Don’t Pay the Ransom: How to Protect your Networks Against Petya

Another nameless, faceless adversary (or, as the U.S. Army calls them, "the enemy with no face") struck again in the last week of June. Hot on the heels of the WannaCry attack in May, the Petya ransomware campaign brought widespread disruption to organizations, government agencies, and infrastructure worldwide. Like WannaCry, the ransomware targets Windows systems, encrypts the contents of the hard disk, and demands a $300 ransom, payable in bitcoin, for file recovery.

As of the time of writing, Petya's source has yet to be identified and the ransomware attack is far from under control. According to DLT partner McAfee, "the cyberattack appears to be an 'updated variant' of the Petya malware virus. It uses the SMB (Server Message Block) vulnerability that WannaCry did, however in the case of Petya it encrypts, among other files, your master boot file. These messages recommend you conduct a system reboot, after which the system is inaccessible. This basically means the operating system won't be able to locate files."

Ransomware Attacks are Just Beginning – Patching isn’t Sufficient Armor

McAfee CEO, Chris Young, speaking to Bloomberg, says these ransomware attacks are just the beginning of an evolving problem. Instead of single instances where users get phished, ransomware has advanced into “hybrid attacks”. For example, cyber attackers are now using different types of exploits to go after user credentials and “attack machines that aren’t necessarily unpatched,” said Young. “We’re now seeing the evolution of ransomware where they’re trying to move from individuals… to trying to infect entire networks…that’s the next step of the evolution we’re seeing here with Petya.”

What Can you do to Stay Secure?

Microsoft issued a patch for the SMB vulnerability in March (security bulletin MS17-010), although not every organization has installed it, and DLT cybersecurity partners have issued several recommendations and best practices that our customers can follow to protect themselves.

In his Bloomberg interview, McAfee's Chris Young advised users to patch any vulnerabilities they have been alerted to in their environments, then to update all of their cybersecurity defenses: software, monitoring and alerting capabilities, and user awareness. In this article, McAfee also stresses additional measures such as ensuring your anti-virus is up to date, educating users to verify links before they click on them, and backing up all your machines immediately to protect data.
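The advice above reduces, on each Windows host, to two checkable facts: is the SMB patch present, and is SMBv1 still enabled? The script below is an added example, not code from the original post or from DLT, McAfee or any other partner named here. It assumes the host is Windows 8 / Server 2012 or later for `Get-SmbServerConfiguration` (with a registry fallback for older builds), and it assumes KB4012212 and KB4012215, the March 2017 MS17-010 updates for Windows 7 / Server 2008 R2, as the KB list; adjust that list for your OS versions. Note the caveat built into the output: later cumulative and rollup updates supersede those KBs, so a missing KB is a prompt to verify, not proof of exposure. This check covers only the SMB vector the page describes; the credential-theft "hybrid attacks" Young describes reach fully patched machines and need separate controls (credential hygiene, least privilege on admin accounts, and monitoring of lateral movement).

```powershell
# Added example (not from the original post): read-only audit of MS17-010
# patch presence and SMBv1 status on the local Windows host.
# ASSUMPTION: these KB IDs are the MS17-010 updates for Windows 7 /
# Server 2008 R2. Replace them for other OS versions.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Installed {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix lists installed updates by KB ID.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb1Enabled {
    # Preferred path: the SMB server configuration cmdlet (Win8 / 2012+).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }

    # Fallback for older hosts: the registry value that governs SMBv1.
    # An absent value means SMBv1 is enabled (the OS default).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Ms17010Installed = Test-Ms17010Installed
    Smb1Enabled      = Test-Smb1Enabled
}
$report | Format-List

if ($report.Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled. Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if (-not $report.Ms17010Installed) {
    Write-Warning 'No MS17-010 KB found by Get-HotFix. A newer cumulative or rollup update may supersede it; confirm the patch level before treating the host as unpatched.'
}
```

Run it as an administrator so `Get-HotFix` and the registry read succeed; on a fleet, wrap the two functions in `Invoke-Command -ComputerName` and collect the `$report` objects centrally. Disabling SMBv1 is the durable fix because it removes the protocol the exploit targets rather than one instance of the bug, but test it first against any legacy devices (old printers, NAS appliances) that still speak only SMBv1.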

McAfee offers early protection for components of the initial Petya attack in the form of advanced malware behavior analysis with Real Protect Cloud and the brand-new Dynamic Neural Network (DNN) analysis techniques available in McAfee Advanced Threat Defense (ATD). ATD 4.0 introduced a new detection capability using a multilayered, back-propagation neural network (DNN) leveraging semi-supervised learning. Read more about McAfee Endpoint Security and how it can help contain the attack or prevent further execution.

If you're a Symantec customer, check out these FAQs about the attack, how it may impact you, and the protections Symantec has put in place to guard customers against these attacks.

ForeScout, which provides an agentless approach to network security, has also issued guidance for its customers.

Meanwhile, Akamai, the global leader in Content Delivery Network (CDN) services, is closely monitoring all Akamai assets. Due to the nature of the Akamai platform, the infection vectors used by Petya can't be transmitted through its web acceleration or web security networks to customer networks: the ports used by the malware are dropped at the ingress points. Within customer networks, however, current Akamai products will not have visibility into the lateral spread or infection methods used by Petya. As such, Akamai has issued customer recommendations, which you can read here.

If you’re a Palo Alto Networks user, you are also covered. Multiple complementary prevention controls across its Next-Generation Security Platform employ a breach prevention-based approach to automatically stop threats across the attack lifecycle. Read more about those controls in the context of Petya here.

But What Does It Really Take to Achieve Protection Against Emerging Ransomware Attacks?

Defending your agency against "the enemy with no face" takes more than point solutions. You need a holistic approach that stresses threat hunting and detection (such as that offered by DLT partner Sqrrl), advanced prevention of attacks against your systems and data (on your network or in the cloud), remediation of known vulnerabilities, and a governance, risk management and compliance posture that enforces ground rules and accountability. Faced with a plethora of options, DLT's cybersecurity partnerships, expertise and solutions can help your agency understand the solutions available and which ones will work best for you.

Check out our resources page to learn more about understanding and confronting “the enemy with no face.”