The world of IT changed on 27 June 2017. The Petya outbreak has defined a new era of malware that threatens the security of organizations’ IT systems. But are we completely helpless against it? Not necessarily. Read on to find out what you need to know about Petya and how you can secure your data against a wiper malware attack.
By now most of you are aware that on 27 June we entered a new era of information systems security. A new type of malware hit networks and started to infect computer systems within Ukraine, then spread fast across the world.
Petya, a new variant of the previously known ransomware, attacked small and large organizations, hitting some very big companies such as Maersk, Cadbury, Merck, Deutsche Post and many others.
Their users woke up to see a ransom demand on their screens. We now know that it was a fake request from the start!
It spread too fast for IT departments to stop it. Servers are damaged, and most of the organizations hit by it are right now in damage control mode.
This malware, Petya or NotPetya as it is called by now, IS HERE TO STAY. It will be EXTREMELY hard to eradicate. And others will follow.
Before we go into details on how you can protect your company in the future, here are the MOST IMPORTANT facts and answers.
Here are a few fast facts and answers you need in order to assess the situation fully:
Q: Is this malware attacking only un-patched and old systems?
A: NO, even the most recent and patched systems are vulnerable!
Why? This malware does not rely only on holes in the system, as the earlier WannaCry worm did and as the initial assessment assumed. It is very sophisticated and written by PROs.
It uses many different techniques to infect and spread across the network, so even fully patched machines can be infected.
PATCHING is IMPORTANT – it limits the attack vector. DO IT! No excuses.
Q: I was HIT! My machine is not working! Should I pay the ransom and get it back?
A: NO, this isn’t true ransomware, and paying will not help you get your data back.
NotPetya is not true ransomware. It is a wiper – malware built to destroy data – that is merely faking being ransomware. Even if you pay, there is no way to retrieve your data, as the malware discards the encryption keys after the operation is done. The code displayed to you for your payment is just random data.
Q: I get it, no ransom! Is there any way I can recover the data other than paying the ransom?
A: NO, your data is lost.
We don’t like to deliver bad news, but this is true: your data is lost. This was an attack designed to destroy data. Focus on damage control and recovery.
Q: We are being attacked. What can we do?!
A: Act fast! Shut down everything and contain damage, then recover!
You are being hit! STOP READING THIS RIGHT NOW, shut down your machines and contain the damage. Then take control and start recovery. You can read our article later.
If you are fine so far and this malware has not hit you, IT DOESN’T MEAN you are SAFE! The outbreak continues, and it will stay with us for a long time.
What you can do to prevent infection:
Note on attachments: this is a long-term strategy, but try to remove e-mail attachments from your business flow. If people get used to sending links to your drives in the cloud or locally, they will become more aware that an attachment is something dangerous and uncommon.
Some organizations are blocking all attachments at the moment to prevent infection. A radical move, but it might be a sound strategy! Consider it!
Some less obvious advice to prevent Petya and similar malware:
BEFORE YOU JUMP to execute them, first spend time on doing things like:
PATCHING, UPDATING your AV and making sure you have the right BACKUP for all your important data!
What else can be done to limit the spread, prevent damage or protect my systems? There are plenty of ways and methods; to point out a few that you can use if you rely on online services (the ones we know well enough to give you sound advice):
Here are a few thoughts about it from our CTO, Tomasz Onyszko, who took the time to sum it up for you.
With this infection, we have entered a new area of malware outbreaks. Lots of clues indicate that this worm was well prepared to destroy data from the beginning, with its target indicated by its entry vector in a specific country.
Its most likely initial entry vector was an update to software distributed by an external company. This adds a new element to the never-ending security landscape – you need to manage and secure your entire supply chain, with all vendors and software used by your organization.
It is very sophisticated and uses multiple techniques to spread. Patching alone is not enough. You need to secure your network not only to prevent infection but also to not allow it to harvest your credentials over the network. We should have done this a long time ago, but here we have it exploited at scale. There is no way around it anymore.
Last, but most important – your organization needs to be prepared to recover its operations from the state of total disaster. It is not a single machine infected. It is not a single server lost.
There is a movie, 28 Days Later. It shows the world after a virus outbreak where only a few people survived. This is its digital equivalent. All is lost, and you need to recover.
Is anything destroyed causing real-world damage or a threat to life?
What is the minimal service level you need to restore to keep your business running?
What should be up and running a day after?
How will you get there?
We need to answer all these questions in the post-Petya world.
In my almost 20 years of professional career, I think I’ve met only 5% of organizations who had a forest recovery plan for their Active Directory ready. Now is the day when some of them need to use it.
Do you have yours ready?
Finally, it is time for some technical details on how it works and spreads. Our consultant Artur Brodziński took the time to prepare this summary for you based on the available technical information. Read it thoroughly to get additional details and understand it better.
How does it spread across the network?
Petya is a worm, which means that in the first step it builds a list of computers that should be affected, and later the worm is propagated to each machine. It infects all kinds of devices, including fully patched ones, because it uses network credentials to do so.
It was observed that Petya infected and took down up to 5000 computers within a few minutes, so it is really hard to stop it once it enters your network.
A full list of computers is prepared by the worm from the following sources:
Petya also builds a list of users and passwords which are stored in memory. To gather this information, the following methods are used:
Once both lists are built, it uses two methods to spread on the network:
Petya uses 3 steps to infect a computer:
This ransomware attempts to encrypt all files with the following file name extensions in all folders on all fixed drives, except for C:\Windows:
IMPORTANT! ENCRYPTION happens before the reboot, so by the time you see your computer rebooting, your data is already gone.
You can read a very detailed description of Petya on the Microsoft security team blog.
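The two spreading vectors summarized above, credentials harvested from memory and exploitation of unpatched hosts, can be audited per machine. The PowerShell below is an added example, not code from the original post or its authors: it checks the WDigest and LSA-protection registry values and the SMBv1 server setting (the documented Windows controls for those vectors; MS17-010 is the SMBv1 fix known from WannaCry) plus a crude patch-freshness signal, and the script name and its -Remediate switch are this example's own.

```powershell
[CmdletBinding()]
param([switch]$Remediate)   # run elevated; without -Remediate the script only reports

# Registry-backed controls: WDigest caching keeps plaintext passwords in LSASS memory,
# and LSA protection (RunAsPPL) blocks unsigned code from reading LSASS at all.
$checks = @(
    @{ Name = 'WDigest plaintext credential caching disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Key  = 'UseLogonCredential'; Want = 0 },
    @{ Name = 'LSA protection (RunAsPPL) enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'RunAsPPL'; Want = 1 }
)

$results = @()
foreach ($c in $checks) {
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    $ok = ($current -eq $c.Want)
    $results += [pscustomobject]@{ Check = $c.Name; Compliant = $ok; Current = $current }
    if (-not $ok -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
    }
}

# SMBv1 server is the protocol the MS17-010 (EternalBlue) exploit targets.
# Pilot this first: legacy clients that still need SMBv1 lose access when it is off.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$results += [pscustomobject]@{ Check = 'SMBv1 server protocol disabled'; Compliant = (-not $smb1); Current = $smb1 }
if ($smb1 -and $Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }

# Patch-hygiene signal only: a host with no update installed in 30 days needs a manual
# check that the MS17-010 fix is present; a recent update does not prove it by itself.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$fresh = $last -and $last.InstalledOn -gt (Get-Date).AddDays(-30)
$results += [pscustomobject]@{ Check = 'Update installed within 30 days'; Compliant = [bool]$fresh; Current = $last.HotFixID }

$results | Format-Table -AutoSize
if ($Remediate) { Write-Host 'Registry changes take effect after a reboot.' }
```

Run it once in report mode across a pilot group before using -Remediate, and feed the per-host table into whatever inventory you use to track patch and hardening status.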
Ransomware will probably become so common that we will stop noticing it in a while.
This one is not ransomware but malware whose goal is to destroy data. It bundled exploits and hacking techniques to spread so fast and so wide.
It caught a lot of companies unprepared. Investments in external protections were made, but it is always the weakest point that gets broken, and in this case that was internal protection and good security practices.
Be sure it will happen again with a new variant or worm, and this one will be around for a long time.
Better get prepared now. Talk to our experts.