabilities are enabled, so that malicious emails can be removed from both senders' and recipients' mailboxes.
DNS authentication capabilities such as DKIM and SPF can also help stop attackers from spoofing or hijacking the email domains of trusted senders, thus effectively taking away one method attackers use to fool their intended victims. DMARC also adds an extra layer of spoofing defense.
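A quick way to check how much spoofing protection your own domain actually publishes, as an added PowerShell example that is not part of the original post: it resolves the SPF and DMARC TXT records and flags the settings that leave spoofed mail deliverable. It assumes `Resolve-DnsName` (DnsClient module, Windows 8 / Server 2012 or later) and outbound DNS access; the function name and the `example.com` domain are placeholders.

```powershell
# Added example (not from the Mimecast post): audit a domain's SPF and DMARC records for weak settings.
# DKIM is not checked here because its selector names are not discoverable from DNS alone.
function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = @()

    # SPF is a TXT record at the domain apex beginning with "v=spf1".
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0)          { $findings += 'No SPF record: any host can claim to send for this domain.' }
    elseif ($spf.Count -gt 1)      { $findings += 'Multiple SPF records: receivers treat this as a permanent error.' }
    elseif ($spf[0] -match '\+all') { $findings += 'SPF ends in +all: every sender passes, so the record is useless.' }
    elseif ($spf[0] -match '\?all') { $findings += 'SPF ends in ?all (neutral): forged mail neither passes nor fails.' }
    elseif ($spf[0] -match '~all')  { $findings += 'SPF ends in ~all (softfail): move to -all once all legitimate senders are listed.' }

    # DMARC is a TXT record at _dmarc.<domain> beginning with "v=DMARC1".
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } |
             Select-Object -First 1
    if (-not $dmarc) {
        $findings += 'No DMARC record: receivers have no policy for mail that fails SPF/DKIM.'
    } else {
        # Anchor on ";" so that "sp=" (subdomain policy) is not mistaken for "p=".
        $policy = if ($dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'missing' }
        switch ($policy) {
            'reject'     { }
            'quarantine' { $findings += 'DMARC p=quarantine: spoofed mail is junked rather than rejected.' }
            'none'       { $findings += 'DMARC p=none: monitoring only, spoofed mail is still delivered.' }
            default      { $findings += 'DMARC record has no valid p= tag.' }
        }
        if ($dmarc -match 'pct=(\d+)' -and [int]$Matches[1] -lt 100) {
            $findings += "DMARC pct=$($Matches[1]): policy is applied to only part of failing mail."
        }
        if ($dmarc -notmatch 'rua=') {
            $findings += 'No rua= address: you will not receive aggregate reports showing who spoofs you.'
        }
    }

    [PSCustomObject]@{ Domain = $Domain; SPF = $spf; DMARC = $dmarc; Findings = $findings }
}

# Placeholder domain; substitute each domain your organization sends mail from.
Test-EmailAuthRecords -Domain 'example.com' | Format-List
```

An empty Findings list means SPF ends in -all and DMARC is at p=reject with full coverage, which is the state that actually denies attackers the spoofing method the paragraph describes.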
Data backups and business continuity
Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks, and as this attack highlights, there are many ways for an infection to enter and spread throughout an organization.
It’s vital that your organization regularly back up critical data and ensure that ransomware cannot spread to backup systems. Ransomware can take time to encrypt large volumes of files, particularly across a network share. It is imperative to ensure your backup retention window is long enough to go back to before any infection began, and that the backups themselves are immutable once written.
Backup & recovery measures only work after an attack, and cost organizations in downtime and IT resources dealing with the attack and aftermath, so clearly, effective prevention is always a preferred strategy.
Organizations also must be able to continue to operate during the infection period and recover quickly once the infection has been removed. This is why continuity services are also a critical part of a ransomware defensive strategy.
Should firms ever pay a ransom?
We advise organizations never to succumb to the pressure to pay the ransom to regain access to their applications and data.
There is no guarantee that cybercriminals can or will unlock files, and payment only further motivates and finances attackers to expand their ransomware campaigns.
The key advice for a ransomware defense is to always be in a position where you don’t even need to consider paying the ransom.