Petya ransomware has been around for months as a more traditional piece of malware that spreads through e-mail. The new development is that it has borrowed tricks from WannaCry, the last big outbreak, which hit the world only weeks earlier. Instead of relying on e-mail alone, the new variant exploits software vulnerabilities autonomously, and the same EternalBlue SMB exploit is used to spread it from machine to machine.
On May 12, 2017 a ransomware variant called WannaCry quickly became notorious after striking companies and organizations around the world. According to current estimates it has hit over 230,000 computers in 150 countries, making it far and away the most severe malware attack this year and the largest global ransomware outbreak in Internet history. Severe as it has been globally, the situation in the Nordic countries is quite different and under control, because the general level of information security there is higher.
Ransomware like WannaCry works by encrypting files on the victim's computer and then demanding a ransom, paid in Bitcoin, in exchange for decrypting them. If the victim does not pay, the ransom note warns, the price doubles after three days and after seven days the files can no longer be recovered.
What makes WannaCry so fast-spreading and unusual is that it needs no user interaction at all: it spreads from machine to machine as a network worm. Self-propagating worms were common in the early 2000s, but this one exploits a recent vulnerability in the SMBv1 file-sharing service of Microsoft Windows. The worm component is not surprising, since the ransomware appears to have been assembled by amateurs from parts written by others, including exploit code attributed to the NSA and leaked by the Shadow Brokers group. It is also clear that the attackers did not understand the logic of the extortion business and lost control of the situation: WannaCry uses only a few hard-coded Bitcoin addresses, so it cannot even tell which victim has paid, and its operators have drawn a great deal of attention from the authorities while collecting very little money.
How to prevent being infected by WannaCry?
The first version of WannaCry was identified in February, and Microsoft released the patch for the SMBv1 vulnerability that EternalBlue exploits, security bulletin MS17-010, on 14 March 2017, nearly two months before the outbreak. Only organizations that had not applied it were affected. It is therefore essential to patch all your devices for known vulnerabilities on a regular schedule. If you have not updated Windows recently, do it now. Microsoft has collected the patches for all currently supported versions of Windows, and has exceptionally also released fixes for unsupported versions such as Windows XP and Server 2003; they can be found here.
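As an added example (not part of the original article or of Microsoft's guidance), the following PowerShell function checks a single Windows host for the MS17-010 fix and for the state of SMBv1. The KB numbers are the ones Microsoft published with MS17-010 and the May 2017 out-of-band release; the function name, output fields and the registry fallback are this example's own choices.

```powershell
# Added example, not from the original article: check this Windows host for the
# MS17-010 fix (the SMBv1 patch that closes the hole EternalBlue exploits).
# Run in an elevated PowerShell prompt on the host itself.

# KB numbers published with Microsoft Security Bulletin MS17-010 (14 March 2017)
# and the out-of-band May 2017 packages for unsupported versions.
# Both security-only and monthly-rollup packages are listed.
$Ms17010Kbs = @(
    'KB4012598'               # Vista / Server 2008, and out-of-band XP / Server 2003 / Windows 8
    'KB4012212', 'KB4012215'  # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216'  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'  # Windows Server 2012
    'KB4012606'               # Windows 10 1507
    'KB4013198'               # Windows 10 1511
    'KB4013429'               # Windows 10 1607 / Server 2016
)

function Test-Ms17010 {
    [CmdletBinding()]
    param([string[]] $KnownKbs = $Ms17010Kbs)

    # 1. Was one of the MS17-010 packages installed by name?
    $matched = @(Get-HotFix | Where-Object { $KnownKbs -contains $_.HotFixID })

    # 2. Get-HotFix cannot see a fix delivered inside a later cumulative update, so also
    #    report the SMB server driver version; compare it with the version Microsoft
    #    lists for your OS in its MS17-010 verification guidance.
    $srv = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\srv.sys')

    # 3. Is SMBv1 still enabled? Get-SmbServerConfiguration exists on Windows 8 /
    #    Server 2012 and later; older systems expose only the LanmanServer registry value.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $value = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                  -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = ($null -eq $value) -or ($value.SMB1 -ne 0)   # an absent value means SMBv1 is on
    }

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        OS            = (Get-CimInstance Win32_OperatingSystem).Caption
        Ms17010KbSeen = $matched.Count -gt 0
        MatchedKbs    = ($matched.HotFixID -join ', ')
        SrvSysVersion = $srv.VersionInfo.FileVersion
        SrvSysDate    = $srv.LastWriteTime
        Smb1Enabled   = [bool]$smb1
    }
}

Test-Ms17010 | Format-List
```

Get-HotFix only reports packages by the name they were installed under; on a machine kept current through later cumulative updates the March KB will not appear even though the fix is in place, which is why the function also reports the srv.sys driver version for comparison with Microsoft's table. For checking a whole network from the outside rather than host by host, nmap's `smb-vuln-ms17-010` script probes the vulnerability over SMB.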
Back to the basics
Even though WannaCry was amateurish, we will very likely see more corporate-targeted ransomware campaigns with worm features in the future. Cybersecurity threats are hard to deal with, and self-spreading ransomware especially so, but there is a lot an organization can do to be prepared. It starts with getting the basics of cybersecurity right; with those in place, an organization has a far better chance against malware such as WannaCry.
Make sure that you have taken the following steps:
- Ensure that all your devices run up-to-date antivirus software.
- Take backups regularly, store them offline (a backup share reachable from an infected machine gets encrypted along with everything else) and test recovery continuously.
- Keep the software on all your devices up to date so that known vulnerabilities cannot be exploited.
- Ensure that internal services such as SMB, which WannaCry exploited, are not exposed to the Internet. SMB listens on TCP port 445 (and 139 over NetBIOS); block both at the perimeter.
- As a rule, don't open e-mail attachments from senders you don't know, and disable macros in Office documents.
- Limit the use of browser plugins. Disable commonly exploited ones, such as Flash Player and Silverlight, when you are not using them.
- Make sure that your company's personnel have the information they need to deal with cybersecurity.
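As an added example, not from the original article, here is how the SMB, exposure and macro items of the checklist translate into PowerShell on a single Windows host. The cmdlets are the standard SmbShare, DISM, NetSecurity and registry ones; the firewall rule name, the choice of Office 2016 (the 16.0 key) and the macro policy values are this example's assumptions.

```powershell
# Added example, not from the original article: put three of the checklist items into
# effect on one Windows host. Run elevated. For a fleet, deliver the same settings
# through Group Policy instead of running this per machine.

function Disable-Smb1Server {
    # SMBv1 is the protocol version EternalBlue targets; SMBv2/3 stay enabled.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force     # Windows 8 / 2012 and later
    } else {
        # Windows 7 / 2008 R2: LanmanServer registry switch (takes effect after a reboot)
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Where SMBv1 is an optional feature (Windows 8.1 / 10), remove the component entirely.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InternetSmb {
    # SMB listens on TCP 445 (and 139 over NetBIOS). Drop inbound connections from
    # outside the local network; 'Internet' is a built-in address keyword of the firewall cmdlets.
    $name = 'Block inbound SMB from Internet'   # rule name is this example's choice
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445, 139 `
                            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Disable-OfficeMacros {
    # Office 2016 per-user keys (version 16.0 assumed; Office 2013 uses 15.0).
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $security = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $security -Force | Out-Null
        # VBAWarnings: 4 = disable all macros without notification (what the checklist asks for);
        # 3 = allow only digitally signed macros, if some workflow genuinely needs them.
        Set-ItemProperty -Path $security -Name VBAWarnings -Type DWord -Value 4
        # Policy value behind "Block macros from running in Office files from the Internet"
        $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $policy -Force | Out-Null
        Set-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
}

Disable-Smb1Server
Block-InternetSmb
Disable-OfficeMacros
```

Disabling SMBv1 on a server breaks clients that only speak SMBv1 (old printers, NAS boxes, Windows XP), so inventory those first; the firewall rule, by contrast, is safe to apply everywhere, because no legitimate client on the Internet should ever reach a file share directly.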
If you suspect a malware infection, carry out a thorough investigation: isolate the affected host from the network, analyze it manually, and monitor the traffic flowing between your systems and assets in real time to establish whether the environment is affected or compromised. Reacting to anomalies with precision and professionalism is the key to detecting advanced and targeted attacks.
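The traffic pattern worth watching for after a WannaCry-style outbreak is a host opening SMB connections to many different machines in a short time, which no ordinary client does. As an added example, not from the original article, the PowerShell function below finds such fan-out in Windows Firewall logs; the sample log lines are constructed for the example, and the function name, thresholds and output fields are its own assumptions.

```powershell
# Added example, not from the original article: flag hosts that fan out to many distinct
# SMB targets in a short window, the signature of a WannaCry-style worm. Input is the
# Windows Firewall log format (pfirewall.log):
#   date time action protocol src-ip dst-ip src-port dst-port ... path
# Allowed connections must be logged for this to work:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -LogAllowed True -LogBlocked True
# Any flow log with source, destination and port can be adapted by changing $LinePattern.

$LinePattern = '^(?<date>\d{4}-\d{2}-\d{2}) (?<time>\d{2}:\d{2}:\d{2}) (?<action>\S+) (?<proto>\S+) (?<src>\S+) (?<dst>\S+) (?<sport>\d+) (?<dport>\d+)'

function Get-SmbFanOut {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $WindowSeconds = 60,   # sliding window length
        [int] $Threshold = 10        # distinct TCP/445 targets inside one window that raises an alert
    )
    # Keep only TCP connections to port 445. A DROP counts as much as an ALLOW:
    # a worm does not care whether the connection succeeded.
    $events = foreach ($line in $LogLines) {
        if ($line -match $LinePattern -and $Matches.proto -eq 'TCP' -and [int]$Matches.dport -eq 445) {
            [pscustomobject]@{
                Time = [datetime]::ParseExact("$($Matches.date) $($Matches.time)", 'yyyy-MM-dd HH:mm:ss',
                                              [cultureinfo]::InvariantCulture)
                Src  = $Matches.src
                Dst  = $Matches.dst
            }
        }
    }
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $targets = @($sorted |
                Where-Object { $_.Time -ge $start -and ($_.Time - $start).TotalSeconds -le $WindowSeconds } |
                Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source          = $group.Name
                    WindowStart     = $start
                    DistinctTargets = $targets.Count
                    Targets         = ($targets -join ' ')
                }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample log: 10.0.1.40 is an ordinary client of two file servers;
# 10.0.1.25 opens SMB to a dozen hosts, one of them on the Internet, within a few seconds.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 10:00:01 ALLOW TCP 10.0.1.40 10.0.1.5 50112 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:20 ALLOW TCP 10.0.1.40 10.0.1.5 50113 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:35 ALLOW TCP 10.0.1.40 10.0.1.6 50114 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:02 ALLOW TCP 10.0.1.25 10.0.1.26 49152 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:02 ALLOW TCP 10.0.1.25 10.0.1.27 49153 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 ALLOW TCP 10.0.1.25 10.0.1.28 49154 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:03 ALLOW TCP 10.0.1.25 10.0.1.29 49155 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:04 ALLOW TCP 10.0.1.25 10.0.1.30 49156 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:04 ALLOW TCP 10.0.1.25 10.0.1.31 49157 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:05 ALLOW TCP 10.0.1.25 10.0.1.32 49158 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:05 ALLOW TCP 10.0.1.25 10.0.1.33 49159 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:06 ALLOW TCP 10.0.1.25 10.0.1.34 49160 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:06 DROP TCP 10.0.1.25 198.51.100.7 49161 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:07 ALLOW TCP 10.0.1.25 10.0.1.35 49162 445 0 - 0 0 0 - - - SEND
2017-05-12 10:01:07 ALLOW TCP 10.0.1.25 10.0.1.36 49163 445 0 - 0 0 0 - - - SEND
'@

Get-SmbFanOut -LogLines ($SampleLog -split '\r?\n') | Format-List
```

Run it over logs forwarded to a central collector rather than on one host at a time, so that the scanning host's outbound attempts and its targets' inbound records both contribute. WannaCry scanned both the local subnet and random Internet addresses on port 445, so an internal host opening outbound SMB to any Internet address at all, like the 198.51.100.7 line above, is an anomaly worth its own alert regardless of the fan-out threshold.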