Let’s hope WannaCry was a wake-up call for customers, driving them to put protections in place, because a new strain of Petya ransomware is taking advantage of the EternalBlue exploit — for which Microsoft issued a patch months ago.
Carbon Black co-founder and CTO Mike Viscuso says the attack leverages the same exploit as WannaCry, but with a different payload; it also can do more damage on PCs where users run with administrative privileges because it can overwrite the Master Boot Record (MBR) with customized, malicious code, keeping a system from booting up until ransom is paid. There is also no kill switch, so far.
Carbon Black has published a code analysis. BeyondTrust VP and CTO Morey Haber offers a deep dive into the differences between WannaCry and Petya. He says that the initial exploitation does require administrator rights, so customers need to be running a least-privilege solution or have removed end-user administrator rights.
What’s not new is how to protect customers and your own business. To recap the basics:
- Keep all software up to date and patched. Most ransomware exploits known vulnerabilities for which software vendors have issued fixes. If you are running an unsupported (read: manufacturer no longer puts out security patches) or bootleg version of software, get a new plan. Looking at you, Windows XP users.
- Use a good email spam filter service. Most malware gets in when an end user clicks on a link or downloads an attachment that looks legit, but isn’t. By weeding out a large percentage of phishing emails, a key benefit of spam filters, you reduce the odds of a user being fooled. It’s simple math.
- Educate all end users regularly, and have a signed security policy. Data security is not the job of the security team. It’s up to everyone. Schedule monthly or quarterly lunch-and-learn sessions where an IT team member or your service provider goes over the latest phishing techniques. Have all employees, from the CEO on down, sign an agreement covering expectations. You don’t need to start from scratch; Google “security policy templates” and you’ll find plenty of companies offering help, or for a free DIY template, look for the SANS link.
- Have an isolated backup plan. Unfortunately, some malware will sit idle on your servers for a length of time in an effort to encrypt backups, so keep isolated, point-in-time snapshots. Continually overwriting your backups means you will back up the malware, too. Ask your backup and disaster-recovery provider about isolated recovery solutions that are stored in an off-site, secure location that’s walled off from production facilities.
- Test your disaster-recovery plan regularly. Could you wipe systems to bare metal and start over, while keeping employees productive in a pop-up environment? That’s the best-case response to the worst-case ransomware scenario. However, when the clock is ticking to pay up in bitcoin or lose data, it is not the time to find out whether your DR plan works. Modern DRaaS providers allow for, and encourage, regular drills. If yours doesn’t, find one that does.
- Don’t think that because you use a public cloud you’re immune. AWS, Azure and other providers have a shared responsibility model. In general, from the virtual machine on up, patching and other security precautions are 100 percent the customer’s responsibility. Both AWS and Azure will send alerts if they see you doing something stupid, so pay attention.
- Follow and support industry efforts like #NoMoreRansom. Ransomware is getting more sophisticated. If an attack group really wants to take down a particular company, they can use malware that can penetrate a hard drive’s firmware or even figure out a company’s backup and data-retention schedule and lie in wait. Industry consortiums like The No More Ransom project work to take down these groups and issue decryption keys. The site is an excellent resource for up-to-date information.
A few final thoughts: Check out NoMoreRansomware for more tips. Be prepared with a bitcoin wallet, just in case. Don’t dither. Decide if it’s feasible to go to bare metal and restore. If not, pay up sooner rather than later. Circle back and find out how they got in — then close the door. Report the breach to insurers and local and federal law enforcement.