by Bharat Mistry
On Tuesday 27 June reports began flooding in of another WannaCry-style ransomware epidemic causing havoc to organisations around the world. Within hours it had apparently infected big-name firms, utility companies, government departments and many others.
Trend Micro’s global team of threat researchers has been following this rapidly developing ransomware attack campaign closely, so here’s what UK IT leaders need to know.
What is this latest attack?
It is a variant of Petya, a ransomware family first seen back in 2016 and detected by Trend Micro as RANSOM_PETYA.SMA. After successfully infecting a machine, this version modifies the Master Boot Record (MBR), rendering the system unbootable and locking users out while a ransom note is displayed demanding $300 in Bitcoin. It then encrypts 60+ file types, focused specifically on those used most frequently in enterprise settings – image and video file types, for example, are spared.
Affected organisations are urged NOT TO PAY the ransom as the email account used by the attackers to validate payments has been deactivated by the provider Posteo.
How does it spread?
This threat first tries to spread via a modified version of PsExec, a legitimate system administration utility, to install the ransomware. If unsuccessful, it abuses Windows Management Instrumentation Command-line (WMIC), another legitimate scripting interface, to execute the ransomware on the machine. Using legitimate tools like this is thought to help it evade traditional security controls.
Only if these tactics fail does the threat resort to the same infection vector as WannaCry: the NSA’s EternalBlue exploit, which targets MS17-010, a vulnerability in Windows’ Server Message Block (SMB) implementation.
To help it spread locally, the threat also drops a version of Mimikatz, a legitimate security tool which will extract usernames and passwords from the targeted machine. If that PC has admin credentials on board then the threat could spread to every machine on the network via PsExec/WMIC.
How do I mitigate the threat?
As you can see, this threat is more complex than WannaCry, with multiple infection methods built in. That means the most effective way to mitigate risk is via a multi-layered defence-in-depth approach. This should include:
User awareness is vital: be vigilant before opening emails from unknown sources or clicking on links that don’t quite look right. Also make sure users know quickly what to do if they think they have received a suspicious email or are being encouraged to visit a harmful site.
Updating systems with the latest patches to lock down the risk of exploitation via EternalBlue. Consider virtual patching if for some reason you can’t implement vendor patches straightaway.
Apply a “least privilege” policy to all corporate PCs to help restrict its spread.
Restrict and secure system administration tools such as PowerShell and PsExec.
Disable tools and protocols on systems that don’t require them. Start by blocking TCP port 445.
Back up regularly according to the 3-2-1 rule: 3 backup copies on 2 different media with 1 backup offsite.
Proactively monitor networks for suspicious behaviour.
Behaviour monitoring can block unusual activity such as a process encrypting large numbers of files.
Email gateway security and URL categorisation to block malicious sites can further reduce attack surface.
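To make the “proactively monitor networks” advice concrete for the spread mechanisms described above (PsExec, WMIC remote execution and credential dumping), here is an added example of simple detection logic run over constructed, Sysmon-style endpoint events. It is not Trend Micro’s code; the event shapes (EventID 1 process creation, 7045 service install, 10 process access), the sample events and the lsass allow-list are assumptions for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events in a simplified Sysmon/System-log shape; not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"10.0.0.7" /user:"CORP\admin" process call create "C:\Windows\dropped.exe"'},
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic logicaldisk get size,freespace"},  # benign local query
    {"EventID": 7045, "Host": "WS02", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},  # service PsExec installs on the target
    {"EventID": 10, "Host": "WS02", "SourceImage": r"C:\Windows\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},  # credential-dump style access
    {"EventID": 10, "Host": "WS03", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},  # routine system access
]

WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)
WMIC_EXEC = re.compile(r"process\s+call\s+create", re.IGNORECASE)
# Assumed allow-list of processes that legitimately open lsass; tune to your estate.
LSASS_ALLOWED_SOURCES = {"svchost.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}


def classify(event: Dict) -> Optional[str]:
    """Return a rule name if the event matches one of the lateral-movement patterns."""
    eid = event.get("EventID")
    if eid == 1 and event.get("Image", "").lower().endswith("wmic.exe"):
        cmd = event.get("CommandLine", "")
        # WMIC spawning a process on a remote host (/node:) is the abuse described above.
        if WMIC_REMOTE.search(cmd) and WMIC_EXEC.search(cmd):
            return "wmic-remote-exec"
    if eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec-service-install"
    if eid == 10 and event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        source = event.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
        if source not in LSASS_ALLOWED_SOURCES:
            return "lsass-access"
    return None


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Run every event through classify() and collect the hits per host."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append({"host": event.get("Host"), "rule": rule})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['rule']}")
```

A single hit is a lead to triage, not proof of infection; the value comes from correlating several of these on one host within a short window.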