News is currently breaking about a new widespread ransomware attack, striking large multinational companies across Europe, with Ukraine’s government, banks, state power utility and Kiev’s airport and metro system particularly badly affected. IT security experts commented below.
Ermis Sfakiyanudis, Cybersecurity Expert and CEO at Trivalent:
“The newest global cybersecurity breach successfully utilized a type of ransomware that researchers argue may be a variant of the Petya ransomware, or something with a similar design, in order to attack computers around the world, including a number of infections now reported in the U.S. This latest ransomware outbreak is yet another example that encryption alone—no matter how well implemented—is no longer ‘good enough’ to protect data against next generation threats. The only way to get ahead of these increasingly sophisticated threats is to approach data breaches as an inevitability and protect data at the file level so, even if a system is breached, the information remains completely unusable to unauthorized users.”
Chris Goettl, Manager, Product Management at Ivanti:
Several critical vulnerabilities with known exploits or proof-of-concept code should be the focus of everyone’s attention. The SMB exploits (EternalBlue and its siblings) resolved in Microsoft’s March Patch Tuesday update are just the start. Reportedly these are the same vulnerabilities the latest Petya variant uses. And we shouldn’t rely on a kill switch to save the day.
In addition, two more updates for known vulnerabilities, released on June Patch Tuesday, warrant attention.
CVE-2017-8543 – A vulnerability in Windows Search could allow an attacker to take complete control of the system. It could also be exploited over the network without authentication through SMB. It was flagged as “Exploited” when Microsoft released the update on June Patch Tuesday.
CVE-2017-8464 – A vulnerability in Microsoft Windows could allow remote code execution if an LNK file is processed. An attacker could craft a shortcut icon that provides the same rights as the local user. It’s a perfect USB drop scenario.
Microsoft went a step further, given recent attacks, and released updates for XP, Vista, and 2003 – The updates go as far back as MS08-067, which plugged the vulnerability Conficker used to infect more than 15 million machines back in 2008.
Make sure you have the latest cumulative Security updates for Windows 7 and Server 2008 R2 up through Windows 10 and Server 2016 in place. This covers the Eternal family of vulnerabilities and the two latest known exploited vulnerabilities.
If you are using the Security Only bundle instead of the Monthly Cumulative Rollup, you need the Security Only bundle from March, April, or May to resolve the original SMBv1 vulnerabilities. You also need the June Security Only bundle to resolve the two latest exploits, including the new SMB vulnerability. By OS you should have the following KBs applied:
Windows 7\Server 2008 R2
Windows Server 2012
Windows 8.1\Server 2012 R2
For those of you still running Windows XP, Vista, 8, or Server 2003, we recommend you have all the Bulletins and KBs described in the document in place on your systems. All are publicly downloadable, even those released after end of life for each operating system.
Finally, if you haven’t yet, here are some additional security controls you should implement to defend against attacks like this:
Application control – Whitelisting can help you defend against untrusted payloads and is one of the most effective security measures to defend against ransomware. Patching plugs the holes attackers use to get onto a system, but in the case of zero days and fileless attacks, whitelisting can block the payload trying to execute (in this case, the ransomware and propagation to other systems).
Threat protection – Antivirus (AV) can’t be considered a first line of defense. In most cases, the latest attack could hit several systems before AV catches up to defend against it. Attacks like WannaCry and Petya can spread so quickly that AV can’t stop them before the damage is done. That said, though? AV is still a necessary layer of defense that can limit propagation and stop attacks in their tracks.
HIPS (host intrusion prevention system) – While often more difficult to tune, making them harder to implement, HIPS or IPS systems are a great line of defense against attacks such as this. The SMB exploits follow reference implementations a HIPS system could identify, report on, and shut down before the attack hits the system.
User education\training – With WannaCry and Petya, exploiting SMB was likely not the first entry point into environments. It was more likely user-targeted attacks (phishing, drive-by downloads, watering hole attacks, etc.), or possibly systems attackers already controlled using CnC infections they put in place earlier. From there the malware used the SMB vulnerabilities to spread rapidly. Any one entry point is enough, if you have not patched those vulnerabilities, so user awareness is important.
Backup and restore – With ransomware so commonplace, it’s even more important to have backup software at critical endpoints. With WannaCry, and so far with Petya, the number of ransoms paid was very small. Having a recent backup allows companies to re-provision and restore user data quickly to get back up and running.
Provisioning – Having a Unified Endpoint Management (UEM) solution seems like an operational issue: it enables the team to manage systems in a heterogenous environment. But there are Response capabilities in that UEM platform that are essential to combat cyber threats today. Any credible security practitioner will say that paying the ransom is a bad idea, and that having good backups and re-provisioning the system and restoring the data is the more efficient way to recover from a ransomware attack.
Gordon Mackay, EVP, Chief Technology Officer at Digital Defense:
“Microsoft released a patch for the MS17-010 issue back in March 14th 2017. Organizations who have not patched for the MS17-010 SMB vulnerability are vulnerable to EternalBlue and therefore, also to the Petya Ransomware outbreak. Organizations should continually assess their networks using a reputable Vulnerability Management scanning solution in order to gauge what systems are vulnerable to the EternalBlue issue. Organizations should also patch their Windows systems for this, or take mitigation actions, such as disabling Server Message Block (SMB) temporarily on affected systems.”
Eldon Sprickerhoff, Founder and Chief Security Strategist at eSentire:
“GoldenEye is a particularly virulent strain of the Petya ransomware that leverages the bones of Petya, but course-corrects weak spots in the original Petya strain. Like its predecessor, GoldenEye makes decryption very difficult. Creators improved the effectiveness of the strain by leveraging exploits associated with WannaCry. Early indicators show that companies who failed to update system patches are most susceptible. Businesses relying solely on anti-virus will also face increased risk, as most AV systems will be incapable of detecting GoldenEye – new hashes are emerging quickly, which means AV will have difficulty keeping up.”
Eldon added, “Our threat intelligence team has seen at least three different ransomware flavors emerge recently: the rapid deletion of files, exfiltration of data, and a new variant which works to lock down passwords before encryption, making backup restoration particularly tricky. GoldenEye, in particular, amplifies the rapid evolution of ransomware. Attacks are becoming more widespread, are moving faster, and are harder to kill. Businesses worldwide should treat this attack as an early warning: take this as an opportunity to ensure that backups and system patches are up-to-date, and tested. Ransomware is not going away; attacks like this will increase in frequency and sophistication.”
Philip Lieberman, President at Lieberman Software:
“The quality and nature of cybersecurity within Europe is generally exceedingly poor compared to the United States. Government and industry are not operating in a cooperative manner as they do here in the US and the level of investment in security is comparatively very low as compared to here. At its core, Europe is a soft target for cyber attacks and there is little they have done to prepare or to react to the attacks. The lack of information technology security infrastructure and preparation is minimal in both government and businesses because of cultural and financial decisions of the last 20 years.”
Jonathan Sander, CTO at STEALTHbits Technologies:
“Ransomware related to the Petya family hitting business in Ukraine may be news, but the reasons are far from new. Reports are that this is using a phishing attack to penetrate organizations, and spreading through the same vulnerabilities that WannaCry and even older malware used.
It’s hard to imagine there wasn’t some system admin or security pro in these organizations begging for the resources to fix these well-known and fully exploited issues.
As business leaders continue to ignore the “eat right and exercise” advice from their security pros, we can’t be surprised when they are having the cyber security equivalent of heart failure.
As long as organizations fail to address basic security problems, they will be victims of common attacks.”
Amichai Shulman, Co-Founder and CTO at Imperva:
“At the end of the day, all ransomware is basically the same. Hackers via the ransomware malware are making files unavailable to users and as a consequence disrupt the operations. As long as the infection and effect of the ransomware is constrained to end points, the damage to organizations should be minimal. That is key.
Some might say – why after WannaCry are systems still unpatched? The issue of patching is irrelevant when looking at a potentially self-replicating malware like Petya because in any large network there will be some unpatched devices. By protecting file servers (e.g. deploying file firewall solutions) rather than focusing on endpoints organizations can minimize the effect of such incident and avoid disruption to business.
One interesting aspect of Petya is clearly attribution. As demonstrated by WannaCry, rapidly replicating ransomware is not a viable financial model. This data supports the argument that this malware is nation state driven and is only aimed at disrupting operations rather than monetizing on the ransom.”
Csaba Krasznay, Security Evangelist at Balabit:
“Based on the lessons we learned from the WannaCry ransomware incident, the most important thing – at this phase – is incident management and real-time information flow.
Organizations need to make sure that in these critical hours they do not cause even more damage. Security professionals should collect all their evidence for forensics analysis. For instance, store all their log messages and record all their activities with session management solutions – in case the system needs to be restored as a result of a human error.”
“The 5 typical ransomware spreading stages are:
* 1st step: Isolation: Infected endpoints needed to be isolated as soon as possible. Rip out the power cable as soon you see the malware!
* 2nd step: Information gathering: what is this, how does it work, how can you manage it? Are national CERTs released? Check out the most efficient platforms for information sharing: these are usually Twitter and security blogs, besides informal communications between companies.
* 3rd step: Network segmentation: Filter out the infected protocol from the network traffic. It’s a hard risk assessment decision: should you prevent malware spreading OR keep the business processes alive?
* 4th step: Implement countermeasures: Use the IOCs, update IDS and firewall rules, AV systems, servers and as many clients and servers as possible, when anti-virus vendors spread their signatures for Petya ransomware.
* 5th step: Keep your fingers crossed: Keep an eye on what’s coming next. Maybe a next variant? Were all the systems patched? Should the company be afraid of making headlines? Did they misconfigure something in the rush?”
Chris Fearon, Based in Belfast, Director of Security Research at Black Duck Software:
“This is an example where the patch was ‘pushed’ to the users, but many users neglected to install the patch. Our reaction and advice is the same as during the WannaCry spree – patch, patch, patch.”
“In most cases patches are not pushed out to users when it comes to open source software, making to important to know what’s in the code you use and to monitor for open source vulnerabilities being disclosed and remediated.”
Ryan Wilk, Vice President, Customer Success at NuData Security:
“Last month’s WannaCry attack likely emboldened cybercriminals worldwide. Today’s Petrwrap is another example of how pervasive the malware problem has become. There is a definite need for a multi-layered approach, that includes employee education about unusual links, what phishing emails look like and the concern for social engineering. There is the organizational need to stay up to date with patches, routine backups and impermeable barriers to entry. Finally there is the design need to build systems from the ground up that protects users and data through multi-factor authentication that includes passive biometrics and behavioral analytics. Behavior-based authentication can vastly increase security of automated attacks and account takeovers. This rising trend must be countered with proactive measures to ensure ransomware and ransomware-as-a-service become ineffective.”
Paul Fletcher, Cybersecurity Evangelist at Alert Logic:
“At this point, all indications point to a successful distribution of an updated version of the Petya ransomware. It seems that the update to this ransomware is the use of SMB vulnerabilities to spread (similar to WannaCry via the NSA leak). The attackers are requesting 300 dollars in bitcoin and have collected over 4,000 dollars at this point.”
Rich Barger, Director of Security Research at Splunk:
- Monthly ransomware attacks on nation states and Fortune 500 enterprises has become the new normal.
- This strain of ransomware, Petya, can be considered the evil twin brother of WannaCry. The strain is very widespread- almost every eastern European country has been affected, with Petya moving quickly into Western Europe
- Russian banks are claiming that email phishing might be the initial infection vector – this has been unsupported so far. The situation is very fluid at the moment and many within the infosec industry are just beginning to scope the situation.
- Whether it’s Petya, WannaCry, or another strain, the repetitive nature of ransomware attacks demand that security analysts take a hard look at their security strategies.
- Ransomware at its heart is a data availability issue. If CISO’s are implementing continuity of operations, they will encapsulate the problem that Ransomware poses to their enterprise.
Matthias Maier, Security Evangelist at Splunk:
- This developing attack is affecting many organizations which provide critical infrastructure.
- The sophistication and consequences of ransomware attacks have reached a new level. The days are near where a cyber-attack can result in a total blackout and affect the lifeblood of society.
- Organizations affected by Petya need to react quickly and analyse the situation by looking deep into their infrastructure to check how they can stop the damage in their environment and bring their systems back. Then they need to examine what happened, how the threat got in and identify the weak point in order to fix it.
- The organisations who have a computer emergency and response team (CERT) in place and a platform where they can quickly investigate what happened will have an advantage and will soon be back online. For investigators, the hackers’ fingerprints and crucial evidence they are looking for will be found in the machine data of their digital infrastructure.”
Fraser Kyne, EMEA CTO at Bromium:
“It just goes to show that in security, lighting does strike in the same place twice, and businesses that don’t learn from the mistakes of others will pay the price. Even though most companies should have patched systems vulnerable to EternalBlue after WannaCry, hackers have wreaked havoc by tweaking an existing strain of malware and sending it back into the wild, bypassing most detection-based AntiVirus solutions. A recent run through VirusTotal shows that at the time of writing this, only 16 of 61 AV vendors picked up the ransomware.
“With new strains of malware appearing every second, organisations simply can’t rely on a detection-based approach anymore. Instead, companies should be looking to solutions that allow malware to execute in a completely isolated, secure environment, removing the risk from malicious documents and zero day exploits.”
Raj Samani, Head of Strategic Intelligence at McAfee LLC:
“McAfee has received multiple reports of modified variants of the Petya ransomware variants. McAfee Labs is analysing these samples and advising customers on how to address the threat in their environments.
“This outbreak does not appear to be as great as WannaCry but the number of impacted organisations is significant. It appears that its using the same propagation method as WannaCry, at least based on the data we have right now. Anybody running Operating Systems that have not been patched for the vulnerability WannaCry exploited could be vulnerable to this attack.”
Gavin Millard, Technical Director at Tenable Network Security:
“The ransomware appears to be a new version of Petya that could possibly have similar characteristics to WannaCry, employing ETERNALBLUE to spread to other systems before encrypting files and demanding payment. One major difference between this outbreak and WannaCry though, is the possible inclusion of exploit code for another known vulnerability CVE-2017-0199, affecting Microsoft Office to further spread the payload.
If this attack turns out to be leveraging the same vulnerabilities WannaCry leveraged to spread, or other known bugs that have had patches available for months, there are going to be some awkward conversations between IT teams that failed to patch or protect and businesses affected. The publicity around WannaCry couldn’t have been larger, probably eclipsing Heartbleed, yet if this is the same attack vector, it demonstrates a distinct lack of taking threats like this seriously.”
Edgard Capdevielle, CEO at Nozomi Networks:
“Whether you believe the Ukraine is a test-bed for nation state aggression or an issue between two specific countries, the continued barrage of attacks against Ukrainian infrastructure is disturbing.
“The most recent attack is reported to target IT systems and has not impacted the operational systems and industrial control systems (ICS) that control the power supply there, according to Ukrainian state power distributor, Ukrenergo. However, critical infrastructure providers around the globe should re-double their efforts to ensure proper separation of their IT and OT networks and be actively monitoring their ICS environments. This can be done by applying advanced anomaly detection systems so that they can detect and remediate any efforts to disruption operations of ICS within their critical infrastructure.
“If the reports prove true, and this attack was initiated by the External Blue Exploit, security staff should be identifying any Microsoft systems in their ICS that could be exploited and take immediate remediation steps to patch them. However, as within ICS environments rapid patching can be difficult or impossible, operators should employ real-time detection to take immediate steps to remediate the operational impact and ensure critical infrastructure stays up and running when this type of attack strikes.”
Alan Levine, Former CISO and Current Security Advisor at Wombat Security Technologies:
“April 1, 2016 is when the Petya ransomware was first reported, so this is not inherently a new type of ransomware attack.
What really distinguishes Petya is that it encrypts at the boot level, ensuring that any reboot of an asset will automatically deploy the payload. Unlike other variants of ransomware, Petya does not encrypt files, file structures, or folders. Instead — to keep this description simple — Petya encrypts the entire disk, as a boot-level instruction.
The previously reported vector for a Petya attack included a primary variant of a simple email: A job application that appeared to come from Dropbox and included a hoaxed Dropbox link. Once the user clicked on the link, a zipped file was delivered. On the surface, this file was purported to be either (a) a photo of a young man presented as a job applicant — the photo itself is public stock, or (b) an executable that presented an applicant resume in a self-extracting PDF (of course, it was not really a PDF at all).
The delivery mechanism is just the kind of simple but effective email we’ve seen so many times as a primary initial vector for most major cyber-attacks. The email seems timely, the content seems useful, and a user is thus likely to react poorly and click the Dropbox link. Victims don’t ask themselves very basic questions before clicking on the link, however: Do I know the sender? Was I expecting an email from Dropbox. Did I hover over the sender address to confirm it was from Dropbox? Am I in HR and responsible for receiving employment applications? Thus, is the content something I should expect to respond to in my job function? A rudimentary check by the recipient would have answered these questions predominantly NO, and then the attack would have failed.
The value of cyber awareness, as demonstrated by situations such as this, is that it teaches end users (including, and especially, email recipients) that basic vigilance and attention to detail are keystones of cyber defence – best practice for all of us in this dangerous cyber world.”
Dr Guy Bunker, SVP of Products at Clearswift:
“If larger organisations are shown to be prepared to pay significant sums of money to cyber-criminals then it sets precedent. It will only stoke the fire of ransomware and the attacks on business if the perpetrators think they will get away with it. In the non-cyber world, we saw this with the Somali pirates, where once ransoms started to be paid, there was a huge rise in vessels and crew being taken hostage.
Our advice is always the same for both individuals and organisations: once you’ve been compromised, do not pay the ransom. By paying, you’re opening yourself up to further attacks as the criminals will see that A) the organisation has the willingness to pay ransom and B) the cash reserves to do so. Furthermore, in more than 30% of cases, access to the information is not returned, i.e. you still don’t get your data back in an unencrypted form. All too often, the cyber-criminals take the money and then re-encrypt systems a short while later – as the malware will still be lurking in the background, unless it has been fully removed.
This is not the only issue, negotiations between the criminals and organisation can take up valuable time and resources – sometimes even weeks of back and forth with the hackers to come to an agreement on the amount to pay. Ransomwares’ biggest impact is downtime of the organisation, often with organisations requiring complete IT shut-down and the return to pen and paper while the issues are resolved.
The best defence against ransomware is firstly, to ensure all systems and applications are kept up to date with security patches being applied; secondly, ensuring that security systems are in place that strip hidden active content (the type likely to be ransomware) out of documents and emails coming into your organisation; and thirdly, to regularly backup critical information. Backups are key and can ensure that even if information is encrypted, you won’t be in a position where you have to pay – minimizing the harm to you and the reward to the criminal to zero.”
Jonathan Levine, CTO at Intermedia:
“While Petya isn’t a new threat, its rapid spread throughout Russia and the UK indicates the ransomware strain may have been modified to be able to take advantage of the same weakness in Windows that WannaCry did earlier this year. This is further proof that ransomware continues to evolve at dangerously fast speeds and needs to be recognised as a very real threat to organisations of all sizes and types, especially SMBs. Ransomware can infiltrate and shut down an entire business through one infected computer. And more often than not, SMBs are forced to pay a ransom they simply can’t afford. For immediate vigilance, Petya may be spreading via email, so it’s crucial for businesses to proceed with extra caution when opening attachments, as the strain has been seen with extensions .apx, .js, .rar, .pdf and .iso. We don’t want to repeat WannaCry, so having a security plan in place that detects viruses in email attachments is now more important than ever.”
Vyacheslav Zakorzhevsky, Head of Anti-Malware Team at Kaspersky Lab:
Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before.
The company’s telemetrics data indicates around 2,000 attacked users so far. Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, Germany and several other countries. The attack vector is not yet known.
Kaspersky Lab detects the threat as UDS:DangeroundObject.Multi.Generic.
Kaspersky Lab experts aim to release new signatures, including for the System Watcher component as soon as possible and to determine whether it is possible to decrypt data locked in the attack – with the intention of developing a decryption tool as soon as they can.
We advise all companies to update their Windows software, to check their security solution and ensure they have back up and ransomware detection in place.
Phil Richards, CISO at Ivanti:
“New ransomware is attacking global computing systems worldwide as of June 26, 2017.
The ransomware, called Petwrap, is based on an older Petya variant, originating from the GoldenEye malware in December 2016. The new ransomware variant also includes the SMB exploit known as EternalBlue that was created by the United States National Security Administration (NSA), and leaked by the Shadow Brokers hacker group in April 2017.
This malware appears to have been targeted at Ukrainian infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports, and aircraft manufacturers. Since the initial infection it has spread to other markets, and beyond the Ukraine boarders.
The actual malware is ransomware, requesting a ransom equivalent to $300 USD in bitcoins.
The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record. The EternalBlue component enables it to proliferate through an organization that doesn’t have the correct patches or antivirus/antimalware software.
This is a great example of two malware components coming together to generate more pernicious and resilient malware.”
Robert Lipovsky, Researcher at ESET:
“Today, early afternoon (CEST), ESET researchers have begun investigating another massive global ransomware epidemic following the WannaCry and XData/AES-NI outbreaks.
The ransomware appears to be a version of Petya. If it successfully infects the MBR, it will encrypt the whole drive itself. Otherwise, it encrypts all files, like Mischa.
For spreading, it appears to be using a combination of the SMB exploit (EternalBlue) used by WannaCry for getting inside the network, as then spreading through PsExec for spreading within the network. This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched. It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.
The outbreak appears to have started in Ukraine – Patient Zero – more details to come
The outbreak appears to have started in Ukraine, where reports indicate that the financial sector, energy sector and numerous other industries have been hit. The scope of the damage caused to the energy sector is not yet confirmed, and there has been no reports of a power outage – as was the case previously with the infamous Industroyer malware.”
…We have published a blog on WeLiveSecurity.com where additional information about this attack can be found.”
Marco Cova, Senior Security Researcher at Lastline:
“The Petya attack looks very similar in its dynamics and techniques to the WannaCry ransomware that caused large disruption just a few weeks ago. In particular, like WannaCry, it seems to rely on the EternalBlue exploit to automatically spread from one machine to another. It’s still early in the infection lifecycle, but obviously, if it is confirmed that the EternalBlue is the only spreading mechanism, there will be inevitable questions about how organizations could still fall to this attack after all the publicity and support tools (patches, scanning tools, etc.) that were produced as part of the WannaCry response. This attack also shows that criminal groups are always ready to copy and improve on one another’s techniques once they see that something is effective. Finally, the initial reports indicate once again the attacks caused significant outage in the “real” world, with office and stores shutdown as a consequence of the infection: this points once more at the fragility of our current infrastructure that can be substantially affected by what appears to be a “traditional”, widespread and non-targeted attack.”
Andrea Carcano, Co-Founder and Chief Product Officer at Nozomi Networks:
“If rumors prove true that this attack was initiated by the External Blue Exploit, it is a well-known vulnerability using SMB v1. SMB is a protocols used often in the industrial networks. Therefore security staff should be identifying any Microsoft systems in their ICS that could be exploited and take immediate remediation steps to patch them. This is the same vulnerability used in by last month’s WannaCry Ransomware bombardment in which hundreds of thousands of computers in critical industries were effected. (insert hyperlink to our blog: http://blog.nozominetworks.com/index.php/2017/05/17/wannacry-a-wake-up-call-to-revisit-ics-cybersecurity-measures/). It demonstrates the urgency for patching, however within ICS environments rapid patching can be difficult or impossible, which means operators must turn to advanced ICS cybersecurity monitoring to analyze the traffic and identify anomalous SMB v1 traffic. Real-time detection enables operators to take immediate steps to remediate the operational impact and ensure critical infrastructure stays up and running.”
Michael Patterson, CEO at Plixer:
“Petya is another example that ransomware attacks are on the rise. Rightfully so, they strike fear in IT professionals. They are particularly nasty in their ability to disrupt business and destroy company data. Organizations must have strong data back-up systems and processes in place and they need to have network traffic analytics to monitor for anomalous behavior. As soon as these ransomware attack profiles are understood. Organizations can reduce risk of infection and spread of infection by monitoring for any traffic fitting the profile, as well as monitoring for any connections out to command and control servers.”
Allan Liska, Intelligence Architect at Recorded Future:
“As far as the EternalBlue exploit, the worm code appears to heavily borrow from WannaCry, including taking advantage of the same EternalBlue exploit code to move around once it is inside the network. In addition to the EternalBlue exploit, the new attack appears to take advantage of WMIC for lateral movement. WMIC (Windows Management Instrumentation Command-line) is a command line tool that is used to execute system management commands on Windows. Using WMIC requires a username and password, but because the payload includes an information stealer the attackers may be able to scrape usernames and passwords from the victim machine and use those credentials to jump from one box to the next, even boxes that are patched against the EternalBlue exploits.”
Graham Rymer, Research Associate at University of Cambridge:
“Unfortunately, these types of ransomware attacks are inevitable. Businesses and organisations should always have a plan in place in how to respond to these attacks quickly and efficiently to contain the situation. Firms need to take actions such as quickly switch all drives in the system to “read-only” following the attack, which essentially prevented the malware from doing real damage.
“Signature-based malware detection is only effective against known malware. The attacker will always win on the first roll of the dice. But once more information about the ransomware is known and has been shared with cyber security experts and companies, they should be able to build a patch which defends against this specific attack.”
Tristan Liverpool, Director of Systems Engineering (UK&I) at F5 Networks:
“This latest wave of what looks to be ransomware is just another example of the real-world threats encountered by organisations, governments and countries all over the world. These attacks are upping the ante, as they hit services that affect people’s day-to-day activity; such as healthcare, postal services, and transport services. While the reported ransom demands of $300 to release the encrypted data seems low, this will scale up very quickly. The more concerning issue is how national infrastructure is being impacted. There is no easy solution to eradicate ransomware, but when the dust settles, the source of the compromises needs to be determined and remediated.
“Going into the new world of IoT and connected devices, with every element focusing on the application, the digital attack surface area will continue to grow. This gives the attackers more opportunities to infiltrate data. More focus needs to be put on the application and data security. In addition, more cyber security education should be integral in everybody’s daily lives.”
Jean-Frederic Karcher, Head of Security at Maintel:
“This attack is further proof of the rise of ransomware. Ransomware has increased three-fold from 2015 at 1000 attacks a day to 4000 attacks a day in 2017, and shows no signs of slowing down. It will be one of the top three malicious software to watch out for in the coming year and with impact across sectors and society. The right security measures including threat detection must be put into place to ensure businesses, their employees, and customers are kept safe.
The proliferation of ransomware comes as a direct result of its high monetary return on investment. With more valuable information readily available on the web, hackers are using this as a means to steal, lock out users and then ransomware back access – all with the goal of a sizable pay packet at the end.
The main reason huge companies and are targeted is because they have vast amounts of data at their disposal. Hackers can sell large batches of this personal data for profit on the black market.”
John Safa, Former Hacker, Security Expert and Founder at Pushfor:
“Cyber attacks are not going away. We can’t rely on human behaviour to protect us against them. A single moment of human error can bring down a huge organisation – we saw this with the NHS. Cyber security comes down to one person, opening one email. The speed at which information travels from person to person now means that anything can – and does – spread virally. You can’t track where it’s gone, or where it’s likely to end up.
The problem comes down to people sending infected content via email. The only guaranteed solution, like a prophylactic, is to stop the infection being sent in the first place.
It’s time to re-think how content is shared. It’s possible (as with our patented technology) to share information without sending it. Keep information within central corporate security control, and it can’t spread. Any infected content can be quarantined and pulled, to stop it in its tracks.
Human error causes these massive security breaches. We need to stop relying on humans to fix the problem. It’s not working.”
Graeme Newman, Chief Innovation Officer at CFC Underwriting:
“We had an early warning shot last month as WannaCry spread like wildfire globally. However, in actual terms, it inflicted relatively little damage. Petya, however, seems to be different. This new breed of ransomware looks much more dangerous, already causing chaos for businesses around the world and early indications suggest that this could cost organisations ten times more than WannaCry. In terms of its global impact, we’re already seeing claims coming in from the US and are bracing ourselves for claims from other countries in the next few hours.”
“This is the tactic of choice for cyber criminals at the moment – in Q1 of 2016, ransomware accounted for 12.9% of our cyber insurance claims, but jumped massively to 20.5% of claims in Q1 of 2017. Fighting ransomware, however, becomes a much more complex battle to face considering that the cost of the ransom can actually be minimal compared to the cost of the ‘clean up’ operation. Claims for this type of attack can quickly spiral out of control when the costs of system damage and business interruption are tallied. It’s easy to see how this new wave of attacks could end up costing businesses millions.”
Terry Ray, Chief Product Strategist at Imperva:
“Surging in popularity, ransomware is now one of the most profitable types of malware attacks in history. Cybercriminals have discovered how financially rewarding—and easy to use—it can be, especially against larger targets with business-critical data stored on file shares. In the decade since its initial appearance, the ransomware extortionate has evolved from a collection of ad-hoc tools implementing an unripe idea and run by callow hackers, to a smooth and highly efficient ecosystem run by professionals and filling the hacker’s most desired void: the path from infection to financial gain.
In the past, ransomware did not appear on the threat list for organizations, mostly due to their backup systems and recovery procedures for data loss situations, which were designed with natural disasters in mind, but could be useful for ransomware as well. This situation has changed drastically with the recent explosion of ransomware attacks. Now it is hard to tell whether these infections occurred randomly (such as when an individual opens an infected personal e-mail), or if the attack has been carried out intentionally by someone deliberately looking to cause damage to a company. Another possibility is that a bad actor could enlist a user-friendly ransomware service that can be easily deployed with very little technical skill, known as ransomware-as-a-service. However, the good news is there are in fact a number of effective ways to defend against ransomware.
The history of cyber events has taught us that as good as perimeter and endpoint protection may be, security officers should assume that eventually the attackers will find their way in. Data breaches and ransomware attacks both have a common meeting point, which is the place where data resides.
A critical line of defense for both types of attacks is the security controls where this data is stored—databases, files and cloud applications— and in the applications through which it is accessed. Such security controls, which include monitoring access, specifically around data modification and detection of suspicious anomalies in access patterns, will facilitate early detection of ransomware attacks and immediate isolation of the suspicious endpoint to prevent the encryption or hostage of the files.”
Itsik Mantin, director of security research at Imperva:
“These increased attacks point to the need for solutions like artificial intelligence and machine learning. Often the output of today’s cyber security products is overwhelming amounts of data and alerts for the security team to sift through and act upon. These solutions are programmed to learn as much as they can about any given situation. Theoretically, a properly programmed piece of AI software could perform the same preventative and analytical security measures as a member of the IT staff in a fraction of the time.
Machine learning technology is already employed in the detection of malicious mail messages and malware, two of the main infection vectors of ransomware. However, it is a race in which the attacker is often one step ahead of IT. IT needs to win all the battles in order to win the war against the attackers who only need a single successful attempt at access to win.”
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies:
“It is true that some battle ships still use Windows versions that may look outdated. However, The Royal Navy recently adopted a specialised version of Microsoft Windows 2000 (“Windows for Warships”) for the fleet. There were also some reports saying that US Navy also use customized and updated versions of Windows XP.
The reason for this backwardness is quite common: when your OS has to deal with some unusual equipment (like ship sensors), special drivers for each type of unique hardware should be written. So, you cannot just update the Windows on such a system (as you would do on a common personal computer with common peripheral units); you have to re-write all the hardware drivers for the new OS. That’s why many ATMs and other industrial systems still run on outdated operation systems like Windows XP.
Since it’s called “specialised”, “customized” and “updated” version of Windows (2000 or XP), we may suppose it has more security fixes than common Windows XP (which is no longer updated). Another way to enforce security would be to cut all the possible connection between that OS and outside world: no USB flash drive, no Internet. From this point of view, a vulnerable Android smartphone can make more harm to the Navy than an isolated computer with specialized Windows.”
Ken Spinner, VP at Varonis:
This attack doesn’t just encrypt data for a ransom – but instead hijacks computers, and prevents them from working altogether. The implications of this type of cyberattack spread far and wide: and can affect everything from government to banks to transportation.
“The number one thing organizations should do to avoid being impacted is to apply the SMB patch that Microsoft released in conjunction with WannaCry.
According to VirusTotal, only 11 out of 51 endpoint AntiVirus software is able to detect this strain of ransomware, which underscores the need for non-signature-based defenses and a layered approach to data security.
Enterprise and government need to be vigilant about monitoring file activity and user behavior: Instead of trying to build a higher wall, a more practical approach is to spot the hackers when they’re inside by analyzing data access–similar to the way a credit card company monitors purchase behavior for fraud. It’s important to keep systems updated with the latest patches to address short term security fixes, but in the long run, organizations need to take a look at their security policies and make sure they’re adapting to today’s threat environment. That means locking down sensitive data, maintaining a least privilege model, and monitoring file and user behavior so that they know the moment they’re under attack.
Failure to take the appropriate steps to address modern malware has a global impact – affecting everything from government to business to transportation. These attacks have the potential to bring the world to a halt: we’ve got to be proactive in planning for attackers breaching the first line of defenses and update security practices to protect data from the inside, for when perimeter security fails.”
Mike Ahmadi, Global Director of Critical Systems Security at Synopsys:
“Scalable ransomware attacks are now a proven and viable business model where the risk is heavily skewed in favour of the attacker. This is has been predicted by security professionals for years and we are now witnessing it all unfold. Systems on a global level remain highly vulnerable and selective fixes only serve to perpetuate an attack based on the next vulnerability on what is now a nearly exponentially growing list of exploitable security bugs. Unless vulnerability management and certification of systems becomes a legal requirement, we can expect to see attacks that are bigger and more sophisticated. As it stands today, it will likely take decades to dig ourselves out of the nearly bottomless pit of vulnerable code making up our infrastructure.”
Peter Carlisle, VP of EMEA at Thales e-Security:
“Once again another major ransomware attack is wreaking havoc on businesses and critical national infrastructure, reminding us all that complacency is not an option.
To tackle this threat it’s essential that the cyber security industry works closely with the government in a combined effort to protect organisations from these threats.
Moving forward, much more needs to be done to ensure that the international community is united in enforcing robust digital defences to ward off the threats of hackers disrupting the way we do business and our day-to-day lives.”
Lee Munson, Security Researcher at Comparitech.com:
“When businesses around the world woke up to the WannaCry ransomware recently, they must have thought their worst nightmares had come true.
That a kill switch was found, and the damage done relatively small, was extremely fortunate but it should have painted a powerful picture of what could happen should another ransomware attack come marching over the hill.
That Petya has caught major organisations unaware, including financial companies that are usually among the most secure types of business, is therefore a massive shock and a huge cause for concern.
Most businesses will have learned the value of maintaining regular backups and the implementation of technical security controls to create restore points and block ransomware at the point of entry.
Petya, however, highlights how staff awareness may still be an issue, giving an in to attacks of this kind, and perhaps highlights how patch management may still be lagging way behind where it needs to be.”
Dan Panesar, VP EMEA at Certes Networks:
“As with the recent WannaCry hack, the truly concerning element of the latest cyber-attack, which has taken down the IT systems of companies across the globe is its sheer scale.
“It highlights that for many businesses, once the outer defences have been compromised, hackers have free reign over a company network. The result is widespread chaos that has a huge impact on businesses and their customers.
“It points to the need for a real change in the cyber security mind-set. It is no longer enough to put up cyber barriers and hope they aren’t breached. The reality is that hackers can and will find a way round. Instead the security industry needs to focus on containment of threats once they find a way into the network. Using cryptographic segmentation, they can limit the impact and ensure that it does not affect their entire company. The technology exists to do this now, but it is up to businesses to embrace the innovation that can help protect their organisation against wide-spread cyber-attacks, before the damage is done.”
Chris Wysopal, Co-Founder at CTO at Veracode:
“The Petya ransomware seems to be spreading using EternalBlue exploit just like WannaCry. Because WannaCry kill switch worked the pain stopped and many orgs did not complete patching their Windows.
This seems to be hitting large industrial companies like Maersk shipping company and Rosneft oil company. These organizations typically have a challenge patching all of their machines because so many systems cannot have down time. Also Airports have this challenge.
On initial submission of Petya to VirusTotal only two vendors were able to detect so many systems are defenseless if they are unmatched and relying on AV.
Looks like WPP, advertising and branding company has been fully compromised. All systems, even website is down.”
Bryan Singer, Director Security Services at IOActive:
“It would seem we have arrived at the dawn of the age of the ICS (Industrial Control System) attack. For the past ten years any attacks to industrial control systems have been one off, specifically targeted attacks by insiders; or otherwise had very limited visibility. For instance, we still talk about Vitek Boden from 2001 and Stuxnet in 2010. But it seems like over the last few weeks we have hit a new era, it is now impossible to say “that can’t happen to us” any more – this will act as a real wake up call.”
Mark McArdle, CTO at eSentire:
“Finding irrefutable evidence that links an attacker to an attack is virtually unattainable, so everything boils down to assumptions and judgement. It’s never been more important to have visibility into the unusual activities going on in a company’s network and have the ability to investigate and respond. This is what research firm Gartner calls ‘Managed Detection and Response (MDR)’ – an effective way of keeping small breaches from turning into headline-making hacks.”