Call our IT experts today on 01254 firstname.lastname@example.org
Lancs BB1 4LA
Ukraine’s power distributor, one of the world’s largest snack companies, and even Chernobyl’s radiation monitoring systems were among the hundreds of businesses and organizations around the globe reporting that they’d been infected by ransomware from the Petya family on Tuesday.
Though the initial attack vector has not yet been identified, F-Secure analysis finds this strain of Petya uses the EternalBlue exploit that first Microsoft patched in March, which gained prominence in May of 2017 thanks to WannaCry, the largest ransomware outbreak ever. These exploits, identified by the National Security Agency, did not become public until the hacking group the Shadowbrokers released them publicly early this year.
F-Secure Labs has been warning about the dangers of leaked government surveillance tools being weaponized by criminals for years. These warnings have now become a reality that businesses will have to contend with for years to come.
WannaCry proved a viable business model for criminals. Ransomware that spreads like a worm through a network could hold much of an organization’s data hostage, demanding cash delivered in the form of Bitcoin in return for relief. But WannaCry’s damage was quickly minimised due to sloppy coding that allowed for a kill switch to be activated by malware researcher who was actually on vacation at the time.
Now Petya appears to be a much more professional attempt to employ similar methods.
“This is what WannaCry looks like in the big leagues,” said Sean Sullivan, F-Secure Security Advisor. “Amateurs infected a lot of people last time. This time these guys want to cash in.”
Unlike other ransomware, Petya has an “evil twist” – it encrypts portions of the hard drive making Windows inaccessible. Though the family has been around more than a year, no version of it has used network exploits before.
As of Tuesday afternoon, more than $6,000 had already been collected in the Bitcoin wallet into which Petya demands payment, according to this Twitter account tracking payments.
Our endpoint products prevent all examples of the threat. F-Secure vulnerability management product flags the used vulnerabilities within the system for remediation. Finally, F-Secure managed incident response service detects the attack and enables immediate response to the threat.
F-Secure endpoint products offer protection against the Petya ransomware on several layers to ensure that the attack can be stopped in multiple points during the attack chain.
F-Secure’s vulnerability manager, F-Secure Radar, flags the missing Microsoft security patch and the vulnerable 445 port for immediate action for IT administrators, giving them ample time to fix the vulnerabilities before the outbreak.
F-Secure’s managed incident response service, F-Secure Rapid Detection Service, detects a large number of the TTP techniques used by Petya, such as abusing rundll-32 and other Microsoft components, allowing our customers to take immediate remediative actions in the case the infection is detected.
F-Secure endpoint products block the Petya attacks with its default settings. However, it is good to check that all security functions are enabled. Also, you should take steps to mitigate the exploited vulnerability and prevent the attack from spreading in your environment.
For more information, or advice please contact us on 01254 877009 today!