Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Petya / Petna / NotPetya Ransomware Recommendations from the Trenches
Here we go again. Not long ago I updated a blog post containing actionable recommendations to protect your environment from ransomware threats, including WannaCry. In the wake of yesterday’s Petya attack, I thought it would be prudent to update that blog again and reinforce concepts discussed therein.
Petya’s attribution and ultimate goal is still a fluid situation, so I’m not going to touch on attribution, as it is a very difficult topic and with the investigation still in its early stages, individuals should not jump to conclusions. However, organizations should always look to ascertain the intent of an attack, as this could shed light on why you have been targeted and understand what additional stages of an attack can include to further enact controls to continuously reduce risk.
Delivery methods were different from WannaCry, and while they shared some behavior, Petya is both a bigger and lesser threat. Petya’s delivery method was centralized around the MeDoc financial software, as well as a watering hole delivered via a Ukrainian university. Unless your organization uses MeDoc or a user visited the watering hole, your threat landscape is greatly reduced. However, that doesn’t mean Petya isn’t a good lesson to learn from. There are some critical things to remember when dealing with Petya, ransomware, and malware in general:
Backups – It is critical for organizations to have a consistent, tested disaster recovery plan that includes solid backups. This remains true concerning Petya, as Petya can completely disable a system at the drive level. The hosting service where the payment email was located shut down the email account early in the infection cycle, so paying the ransom is not an option. Optiv does not recommend paying the ransom anyway; therefore, from a recovery perspective, companies must have tested, functional backups.
Patch – WannaCry harnessing the ETERNALBLUE exploit for propagation reinforces the fact that malware developers are actively seeking new methods of infecting systems and not just sticking to tried-and-true methods. Petya also harnessed ETERNALBLUE, though in a supplemental capacity.
Network Segmentation and User Access Restriction – Network segmentation is a vast and complex topic that exceeds the scale of this blog, but properly segmenting a network is a key safety feature against malware. Petya specifically harnessed WMIC to propagate via stolen credentials. In a segmented and properly restricted network, it would not have been able to propagate.
Endpoint Monitoring – Tools that give a team visibility into the behavior occurring on the endpoint is tremendously useful in combating ransomware. This is even more critical with ransomware threats. Visibility into activity on an endpoint can help incident responders and threat hunters stop attacks before they become incidents.
AppLocker and Software Restriction GPOs – A low-cost and effective way to restrict malware (not just ransomware) from running on systems is AppLocker and associated software restriction GPOs.
Email Filtering – Filtering extensions in email will stop a lot of malware attacks in its tracks. Petya is an exception to many ransomware campaigns in that it uses external software to infiltrate a network and infect systems. Future versions of ransomware, however, may use email delivery as an infection vector. Current ransomware campaigns like Locky are actively using email as an infection vector, so it never hurts to be prepared.
Cloud Access Security Broker (CASB) – CASBs are a helpful way to block traffic calling home to ransomware command and control servers.
Security Awareness Training – In the long run, it doesn’t matter what tools are implemented if a user is actively clicking on malicious attachments or taking actions that violate the acceptable use policy for a network. While WannaCry did not harness traditional methods of exploiting the human factor to propagate, future versions may do so.
WannaCry and Petya are outliers compared to traditional ransomware. However, more and more malware will use these methods as the threat landscape develops. The propagation methods are a sign of things to come, so companies must understand their environments and the capabilities of their staff. Additionally, since both WannaCry and Petya have leveraged tools and vulnerabilities widely released, organizations must stay abreast with further releases that could be continuously weaponized for espionage, financial crime, or other malicious activities. The items covered in this post are very high-level recommendations but should provide a starting point for protecting against ransomware. However, the best defense is planning, preparation and effective controls—having a solid cyber security program in place and actively monitoring and adapting as threats evolve.
Let us know what you need, and we will have an Optiv professional contact you shortly.