Channel Post speaks to Majid Khan, the MSS Architect and CSOC Manager at Help AG, about Petya ransomware’s extent of damage, local and regional update, and the precautions and remediations companies need to take immediately
What is the extent of the damage caused by the Petya ransomware cyberattack?
WannaCry, the other major ransomware attack in recent memory, had a significantly large impact worldwide with over 230,000 systems being infected. By comparison Petya infections are in the few thousands. However, what’s important to note here is that this isn’t due to the complexity of the attack.
Instead, while Petya is technologically more sophisticated than WannaCry and leverages more exploits, it appears to be an extremely targeted attack that has been very successful against the organizations that hackers went after. Also, in terms of its ability to spread, Petya is highly infectious and once it has infiltrated the network, it spreads extremely quickly between systems.
Have any local or regional businesses been affected by the infection?
So far no regional businesses have reported falling victim and our MSS team hasn’t come across an instance of infection in any of the customer environments for which we deliver 24×7 security monitoring.
What are you as a security vendor doing to ensure your clients are not affected by such an attack or the affects of such an attack are mitigated?
There’s two aspects to Help AG’s role in such cyber-attacks. The first is in establishing and hardening the security posture of our customers so as to prevent such attacks in the first place. This involves not only the implementation of end-to-end security solutions, but also the identification of vulnerabilities, development and implementation of policies and frameworks and addressing the human behavior element through employee awareness initiatives.
Then there is what can be done after an attack- to mitigate the impact. In the case of ransomware, unfortunately, there is little that can be done once a system has been infected. The use of strong encryption as we have seen with WannaCry and now Petya makes this virtually impossible. Instead, through services such as Managed Security Services which delivers 24×7 Security monitoring, Help AG is able to identify an attack at the very early stages and prevent its spread. This limits the impact and helps keep business on track.
What sort of precautions or remediations do companies need to take in order to keep themselves safe from the Petya attack?
In the specific case of Petya, we have recommended the following precautionary measures:
- Review Microsoft Security Bulletin MS17-010 and apply the update.
- Update systems to latest version or patch as reported by the manufacturer.
- For systems without support or patches, it is recommended to isolate the from the network or turn off as appropriate.
- Disabling SMBv1 and blocking all versions of SMB (EternalBlue) at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.
- Since the Petya ransomware also takes advantage of the Windows Management Instrumentation Command-line (WMIC) and PSEXEC tools to infect fully-patched Windows computers, organizations should also disable WMIC.
- Discover which systems, within your network, can be susceptible to attack through the vulnerability of Windows. Once identified, these systems should be isolated, updated and/or shut down.
There are also general best practices that should be followed which include:
- Don’t open attachments from untrusted email addresses
- Avoid opening Microsoft office files from untrusted sources.
- Regularly back up data and create a restore points.
- New signatures files for antivirus products are available. It is necessary to update the antivirus soon.
According to you, is the Petya attack more serious than the previous WannaCry attack?
It is more complex than WannaCry and the two prominent differences compared to Wannacry are that, Petya doesn’t just encrypt individual files on the system, but encrypts the Master Boot Record as well, rendering the system unbootable. And seemingly it is also known to spread using Windows Management Instrumentation Command-line (WMIC) and PSEXEC interface/utilities, so basically the protection used against Wannacry, just by patching the systems or disabling SMBv1 might not help when it comes to Petya.