
In the wake of the major Petya ransomware outbreak, Trend Micro shares an approach for enterprises to tackle it


An increasing number of companies across Europe, Ukraine, Russia, and the US are falling victim to another cyber attack following the recent WannaCry ransomware outbreak. This large-scale ransomware attack is reported to be caused by a variant of the Petya ransomware and is currently hitting various users. The ransomware is known to use both the EternalBlue exploit and the PsExec tool as infection vectors, and is detected as RANSOM_PETYA.SMA by Trend Micro.


Nilesh Jain, Country Manager [India and SAARC], Trend Micro, said:

Similar to WannaCry ransomware, the Petya ransomware exploits an SMB vulnerability, passing through the SMB protocol, and exploits a vulnerability which lies in the Microsoft operating system. To prevent the ransomware attack, firstly, companies should have proper segmentation of their network; most companies have a horizontal network and there is no proper segmentation of the network, because of which the exploitation spreads very fast.

The critical network and servers should be properly segmented so that the penetration does not go beyond the segment of the network. The second thing is that companies must deploy a host-based intrusion firewall. They must enable firewall rules so that they can block the traffic coming from unknown sources. They should also make sure they patch their systems immediately.

Nilesh Jain further added:

Companies that have been impacted should segment their infected areas from the rest of the network, so that it doesn’t propagate further. The problem is that these kinds of ransomware attacks keep on coming and you cannot keep on patching the moment the attack comes in. Our advice to companies is to make sure that they have a proactive mechanism for protecting against the vulnerability and to deploy Trend Micro Deep Security, which works in the same direction. Trend Micro also protects its customers against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen security. Also, our technical support representatives are constantly available to resolve customer queries, and we are conducting webinars to create awareness among companies and individuals.

Trend Micro discovered that this Petya variant uses an advanced method to extract information from the infected system. Aside from the use of the EternalBlue exploit, there are other similarities to WannaCry. Like that attack, this Petya variant’s ransom process is relatively simple: it also uses a single hardcoded Bitcoin address, which makes decryption a much more labor-intensive process on the part of the attackers, since a payment cannot be matched to the victim who made it. Petya cleverly uses the legitimate Windows tools PsExec and the Windows Management Instrumentation Command-line [WMIC], an interface that simplifies the use of Windows Management Instrumentation [WMI].
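Because the variant spreads inside a network with legitimate tools, endpoint process-creation telemetry (Sysmon Event ID 1 or Security Event 4688) is the place defenders can see it. The following script is an added example written for this article, not Trend Micro's code or detection logic: it flags process records that match the PsExec / WMIC remote-execution pattern described above. The sample records are constructed for the demonstration; the `Get-SysmonProcessCreateEvents` helper, the host names and the command lines are assumptions, and the Sysmon log name is the default one Sysmon installs.

```powershell
# Added example (not Trend Micro's code): surface PsExec / WMIC lateral-movement indicators
# in process-creation records. Input objects need Computer, Image, CommandLine and ParentImage.

function Find-LateralMovementIndicators {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        $image  = [System.IO.Path]::GetFileName([string]$e.Image).ToLowerInvariant()
        $cmd    = ([string]$e.CommandLine).ToLowerInvariant()
        $reason = $null

        # WMIC creating a process on another host: "wmic /node:<host> ... process call create ..."
        if ($image -eq 'wmic.exe' -and $cmd -match '/node:' -and $cmd -match 'process\s+call\s+create') {
            $reason = 'WMIC remote process creation'
        }
        # PsExec client pointed at a remote machine (\\host); the UNC target is what makes it remote.
        elseif ($image -in @('psexec.exe', 'psexec64.exe') -and $cmd -match '\\\\\S+') {
            $reason = 'PsExec remote execution (client side)'
        }
        # PSEXESVC.exe is the service PsExec drops on the *target*; seeing it means this host was reached.
        elseif ($image -eq 'psexesvc.exe') {
            $reason = 'PsExec service started (target side)'
        }

        if ($reason) {
            [pscustomobject]@{
                Computer    = $e.Computer
                Reason      = $reason
                Image       = $e.Image
                CommandLine = $e.CommandLine
                ParentImage = $e.ParentImage
            }
        }
    }
}

# Real-data path (assumption: Sysmon is installed with its default log name; needs admin rights).
# Sysmon Event ID 1 stores fields as <Data Name="..."> elements, which this flattens into properties.
function Get-SysmonProcessCreateEvents {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Computer    = $_.MachineName
                Image       = $d.Image
                CommandLine = $d.CommandLine
                ParentImage = $d.ParentImage
            }
        }
}

# Constructed sample records (stand-ins for Sysmon / 4688 data; host names and paths are made up).
$sample = @(
    [pscustomobject]@{ Computer = 'WS01'; Image = 'C:\Windows\System32\wbem\WMIC.exe'
        CommandLine = 'wmic /node:"10.0.5.12" /user:"corp\svc-deploy" process call create "C:\Windows\Temp\update.exe"'
        ParentImage = 'C:\Windows\System32\rundll32.exe' },
    [pscustomobject]@{ Computer = 'WS01'; Image = 'C:\Windows\System32\wbem\WMIC.exe'
        CommandLine = 'wmic os get caption'          # local inventory query, benign
        ParentImage = 'C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ Computer = 'FS02'; Image = 'C:\Windows\PSEXESVC.exe'
        CommandLine = 'C:\Windows\PSEXESVC.exe'
        ParentImage = 'C:\Windows\System32\services.exe' },
    [pscustomobject]@{ Computer = 'ADMIN01'; Image = 'C:\Tools\PsExec.exe'
        CommandLine = 'psexec.exe \\FS02 -s cmd.exe /c "C:\Windows\Temp\update.exe"'
        ParentImage = 'C:\Windows\System32\cmd.exe' }
)

# Expect three hits: the WMIC /node call, the PSEXESVC start on FS02, and the PsExec client on ADMIN01.
Find-LateralMovementIndicators -Events $sample | Format-Table -AutoSize

# Against live telemetry:  Find-LateralMovementIndicators -Events (Get-SysmonProcessCreateEvents)
```

The benign `wmic os get caption` record is there deliberately: WMIC and PsExec are legitimate administration tools, so the rule keys on the remote-execution shape (`/node:` with `process call create`, a UNC target, or the dropped service) rather than on the binary name alone, and the `ParentImage` is kept in the output because an administrator launching PsExec from a console looks different from a tool launched by `rundll32.exe`.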

Below are some detailed steps that organizations can take to reduce the risk of infection by this Petya variant:

  • Patch and update your systems, or consider a virtual patching solution.
  • Enable your firewalls as well as intrusion detection and prevention systems.
  • Proactively monitor and validate traffic going in and out of the network.
  • Implement security mechanisms for other points of entry attackers can use, such as email and websites.
  • Disable TCP port 445.
  • Restrict accounts with administrator group access.
  • Deploy application control to prevent suspicious files from executing, on top of behavior monitoring that can thwart unwanted modifications to the system.
  • Employ data categorization and network segmentation to mitigate further exposure and damage to data.
  • Disable SMB (v1) on vulnerable machines, using either GPO or the instructions provided by Microsoft.
  • Ensure that all of the latest patches [if possible using a virtual patching solution] are applied to affected operating systems, especially the ones related to MS17-010.
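The host-level items in this list (disable SMBv1, block TCP 445, enable the firewall, check MS17-010, review the local Administrators group) can be applied and verified from an elevated PowerShell session. The script below is an added example written for this article, not Trend Micro's or Microsoft's own tooling; it uses only built-in cmdlets available on Windows 8.1 / Server 2012 R2 and later (the `Get-LocalGroupMember` check needs Windows 10 / Server 2016 or PowerShell 5.1). The rule name and the KB list are assumptions: the KBs are the ones MS17-010 shipped under, but on Windows 10 later cumulative updates supersede them, so their absence from `Get-HotFix` is not proof that a host is unpatched.

```powershell
#Requires -RunAsAdministrator
# Added example (not Trend Micro's code): apply and report the SMB-related mitigations from the list.

$RuleName = 'Block inbound SMB (TCP 445) - Petya mitigation'   # assumption: any unique display name works

function Disable-Smb1 {
    # Stop the server service from offering SMBv1 at all (the dialect EternalBlue targets).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Where the SMB1 optional component exists (Windows 10 / Server 2016+), remove it as well.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmb {
    # Host-based firewall: make sure every profile is on, then block inbound TCP 445.
    # File servers and domain controllers need this scoped with -RemoteAddress to the subnets that
    # legitimately reach them; on workstations an unconditional block is usually correct.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 445 `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function Test-Ms17010Installed {
    # Assumption: the KB numbers MS17-010 was released under (Win7/2008R2, 8.1/2012R2, 2012,
    # XP/2003/Vista/2008, and the Windows 10 / 2016 builds of March 2017). Superseding cumulative
    # updates on Windows 10 do not show these IDs, so treat $false as "check further", not "vulnerable".
    param([string[]] $KnownKb = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                                  'KB4012217','KB4012598','KB4013429','KB4012606','KB4013198'))
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($KnownKb | Where-Object { $_ -in $installed })
}

function Get-SmbHardeningStatus {
    # One object per host so the output can be collected across machines and compared.
    $smb = Get-SmbServerConfiguration
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Smb1ServerEnabled = $smb.EnableSMB1Protocol
        Port445BlockRule  = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
        FirewallProfiles  = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' '
        Ms17010KbPresent  = Test-Ms17010Installed
        LocalAdmins       = (Get-LocalGroupMember -Group 'Administrators' |
                                 Select-Object -ExpandProperty Name) -join ', '
    }
}

# Apply, then report. Disabling SMBv1 takes effect for new sessions; a reboot is needed only if the
# optional component was removed.
Disable-Smb1
Block-InboundSmb
Get-SmbHardeningStatus | Format-List
```

The `LocalAdmins` field is a report rather than an enforcement step: the list item asks to restrict administrator-group membership, and the first thing to know is who is in that group on each host, since the variant's PsExec and WMIC spreading only works where the credentials it holds are administrative on the next machine.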

For more information, please visit the detailed blog by Trend Micro.

About Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Their innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. With over 5,000 employees in over 50 countries and the world’s most advanced global threat intelligence, Trend Micro enables organizations to secure their journey to the cloud. For more information, please visit Trend Micro.