After the WannaCry ransomware hit several companies across Europe, Russia, Ukraine and the US, users are now falling victim to another cyber attack: an advanced variant of the Petya ransomware. The ransomware uses both the EternalBlue exploit and the PsExec tool as infection vectors and is detected as RANSOM_PETYA.SMA by Trend Micro.
“Similar to WannaCry ransomware, the Petya ransomware exploits an SMB vulnerability, passing through the SMB protocol, and exploits a vulnerability which lies in the Microsoft operating system. To prevent the ransomware attack, firstly, companies should have proper segmentation of their network; most companies have a horizontal network and there is no proper segmentation of the network, because of which the exploitation spreads very fast. The critical network and servers should be properly segmented so that the penetration does not go beyond the segment of the network. The second thing is that companies must deploy a host-based intrusion firewall. They must enable firewall rules so that they can block the traffic coming from unknown sources. They also should make sure they patch the systems immediately,” said Nilesh Jain, Country Manager (India and SAARC), Trend Micro.
Trend Micro discovered that this Petya variant uses an advanced method to extract information from the infected system.
Like WannaCry, this Petya variant’s ransom process is relatively simple: it also uses a hardcoded Bitcoin address, making decryption a much more labor-intensive process on the part of the attackers. Petya cleverly uses the legitimate Windows tools PsExec and the Windows Management Instrumentation Command-line (WMIC), an interface that simplifies the use of Windows Management Instrumentation.
Below are some detailed steps that organizations can take to reduce the risk of infection by this Petya variant:
- Patch and update your systems, or consider a virtual patching solution.
- Enable your firewalls as well as intrusion detection and prevention systems.
- Proactively monitor and validate traffic going in and out of the network.
- Implement security mechanisms for other points of entry attackers can use, such as email and websites.
- Disable TCP port 445.
- Restrict accounts with administrator group access.
- Deploy application control to prevent suspicious files from executing on top of behavior monitoring that can thwart unwanted modifications to the system.
- Employ data categorization and network segmentation to mitigate further exposure and damage to data.
- Disable SMB (v1) on vulnerable machines, using either GPO or by following the instructions provided by Microsoft.
- Ensure that all of the latest patches (if possible using a virtual patching solution) are applied to affected operating systems, especially the ones related to MS17-010.
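The SMBv1 and TCP 445 items above, applied to a single Windows host, as an added PowerShell example that is not from the article or from Trend Micro. It assumes Windows 8.1 / Server 2012 R2 or later for the Smb* and NetFirewall cmdlets, and uses the sc.exe commands from Microsoft's published SMBv1 guidance for the client side; the rule name and the -KeepSmbServerReachable switch are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, then disable SMBv1 (server and client) and block inbound
# TCP 445 with a host firewall rule. Run with -WhatIf first to preview changes.
function Invoke-Smb1Hardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Set on hosts that legitimately serve SMB shares: SMBv1 is still
        # disabled, but the port-445 block is skipped so SMBv2/v3 keeps working.
        [switch]$KeepSmbServerReachable
    )

    # --- Audit: record the current state before touching anything ---
    $server = Get-SmbServerConfiguration
    Write-Host ("SMBv1 server protocol enabled : {0}" -f $server.EnableSMB1Protocol)
    # mrxsmb10 is the SMBv1 client driver; Start = 4 means disabled.
    $clientKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $clientStart = (Get-ItemProperty -Path $clientKey -Name Start -ErrorAction SilentlyContinue).Start
    Write-Host ("SMBv1 client driver start value: {0} (4 = disabled)" -f $clientStart)

    # --- Remediate 1: SMBv1 server side ---
    if ($server.EnableSMB1Protocol -and
        $PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # --- Remediate 2: SMBv1 client side (Microsoft-documented sc.exe method) ---
    # Drop the SMBv1 redirector from the workstation's dependencies, then disable it.
    if ($clientStart -ne 4 -and
        $PSCmdlet.ShouldProcess('mrxsmb10', 'Disable SMBv1 client driver')) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }

    # --- Remediate 3: block inbound TCP 445 at the host firewall ---
    $ruleName = 'Block inbound SMB TCP 445 (Petya/WannaCry mitigation)'
    if (-not $KeepSmbServerReachable -and
        -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess($ruleName, 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }

    # The driver changes only take full effect after a restart.
    Write-Host 'Done. Reboot the host to complete SMBv1 removal.'
}

Invoke-Smb1Hardening -WhatIf
```

Blocking 445 inbound on a file server breaks its shares, which is what the switch is for; on such hosts the segmentation and patching steps above carry the risk instead.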