Petya Ransomware Attack: A Wake Up Call
Just recently, we wrote about how, in the aftermath of the WannaCry attack, companies should keep their guard up and be prepared for similar ransomware attacks. Enter the Petya attack.
The Petya family of malware is a ransomware variant that encrypts both the files and the partition of the hard drive, displaying a message to the user at boot. In other words, it’s the revenge of WannaCry: a bigger, badder attack with global reach.
But what really makes this attack interesting is that 1) hackers are once again leveraging the NSA’s exploit kits, and 2) this time around, machines running Windows 10 can also be infected.
The SecurityScorecard research team analyzed our proprietary data last week and found SMB/port 445 scanning activity that gives us insight into the Petya attack.
The spike in this scanning activity over the weekend may indicate that infections were attempting to propagate automatically across the internet. It may also reflect renewed interest from researchers who, like our team at SecurityScorecard, were working to identify exploitable conditions before the malware strikes. The quick downturn after June 24th suggests that security practitioners may be cleaning up their machines quickly.
Immediate Lessons Learned:
- Close Port 445. If it’s open to the public, close it. This attack is proof that ransomware is going to continue to be the dominant malware family and that the Equation Group toolkit is going to continue to be leveraged.
- Windows 10 is no longer immune. As we alluded to earlier, the EternalBlue exploit has been modified to work successfully against Windows 10, which wasn’t the case when WannaCry was circulating.
- Improve Patching Cadence. There is no silver bullet, but maintaining a healthy patching cadence will help ensure that your company is not the lowest-hanging fruit.
- Train Employees on Phishing. The Petya malware originally arrived in the form of a phishing email. In other words, someone gets a suspicious email, opens the attachment, gets infected, and then the infected computer starts scanning the local network for vulnerable SMB services to exploit and infect. Ultimately, there are several preventative measures you can take, but if an employee clicks on a malicious attachment, your internal network is at risk.
- Continuously Monitor Indicative Factors. Again, the preventative measure that sets the framework for all the rest is a robust and continuous risk management program that includes monitoring factors which may indicate a heightened risk of falling victim to such an attack. For example, a poor patching cadence may indicate that an exploit is likely to succeed rather than fail, and a low level of network security can indicate an environment that would allow malware to propagate more quickly.
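The scanning spike described above is the kind of signal a defender can watch for on their own perimeter. As an added example (not SecurityScorecard’s code or data), the script below counts inbound TCP/445 connection attempts per day from firewall logs and flags a day whose count jumps well above the median of the other days; the log format and the sample lines are constructed assumptions.

```python
"""Flag days with a spike in inbound TCP/445 (SMB) attempts in firewall logs."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample lines in an assumed firewall log format (not real data).
SAMPLE_LOG = """\
2017-06-22 10:01:12 DENY src=203.0.113.5 dst=192.0.2.10 dport=445 proto=tcp
2017-06-22 10:03:40 DENY src=203.0.113.9 dst=192.0.2.10 dport=22 proto=tcp
2017-06-22 18:44:09 DENY src=203.0.113.5 dst=192.0.2.11 dport=445 proto=tcp
2017-06-23 01:11:02 DENY src=198.51.100.7 dst=192.0.2.11 dport=445 proto=tcp
2017-06-23 09:30:55 ALLOW src=203.0.113.77 dst=192.0.2.10 dport=443 proto=tcp
2017-06-24 02:00:01 DENY src=198.51.100.21 dst=192.0.2.10 dport=445 proto=tcp
2017-06-24 02:00:03 DENY src=198.51.100.21 dst=192.0.2.11 dport=445 proto=tcp
2017-06-24 02:00:05 DENY src=198.51.100.21 dst=192.0.2.12 dport=445 proto=tcp
2017-06-24 02:14:17 DENY src=203.0.113.40 dst=192.0.2.10 dport=445 proto=tcp
2017-06-24 02:14:18 DENY src=203.0.113.40 dst=192.0.2.11 dport=445 proto=tcp
2017-06-24 03:50:31 DENY src=198.51.100.88 dst=192.0.2.10 dport=445 proto=tcp
2017-06-24 11:09:44 DENY src=203.0.113.5 dst=192.0.2.10 dport=445 proto=tcp
2017-06-25 07:12:00 DENY src=203.0.113.5 dst=192.0.2.10 dport=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<action>\w+) src=(?P<src>\S+) "
    r"dst=\S+ dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def count_smb_attempts(log_text):
    """Return {date: (attempt_count, set_of_source_ips)} for TCP/445 hits."""
    per_day = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"].lower() != "tcp" or m["dport"] != "445":
            continue  # skip malformed lines and non-SMB traffic
        per_day[m["date"]][0] += 1
        per_day[m["date"]][1].add(m["src"])
    return {d: (count, srcs) for d, (count, srcs) in per_day.items()}

def find_spike_days(per_day, factor=3.0, min_attempts=5):
    """A day is a spike if it has at least min_attempts hits and its count is
    at least factor times the median of the other days (the baseline)."""
    spikes = []
    for day, (count, _) in sorted(per_day.items()):
        others = [c for d, (c, _) in per_day.items() if d != day]
        baseline = median(others) if others else 0
        if count >= min_attempts and count >= factor * max(baseline, 1):
            spikes.append(day)
    return spikes

if __name__ == "__main__":
    print(find_spike_days(count_smb_attempts(SAMPLE_LOG)))  # ['2017-06-24']
```

On the sample data, June 24th is flagged with seven attempts from four distinct sources; in practice, feed the same functions your own export and tune `factor` and `min_attempts` to your baseline.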
The SecurityScorecard research team is currently running another global internet scan as well to identify exploitable conditions. Stay tuned for another update within the next 72 hours.