Network Security: How Enterprise Can Tackle Petya Ransomware Attack

Spotlight on Network Security

An increasing number of companies across Europe, Ukraine, Russia and the US are falling victim to another cyber attack, following the recent outbreak of the WannaCry ransomware.

This large-scale ransomware attack is reported to be caused by a variant of the Petya ransomware and is currently hitting a wide range of users. The ransomware is known to use both the EternalBlue exploit and the PsExec tool as infection vectors and is detected as RANSOM_PETYA.SMA by Trend Micro.

“Similar to WannaCry ransomware, the Petya ransomware exploits an SMB vulnerability, passing through the SMB protocol, and exploits a vulnerability which lies in the Microsoft operating system. To prevent the ransomware attack, firstly, companies should have proper segmentation of their network; most companies have a horizontal network and there is no proper segmentation of the network, because of which the exploitation spreads very fast. The critical network and servers should be properly segmented so that the penetration does not go beyond the segmentation of the network. The second thing is that companies must deploy a host-based intrusion firewall. They must enable firewall rules so that they can block the traffic coming from unknown sources. They also should make sure they patch the systems immediately,” said Nilesh Jain, Country Manager (India and SAARC), Trend Micro.

Commenting on the issue, Arnd Baranowski, CEO of Oculues, says that these ransomware attacks target the operating system and mainly affect systems whose operating systems are not up to date and are not well enough protected against external access by firewalls.

“A ransomware attack should be considered as a fatal hardware crash. This means that the data and system are simply lost. Do not try to regain control by paying the requested ransom. Paying will just encourage the fraudsters and hackers to continue their activities and strategies. Even if you pay, the system will certainly need to be rebuilt. We recommend following standard security and access control practices – like keeping OS systems updated and managing remote access with a secured VPN – to minimize exposure to ransomware and other similar attacks,” he explained.

Nilesh Jain further added, “Companies that have been impacted should segment their infected areas from the rest of the network, so that it doesn’t propagate further. The problem is that these kinds of ransomware attacks keep on coming and you cannot keep on patching the moment the attack comes in. Our advice to the companies is to make sure that they have a proactive mechanism of protecting from the vulnerability and to deploy Trend Micro Deep Security, which works in the same direction. Trend Micro also protects its customers against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen™ security. Also, our technical support representatives are constantly available to resolve customer queries and we are conducting webinars to create awareness among companies and individuals.”

Trend Micro discovered that this Petya variant uses an advanced method to extract information from the infected system. Aside from the use of the EternalBlue exploit, there are other similarities to WannaCry. Like that attack, this Petya variant’s ransom process is relatively simple: it also uses a hardcoded Bitcoin address, which makes decryption a much more labor-intensive process on the attackers’ side. Petya cleverly uses the legitimate Windows tools PsExec and the Windows Management Instrumentation Command-line (WMIC), an interface that simplifies the use of Windows Management Instrumentation (WMI).

Below are some of the detailed steps that organizations can take to reduce the risk of infection by this Petya variant:

• Patch and update your systems, or consider a virtual patching solution.
• Enable your firewalls as well as intrusion detection and prevention systems.
• Proactively monitor and validate traffic going in and out of the network.
• Implement security mechanisms for other points of entry attackers can use, such as email and websites.
• Disable TCP port 445.
• Restrict accounts with administrator group access.
• Deploy application control to prevent suspicious files from executing, on top of behavior monitoring that can thwart unwanted modifications to the system.
• Employ data categorization and network segmentation to mitigate further exposure and damage to data.
• Disable SMB (v1) on vulnerable machines, using either GPO or the instructions provided by Microsoft.
• Ensure that all of the latest patches (if possible using a virtual patching solution) are applied to affected operating systems, especially the ones related to MS17-010.
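The two SMB items in the list above (disabling TCP port 445 and disabling SMBv1) carried out as one PowerShell script, added here as an example that is not part of the article or of any vendor's guidance. It assumes a Windows 8.1 / Server 2012 R2 or later host and uses a made-up firewall rule name; it complements, and does not replace, the MS17-010 patch.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or any vendor). Disables SMBv1 on both the
# server and client side, blocks inbound TCP 445, then reports the resulting state
# so the change can be verified. Does not replace applying MS17-010.
$RuleName = 'Block inbound TCP 445 (Petya mitigation)'   # assumed rule name

function Disable-SmbV1 {
    # Server side: stop accepting SMBv1 sessions, the dialect EternalBlue abuses.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side (Microsoft's documented method): drop the SMBv1 redirector from
    # the workstation service's dependencies and keep its driver from starting.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-InboundSmb {
    # Workstations rarely need to serve SMB, so block inbound 445 on every profile.
    # On file servers and domain controllers scope the rule with -RemoteAddress
    # instead of blocking outright, or they stop serving their legitimate clients.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function Get-SmbHardeningState {
    # Returns one object an admin or a configuration-management check can inspect.
    $srv    = Get-SmbServerConfiguration
    $rule   = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $driver = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        Smb1ServerEnabled = $srv.EnableSMB1Protocol                      # want False
        Smb1ClientStart   = $driver.StartMode                            # want 'Disabled'
        Inbound445Blocked = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
        # Stays True while the Server service runs; the firewall rule is what denies it.
        Listening445      = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

Disable-SmbV1
Block-InboundSmb
Get-SmbHardeningState | Format-List
```

The client-side SMBv1 change only takes effect after a reboot, so re-run Get-SmbHardeningState afterwards.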

Advisory from Kaspersky Lab

Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. That is why we have named it NotPetya.

The company’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.

This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.

Kaspersky Lab detects the threat as UDS:DangerousObject.Multi.Generic.

Kaspersky Lab experts aim to release new signatures, including for the System Watcher component, as soon as possible, and to determine whether it is possible to decrypt data locked in the attack, with the intention of developing a decryption tool as soon as they can.

Kaspersky advises all companies to update their Windows software, to check their security solution, and to ensure they have backups and ransomware detection in place.

Kaspersky Lab corporate customers are also advised to:

• Check that all protection is activated as recommended, and that they have enabled the KSN/System Watcher component.
• Use the AppLocker feature to disable the execution of any files that carry the name “perfc.dat”, as well as the PSExec utility from the Sysinternals Suite.