On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.
The new ransomware has worm capabilities, which allow it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar code with, and is a new variant of, Ransom:Win32/Petya. This new strain of ransomware, however, is more sophisticated.
What should your business do to protect against these ransomware attacks?
The first thing is to patch and update systems that have out-of-date security patches. Microsoft notes:
To protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. These updates were automatically delivered to all Microsoft free anti-malware products, including Windows Defender Antivirus and Microsoft Security Essentials. You can download the latest version of these files manually at the Malware Protection Center.
The patch for this vulnerability was issued by Microsoft earlier this year. We advise organizations to update their systems immediately.
Additional advice for organizations seeking to protect themselves from this malware includes:
1. Back up your critical systems’ files, and keep that backup offline.
2. Enable or implement intrusion detection and prevention systems.
3. Implement patch management and verify that your patches are current.
4. Proactively monitor and validate traffic going in and out of the network, especially on ports 139 and 445.
1. Don’t execute attachments from unknown sources.
2. Push out signatures and AVs.
3. Use sandboxing on attachments.
4. Deploy application control to prevent suspicious files from executing, in addition to behavior monitoring.
5. At firewalls, look for evidence of Command & Control.
6. Segment the network to limit the spread of the malware, and back up the data that is at risk of being encrypted.
7. Ensure that Remote Desktop Protocol is turned off, or is properly authenticated, and otherwise limit its usefulness for lateral movement.
1. If affected, don’t pay.
2. Share the fact of infiltration with trusted organizations, to assist with overall community efforts to diagnose, contain, and remedy.
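The advice above to monitor traffic on ports 139 and 445 and to watch for lateral spread can be turned into a concrete check. The following Python script is an added example, not code from the original post or from ChannelSOC: it reads connection-log lines in an assumed format (`<ISO timestamp> <src_ip> <dst_ip> <dst_port>`, one connection per line), flags any internal host that reaches an unusual number of distinct internal peers on SMB within a short window (the worm-like fan-out pattern), and separately flags SMB connections arriving from outside the internal address ranges. The sample log lines, the RFC 1918 ranges treated as "internal", the five-minute window and the threshold of ten targets are all constructed assumptions to be tuned for a real environment.

```python
"""Detect worm-like SMB fan-out and inbound SMB at the perimeter in connection logs.

Added example, not from the original post. The log format (one connection
per line: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"), the internal
address ranges and the alert thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORTS = {139, 445}
WINDOW = timedelta(minutes=5)     # assumed look-back window
FANOUT_THRESHOLD = 10             # assumed: distinct internal SMB targets per window
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed RFC 1918 estate


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port))


def iter_events(lines):
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            yield parse_line(line)


def find_smb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: max_distinct_targets} for internal hosts that reach at
    least `threshold` distinct internal hosts on 139/445 within `window`.
    One workstation touching dozens of peers on SMB within minutes is the
    lateral-movement pattern, not normal file-share use."""
    by_src = defaultdict(list)
    for ts, src, dst, port in iter_events(lines):
        if port in SMB_PORTS and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # time order; sliding window over events[lo:hi + 1]
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if len(distinct) >= threshold:
                alerts[str(src)] = max(alerts.get(str(src), 0), len(distinct))
    return alerts


def find_external_smb(lines):
    """Return {(src, dst, port)} for SMB connections entering the internal
    ranges from a non-internal source; 139/445 should be blocked at the edge."""
    return {(str(src), str(dst), port) for ts, src, dst, port in iter_events(lines)
            if port in SMB_PORTS and not is_internal(src) and is_internal(dst)}


# Constructed sample log: one workstation sweeps twelve peers on 445 in under a
# minute, another talks repeatedly to a single file server, one external host
# reaches 445 on an internal address, and one RDP connection is ignored.
SAMPLE_LOG = [
    f"2017-06-27T10:00:{5 * i:02d} 10.0.1.20 10.0.1.{100 + i} 445" for i in range(12)
] + [
    "2017-06-27T10:01:00 10.0.1.30 10.0.2.5 445",
    "2017-06-27T10:01:30 10.0.1.30 10.0.2.5 445",
    "2017-06-27T10:02:00 10.0.1.30 10.0.2.5 139",
    "2017-06-27T10:02:15 10.0.1.30 10.0.2.9 3389",
    "2017-06-27T10:02:00 203.0.113.7 10.0.1.5 445",
]

if __name__ == "__main__":
    print("SMB fan-out:", find_smb_fanout(SAMPLE_LOG))
    print("Perimeter SMB:", find_external_smb(SAMPLE_LOG))
```

On the constructed sample, only the sweeping workstation is reported (twelve distinct targets inside the window), the host that repeatedly uses one file server is not, and the single inbound 445 connection from outside the internal ranges is listed separately. The fan-out threshold is deliberately a parameter: a backup server or vulnerability scanner legitimately touches many hosts on 445 and belongs on an allow-list rather than raising the threshold for everyone.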
Ransomware is likely to continue as a threat to businesses for some time. To ensure it is being accounted for, IT operations and security teams should budget accordingly to implement the appropriate solutions for ransomware, and create appropriate response plans in the event that there is a ransomware attack. The response preparation should include establishing relationships with law enforcement agencies.
ChannelSOC provides a managed Security Information and Event Management (SIEM) and security operations center (SOC) solution that is powered by AlienVault and a team of security engineers, providing real-time security alerting and intelligence without the cost and complexity of do-it-yourself deployments.
Be Safe out There!