Nick Hyatt is a senior consultant with Optiv’s enterprise incident management practice. In this role, he specializes in incident response, threat hunting and digital and malware forensics.
Petya / Petna / NotPetya Ransomware Recommendations from the Trenches
Here we go again. Not long ago I updated a blog post containing actionable recommendations to protect your environment from ransomware threats, including WannaCry. In the wake of yesterday’s Petya attack, I thought it would be prudent to update that blog again and reinforce concepts discussed therein.
Petya’s attribution and ultimate goal are still a fluid situation, so I am not going to touch on attribution: it is a difficult topic, the investigation is in its early stages, and individuals should not jump to conclusions. Organizations should, however, always try to ascertain the intent of an attack. Knowing why you were targeted, and what later stages the attack might include, tells you which additional controls will continuously reduce risk.
Delivery methods differed from WannaCry, and while the two share some behavior, Petya is in one respect a bigger threat and in another a lesser one. Its initial delivery centered on the MeDoc financial software, along with a watering hole delivered via a Ukrainian university, so unless your organization uses MeDoc or a user visited the watering hole, your exposure to the initial infection is greatly reduced. Once inside a network, however, it spreads on its own, which is what makes Petya a lesson worth learning from. There are some critical things to remember when dealing with Petya, ransomware, and malware in general:
Backups – It is critical for organizations to have a consistent, tested disaster recovery plan that includes solid backups. This remains true for Petya, which does more than encrypt files: it can disable a system entirely at the drive level. The hosting provider for the payment email address shut down the account early in the infection cycle, so paying the ransom is not even an option. Optiv does not recommend paying the ransom anyway; therefore, from a recovery perspective, companies must have tested, functional backups.
- Provides easy recovery from ransomware attacks: wipe the infected system and restore from backup.
- Test backups at regular intervals to make sure data is valid and actually restorable.
- Keep at least one backup copy offline or otherwise unreachable with the credentials used on the production network; malware that spreads with stolen credentials can reach any backup share those credentials can.
Patch – WannaCry’s use of the ETERNALBLUE exploit for propagation reinforces the fact that malware developers are actively seeking new methods of infecting systems and not just sticking to tried-and-true methods. Petya also harnessed ETERNALBLUE, though in a supplemental capacity alongside credential-based spreading. The SMBv1 flaw it targets was fixed by Microsoft in MS17-010 in March 2017, before either outbreak, which makes both a story about patch latency as much as about exploits.
- There are myriad attack surfaces in an environment.
- Be sure systems are kept up to date, with the operating system and installed software patched to current versions.
- If possible, remove commonly vulnerable programs like Flash and Java from the environment.
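As an added example (not code from the original post or from Optiv), here is a quick host-side check for the two things that matter for ETERNALBLUE: whether an MS17-010 hotfix is present and whether SMBv1 is still enabled. The KB list is the set Microsoft shipped for MS17-010; the Smb cmdlets assume Windows 8.1/Server 2012 R2 or later and an elevated session.

```powershell
# Added example: verify MS17-010 and turn off SMBv1 on one Windows host.
# Run elevated on Windows 8.1 / Server 2012 R2 or later (the Smb* cmdlets do
# not exist on Windows 7; there, check Get-HotFix only).

# KB numbers Microsoft published for MS17-010 (March 2017). On Windows 10 later
# cumulative updates supersede these, so an empty match there is not proof the
# host is unpatched; confirm the OS build level before concluding anything.
$ms17010 = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
             'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')

$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 hotfix found; check the cumulative update level before assuming this host is patched.'
}

# Patched or not, SMBv1 should be off unless something genuinely still needs it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is enabled; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host 'SMBv1 server is already disabled.'
}

# On Windows 8.1 / 10 the SMBv1 component can be removed entirely (reboot required):
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Run it across the fleet through your management tooling rather than one box at a time; the interesting output is the list of hosts that warn on either check.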
Network Segmentation and User Access Restriction – Network segmentation is a vast and complex topic that exceeds the scope of this blog, but properly segmenting a network is a key safety feature against malware. Petya specifically harnessed WMIC to propagate, running itself on other hosts with credentials stolen from the machine it had already infected. In a segmented network where workstations cannot reach one another over SMB and WMI, and where no single account is a local administrator on many machines, that propagation path is largely cut off.
- Ensure your network is segmented so that mission-critical systems are isolated from standard endpoints, and that endpoints cannot talk to each other over management protocols.
- Ensure user and system accounts are provisioned under the concept of least privilege, so that one stolen credential does not grant administrator rights across many endpoints.
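Segmentation between workstations can be enforced on the host as well as on the network. The following is an added example, not from the original post: Windows Firewall rules that stop a workstation from accepting SMB and RPC/WMI from its peers while still allowing them from a management subnet. The subnet 10.10.50.0/24 is an assumed placeholder for your management network; in practice push the same rules via GPO.

```powershell
# Added example: restrict inbound SMB (445) and RPC/WMI (135 plus the dynamic
# RPC range) on a workstation to a management subnet. Run elevated to test on
# one host; deploy with GPO for real. 10.10.50.0/24 is an assumed value.

$mgmt = '10.10.50.0/24'

# Windows Firewall evaluates explicit Block rules ahead of Allow rules, so a
# blanket block on 445 would also cut off the management subnet. Instead: keep
# the default inbound action at Block, disable the built-in allow rules that
# open file sharing and WMI to everyone, and add narrow allow rules.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

foreach ($group in 'File and Printer Sharing',
                   'Windows Management Instrumentation (WMI)',
                   'Remote Service Management') {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue | Disable-NetFirewallRule
}

# Allow SMB and RPC/WMI inbound only from the management subnet.
New-NetFirewallRule -DisplayName 'Allow SMB from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $mgmt -Action Allow -Profile Domain

New-NetFirewallRule -DisplayName 'Allow RPC/WMI from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 135, '49152-65535' -RemoteAddress $mgmt -Action Allow -Profile Domain

# Verify from a second workstation (not in the management subnet); both should fail:
#   Test-NetConnection -ComputerName <this host> -Port 445
#   Test-NetConnection -ComputerName <this host> -Port 135
```

With this in place, a stolen local administrator password is still a problem, but wmic.exe and PsExec from an infected peer no longer have a path to use it; only hosts in the management subnet can reach those services.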
Endpoint Monitoring – Tools that give a team visibility into the behavior occurring on an endpoint are tremendously useful in combating malware, and even more so with ransomware, where minutes matter. Visibility into activity on an endpoint can help incident responders and threat hunters stop attacks before they become incidents.
- Due to the rapidly changing nature of ransomware infections, organizations must have multi-faceted endpoint protection rather than signature-based antivirus alone.
- Endpoint monitoring solutions provide visibility into the processes running on endpoints and the network traffic they generate.
- Endpoint monitoring solutions can block rogue processes pending further verification.
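Even without a commercial endpoint product, the Windows Security log can surface the WMIC propagation described above, provided process creation is audited with command lines. The following is an added example, not from the original post: it enables that auditing and then hunts 4688 events for wmic.exe creating processes on a remote /node:, for processes spawned by the WMI provider host on the receiving side, and for PsExec-style execution. The field names are the ones Windows writes into the 4688 event XML; ParentProcessName is only present on Windows 10 / Server 2016 and later.

```powershell
# Added example: turn on command-line process auditing and hunt the Security
# log for the remote-WMIC pattern Petya used. Run elevated.

# 1. Process-creation auditing is off by default, and the command line is only
#    recorded when this registry value is set (Windows 8.1 / 2012 R2 and later).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Scan 4688 events for the source-side and target-side signs of remote execution.
function Find-RemoteWmicActivity {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $cmd = [string]$data['CommandLine']
        $why = $null

        if ($cmd -match '(?i)\bwmic(\.exe)?\b.*/node:' -and $cmd -match '(?i)process\s+call\s+create') {
            $why = 'wmic.exe creating a process on a remote host'
        } elseif ([string]$data['ParentProcessName'] -match '(?i)\\WmiPrvSE\.exe$') {
            # On the receiving host the remotely created process has WmiPrvSE.exe as its parent.
            $why = 'Process spawned by the WMI provider host'
        } elseif ($cmd -match '(?i)psexe(c|svc)') {
            $why = 'PsExec-style remote execution'
        }

        if ($why) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $data['SubjectUserName']
                Process     = $data['NewProcessName']
                Parent      = $data['ParentProcessName']
                CommandLine = $cmd
                Reason      = $why
            }
        }
    }
}

Find-RemoteWmicActivity | Format-Table -AutoSize -Wrap
```

Legitimate management tools also create processes through WMI, so the WmiPrvSE parent match will need tuning to your environment; the wmic.exe /node: match from a user workstation, on the other hand, is rarely legitimate and is worth an alert on its own.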
AppLocker and Software Restriction GPOs – A low-cost and effective way to keep malware (not just ransomware) from running on systems is AppLocker, together with the associated Software Restriction Policy GPOs.
- Full documentation is available from Microsoft at no cost.
- Features are similar to the Software Restriction Policies of previous Windows versions.
- AppLocker is the more robust tool of the two, with more granular control over program execution (rules by publisher, path, or file hash, scoped to users or groups).
- AppLocker enforcement is only available on the Enterprise and Education editions of Windows and on Windows Server; other editions fall back to Software Restriction Policies.
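To show what a first AppLocker rollout looks like in practice, here is an added example (not from the original post): it generates executable rules from what is actually installed under Program Files, adds Microsoft's default allow for the Windows directory, deploys the policy in audit mode, and dry-runs two files against it. It assumes an Enterprise or Education edition of Windows (or Windows Server) and an elevated session.

```powershell
# Added example: build, audit and test an AppLocker executable policy.

# Rules only take effect while the Application Identity service is running.
# On recent Windows 10 builds its startup type is locked and must be set via
# GPO (Computer Configuration > Windows Settings > Security Settings > System Services).
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue

# Publisher rules for signed binaries under Program Files, hash rules for the
# unsigned remainder, plus the default allow for %WINDIR% so the OS keeps running.
$policy = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -AllowWindows

# Start in AuditOnly: event 8003 in the "AppLocker/EXE and DLL" log records what
# would have been blocked, without breaking anyone yet.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
Set-AppLockerPolicy -PolicyObject $policy

# Dry-run files against the policy without executing them. notepad.exe under
# %WINDIR% should be Allowed; the copy in a user-writable directory should be
# Denied unless an optimized publisher rule from Program Files happens to cover
# Microsoft-signed binaries, which is itself worth knowing about your policy.
$probe = Join-Path $env:TEMP 'probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -PolicyObject $policy -User Everyone -Path $probe, "$env:WINDIR\System32\notepad.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Review the 8003 audit events for a few weeks, add rules for the legitimate software they reveal, then flip the collections to Enabled. One caveat a practitioner should know: the DLL rule collection is off by default, and Petya's payload was a DLL launched through rundll32.exe, so executable rules alone would not have stopped it on a host that was reached over WMIC. Enabling DLL rules is possible but needs far more testing, which is another reason to pair AppLocker with the segmentation and credential controls above.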
Email Filtering – Filtering attachments by type will stop a lot of malware attacks in their tracks. Petya is an exception among ransomware campaigns in that it entered networks through third-party software rather than email. Future variants may well use email as an infection vector, and current campaigns like Locky actively do, so it never hurts to be prepared.
- Optiv recommends blocking executable and zip file attachments outright, and holding all other attachments for manual review.
- It is safer to block attachments and offer a secure transfer option than to allow attachments that may harbor malicious software.
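As an added example of how that policy looks in Exchange (not from the original post), the transport rules below reject executable content, reject archives and script types by extension, and hold every other message with an attachment for review. They run in the Exchange Management Shell or an Exchange Online PowerShell session; secops@example.com is an assumed moderator mailbox, and the extension list beyond exe and zip is this example's own addition.

```powershell
# Added example: Exchange transport rules implementing the attachment policy.

# 1. Reject anything Exchange detects as executable content. This inspects the
#    file itself, so renaming payload.exe to payload.txt does not get past it.
New-TransportRule -Name 'Reject executable attachments' -Priority 0 `
    -AttachmentHasExecutableContent $true `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Executable attachments are not accepted. Use the secure file transfer service.'

# 2. Reject archives and script/macro-bearing types by extension. The list past
#    zip is an assumption for this example; tune it to what your users need.
New-TransportRule -Name 'Reject archive and script attachments' -Priority 1 `
    -AttachmentExtensionMatchesWords zip,7z,rar,gz,iso,js,jse,vbs,vbe,wsf,hta,ps1,bat,cmd,scr,lnk,docm,xlsm `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Archive and script attachments are not accepted. Use the secure file transfer service.'

# 3. Hold every remaining message that carries an attachment for the security
#    team to approve before delivery (secops@example.com is a placeholder).
New-TransportRule -Name 'Moderate remaining attachments' -Priority 2 `
    -AttachmentSizeOver 1KB `
    -ModerateMessageByUser 'secops@example.com'

# Confirm ordering: the reject rules must sit above the moderation rule.
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, State
```

Rule 3 is deliberately blunt, which is the post's recommendation; expect to replace it with a list of allowed document types once the volume of held mail shows what the business actually exchanges.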
Cloud Access Security Broker (CASB) – CASBs are a helpful way to block traffic calling home to ransomware command and control servers.
- Protects against more than ransomware, including traditional malware, botnets, etc.
Security Awareness Training – In the long run, it doesn’t matter what tools are implemented if a user is actively clicking malicious attachments or taking actions that violate the network’s acceptable use policy. While WannaCry did not rely on the traditional methods of exploiting the human factor to propagate, future versions may do so.
- Security awareness training is an effective method of reducing the susceptibility of humans to ransomware campaigns.
- Companies should include how to spot phishing attempts, user-created vulnerabilities, and malicious downloads as part of their training courses.
WannaCry and Petya are outliers compared to traditional ransomware, but more and more malware will use these methods as the threat landscape develops. Their propagation methods are a sign of things to come, so companies must understand their environments and the capabilities of their staff. Additionally, since both WannaCry and Petya leveraged tools and vulnerabilities that were publicly released, organizations must stay abreast of further releases that could be weaponized for espionage, financial crime, or other malicious activity. The items covered in this post are very high-level recommendations but should provide a starting point for protecting against ransomware. The best defense, however, is planning, preparation and effective controls: a solid cyber security program that is actively monitored and adapted as threats evolve.