
Thursday, 29 June 2017

Another day, another ransomware attack: Petya hits APAC

Source: WhatsApp. Image warning employees not to switch on Windows computers.

  • SingCERT advises all users and companies running the affected Windows versions listed at the end of this post to ensure that those systems are fully patched.
  • Users should ensure that their anti-virus software is updated with the latest malware definitions.
  • Users should perform file backups and store them offline in case they need to restore their systems following an attack.

It first swept Europe, and then Asia, with reports on social media of employees in Singapore being sent home today because their work computers had been shut down as a precautionary measure. The Petya ransomware, sometimes called Goldeneye, has been reported to spread via Microsoft Office documents. It is considered "more dangerous and intrusive" than the previous WannaCrypt (WannaCry) attack because no kill switch has been discovered to date. According to SingCERT, Petya makes use of the Eternal Blue exploit, displays a ransom note and prevents victims from booting their Windows computers.


Acronis has shared that organisations in the region reportedly affected by Petya include the Cadbury chocolate factory in Tasmania, Australia, global law firm DLA Piper, and India's Jawaharlal Nehru Port Trust. The company also said that the new Acronis Active Protection has been tested against the Petya ransomware, and can effectively block Petya attacks.

"The Petya variant of ransomware also gives rise to a new—if not unsavoury—business model: ransomware-as-a-service (RaaS). While there is still some debate as to whether it is a variant of Petya, GoldenEye, or a new version of WannaCry, we can be sure that it was definitely not from the original author of the Petya variant of ransomware. This means that hackers actually purchased the source code and used the models to create the attack," Acronis noted in a statement.

"At Symantec, we see that cyber attackers are compromising businesses and individuals in Asia with continued success. While the threat may have started in Eastern Europe, it has quickly spread across the world within a short time," said Nick Savvides, Security Advocate, Symantec Asia Pacific and Japan.

Source: WhatsApp. Text message on a virus attack.
"Manufacturing organisations, which are highly concentrated in Asia, are particularly at risk as most do not apply updates and patches to their industrial computers as swiftly as corporate entities. This makes them especially vulnerable to rapid infections and complete shutdowns."
 
"This is another high-speed attack that has caught many organisations around the globe off-guard. The recent WannaCry attack was an enormous wakeup call regarding ransomware and many digital defences were updated to stop that attack. Yet days later, an only slightly different attack has slipped past defences to wreak havoc.

"We must retire the idea that traditional defences focused on yesterday’s known attacks offer anything but rudimentary protection. The latest advances in artificial intelligence (AI) mean that smart technology can now detect and fight back against any in-progress attacks within a company network, buying the security teams time to respond. This class of technology truly delivers on the promise of AI in cyber defence and is the only realistic way that security teams will scale to the increased speed and diversity of future attacks,” commented Sanjay Aurora, MD, Asia Pacific, Darktrace.

Savvides notes that Petya is similar to WannaCry in that it is also ransomware that locks up files and uses the ETERNALBLUE exploit for the Windows SMBv1 vulnerability patched in MS17-010 as an infection vector to spread inside networks.
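The PowerShell below is an added example, not code from SingCERT, Symantec or the original post. It covers both SingCERT's advice at the top of this post to get affected systems fully patched and Savvides' point here that the spread relies on ETERNALBLUE: it reports whether an MS17-010 package is installed, reports the version of the SMBv1 driver the exploit targets, reports whether the SMBv1 server is enabled at all, and can turn SMBv1 off. It assumes an elevated PowerShell session; Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later, so older builds fall back to the registry value Microsoft documents for the same switch. The KB numbers are the MS17-010 package IDs as I recall them and are an assumption to verify against the bulletin for your build; Windows 10 receives the fix inside cumulative updates, which is why a missing KB alone is not proof of exposure.

```powershell
# Added example: audit and close the ETERNALBLUE (MS17-010 / SMBv1) attack surface on one host.
# Assumptions: elevated PowerShell; the KB list below is from the MS17-010 bulletin and must be
# verified for your build; Windows 10 gets the fix through cumulative updates instead.
$Ms17010Kbs = @(
    'KB4012598',               # XP / Server 2003 / Vista / Server 2008 (out-of-band release)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012213', 'KB4012216'   # Windows 8.1 / Server 2012 R2
)

function Get-Smb1State {
    # Windows 8 / Server 2012 and later: the SMB server exposes the switch directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / 2008 R2 and earlier: DWORD SMB1 under LanmanServer\Parameters; absent means enabled.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    if ($null -eq $params -or $null -eq $params.SMB1) { return $true }
    return [bool]$params.SMB1
}

function Test-EternalBlueExposure {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    # srv.sys is the SMBv1 server driver the exploit targets; its file version is the ground
    # truth when Get-HotFix cannot see the fix (superseded packages, cumulative updates).
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSVersion     = [Environment]::OSVersion.Version.ToString()
        Ms17010Hotfix = if ($hits.Count) { $hits -join ', ' } else { 'not listed (compare srv.sys version with the bulletin)' }
        SrvSysVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'srv.sys not present (SMBv1 driver absent)' }
        Smb1Enabled   = Get-Smb1State
    }
}

function Disable-Smb1Server {
    # Turning the SMBv1 server off removes the ETERNALBLUE entry point even on an unpatched host,
    # at the cost of breaking clients that only speak SMB1 (old NAS boxes, scanners, Windows XP).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force   # takes effect after a restart
    }
}

$report = Test-EternalBlueExposure
$report | Format-List
if ($report.Smb1Enabled) {
    Write-Warning "SMBv1 server is enabled on $($report.ComputerName); run Disable-Smb1Server once you have confirmed nothing depends on it."
}
```

Read the report as two independent questions: is the host patched, and is the SMBv1 listener even there. A host with Smb1Enabled false is not reachable by ETERNALBLUE whatever its patch state, which is why disabling SMBv1 is the quickest containment step on machines that cannot be rebooted into a patch window. On Windows 10, also check whether the SMB1Protocol optional feature is installed (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol), since the server switch can read true while the feature itself has been removed.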

Petya is worse, Savvides notes, because it does not just lock up files but the entire computer: as SingCERT says above, the victim's machine can no longer boot. Petya also has other infection methods. Besides arriving by email, it can spread inside a network on its own, without anyone having to install software on the next machine.

"This is part of a new wave of multivector ransomware attacks that we are calling 'ransomworm', which takes advantage of timely exploits. The ransomworm is designed to move across multiple systems automatically, rather than stay in one place. It appears that the Petya ransomworm is using similar current vulnerabilities that were exploited during the recent WannaCry attack," said Fortinet in a statement.

"Older legacy systems and critical infrastructure are particularly vulnerable to this attack. The patch for this vulnerability was issued by Microsoft earlier this year. We advise organisations to update their systems immediately."

"New ransomware variants are popping up all the time. Unless you know a well-trained professional who can keep an eye on your devices and watch your online activity 24x7, consumers should employ a security solution to do the monitoring and protecting for you. Norton Security helps protect against Petya via a variety of built-in protections," Savvides said.

"This new variant is particularly virulent because it uses multiple techniques to spread automatically within a company’s network once the first computer is infected," Sophos agreed.

Sophos customers with Sophos Endpoint Protection products are protected against the Petya ransomware, the company said in a statement: "Sophos Intercept X customers were proactively protected with no data encrypted, from the moment this new ransomware variant appeared."

Symantec's advice for the situation includes keeping software up to date, not clicking on Microsoft Office email attachments, being suspicious if an attachment asks for macros to be enabled to view its content, and backing up important data.

Sophos suggests blocking the Microsoft PsExec tool from running on users’ computers using a product such as Sophos Endpoint Protection. "A version of this tool is used as part of another technique used by the Petya variant to spread automatically," the company explained.
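Blocking the PsExec binary on endpoints, as Sophos suggests, stops the client side; the following PowerShell is an added example (not Sophos's code) for the other side of the same technique. Whatever name the client executable carries, PsExec copies its service binary into the target's ADMIN$ share and registers it as a service, and the Service Control Manager records that as event ID 7045 in the target's System log. The function assumes it is run elevated on the host being examined, or is given an exported System.evtx via -Path; PSEXESVC is PsExec's default service name, and the weaker second heuristic exists because PsExec's -r switch can rename it.

```powershell
# Added example (not Sophos's code): find PsExec-style service installs in the System log.
# Assumptions: elevated session on the examined host, or -Path pointing at a saved System.evtx;
# PSEXESVC is PsExec's default service name (renameable with -r, hence the second check).

function Find-PsExecServiceInstall {
    param(
        [string]$Path,          # optional exported System.evtx
        [int]$Days = 7
    )
    $filter = @{ Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'System' }

    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Read the named EventData fields from the event XML rather than regexing the message text.
        $data = @{}
        foreach ($node in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $svc   = [string]$data['ServiceName']
        $image = [string]$data['ImagePath']

        $reasons = @()
        if ($svc -match 'PSEXESVC' -or $image -match 'PSEXESVC') {
            $reasons += 'default PsExec service name'
        }
        # A renamed PsExec service still drops its binary in the root of %SystemRoot% through ADMIN$;
        # legitimate services almost never live there, so treat this as a weaker indicator.
        if ($svc -notmatch 'PSEXESVC' -and $image -match '^(%SystemRoot%|[A-Za-z]:\\Windows)\\[^\\]+\.exe') {
            $reasons += 'service binary in %SystemRoot% root'
        }

        if ($reasons.Count) {
            [pscustomobject]@{
                TimeCreated = $ev.TimeCreated
                Computer    = $ev.MachineName
                Service     = $svc
                ImagePath   = $image
                Account     = [string]$data['AccountName']
                Reason      = $reasons -join '; '
            }
        }
    }
}

# Usage: the last week on this host, or a collected log from a server under investigation
Find-PsExecServiceInstall | Format-Table -AutoSize
# Find-PsExecServiceInstall -Path 'C:\cases\fileserver-System.evtx' -Days 30 |
#     Export-Csv psexec-hits.csv -NoTypeInformation
```

Administrators do use PsExec, so a hit is a lead rather than a verdict: the ordering of many hosts each logging a 7045 within minutes of one another, from an account that does not normally install services, is what distinguishes a worm from a sysadmin. The same event also fires for any other remotely installed service, so the second heuristic will surface dropped payloads that have nothing to do with PsExec.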

Sophos also advised keeping a recent backup copy off-site to guard against damage to files not just from ransomware but also natural disasters, theft, or even a dropped laptop.

Fortinet is in agreement about keeping backups offline, and said IT departments should also have a 'gold standard' operating system disk and configuration. Such an image would allow IT departments to reconstruct their desktops with confidence, the company said. Sharing information about the infiltration with trusted organisations such as the local police can assist with overall community efforts to diagnose, contain, and remedy attacks, Fortinet added.

Fortinet says security operations should also:

· Use sandboxing on attachments.

· Use behaviour-based detections.

· At firewalls, look for evidence of Command & Control.

· Segment the network, to limit the spread of the malware and to keep backup data from being encrypted.

· Ensure that Remote Desktop Protocol is turned off, and/or is properly authenticated, and otherwise limit its ability to move laterally. 
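As an added example (not Fortinet's code), the PowerShell below applies the last two items of Fortinet's list on a single Windows host: it reports the current Remote Desktop posture, turns RDP off where it is not needed, and otherwise requires Network Level Authentication and restricts inbound 3389 to a management subnet, applying the same host-level scoping to the File and Printer Sharing rules so that SMB (port 445, which both ETERNALBLUE and PsExec need) is only reachable from that subnet. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist; 10.0.50.0/24 is a placeholder for your jump-host network; and if Group Policy sets these values, the policy will overwrite the registry changes at the next refresh, so make the change in policy there instead.

```powershell
# Added example (not Fortinet's code): RDP off, or RDP with NLA and scoped to a management subnet,
# plus the same host-firewall scoping for SMB as a host-level segmentation measure.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later (NetSecurity module);
# 10.0.50.0/24 is a placeholder subnet; Group Policy, if it manages these values, wins.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    $deny  = (Get-ItemProperty $TsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla   = (Get-ItemProperty $RdpTcp -Name UserAuthentication  -ErrorAction SilentlyContinue).UserAuthentication
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled   = ($deny -eq 0)   # fDenyTSConnections = 1 means the listener is off
        NlaRequired  = ($nla -eq 1)    # authenticate before a session (and its attack surface) exists
        InboundRules = @($rules | ForEach-Object {
            $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            "$($_.DisplayName): enabled=$($_.Enabled) remote=$scope"
        })
    }
}

function Disable-RdpAccess {
    # "Turned off": no listener left to brute-force or to move through laterally.
    Set-ItemProperty $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

function Limit-RdpAccess {
    # "Properly authenticated, and otherwise limited": NLA on, and 3389 reachable only from the
    # management subnet. Scoping the File and Printer Sharing group the same way limits 445 too;
    # on a file server apply that second scoping to its client subnets rather than a jump-host range.
    param([string[]]$ManagementSubnet = @('10.0.50.0/24'))   # assumption: replace with your own
    Set-ItemProperty $TsKey  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty $RdpTcp -Name UserAuthentication  -Value 1 -Type DWord
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnet
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnet
}

# Usage: inspect first, then pick one of the two functions for the host's role
Get-RdpPosture | Format-List
# Disable-RdpAccess                                   # workstations that never need remote sessions
# Limit-RdpAccess -ManagementSubnet '10.0.50.0/24'    # servers administered from a jump host
```

Host firewall scoping is not a substitute for network segmentation, which is Fortinet's actual point; it is the per-host backstop that still holds when a worm is already inside the segment, because the target rejects the SMB or RDP connection before any exploit code or PsExec service can run.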

Last but not least, Savvides advises victims not to pay the ransom, as does Fortinet. "People assume they'll automatically get their files back if they pay the ransom. You likely will get your files back if you pay. But you may not. Since the attackers already know you'll pay the ransom, they could target you for future attacks," Savvides explained.

Acronis confirms that paying the ransom is a bad idea. "While the potential payouts from ransomed victims can amount in the millions, the actual ransomware is incredulously cheap, between US$50 to US$150, depending on per usage or the actual ransomware source code. The authors then offer their ransomware on the dark net, and offer a generous portion of the paid ransom amount to potential distributors, while the author pockets the rest," the company said. 

Interested?

SingCERT lists the following Microsoft operating systems as likely to be vulnerable:


  • Windows 10
  • Windows RT 8.1
  • Windows 8.1
  • Windows 7
  • Windows XP
  • Windows Vista
  • Windows Server 2016
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows Server 2008 and Windows Server 2008 R2
  • Windows Server 2003 
 
Source: Acronis. Detection of a ransomware attack on a Windows 10 computer, at the point of attack, in real time.

Acronis Active Protection utilises heuristic detection to identify the processes and procedures that ransomware and malware use during an attack. The Acronis technology is available with Acronis True Image 2017 New Generation for consumers, as well as Acronis Backup 12.5 for businesses.

Sophos offers a free trial of Sophos Intercept X and, for home users, the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorised encryption of files and sectors on hard disks.
