Watching news stories this morning on national media, it seems that the public feels somewhat helpless in how to defend themselves from the latest ransomware onslaught, Petya/NotPetya/Petwrap. “Shouldn’t the NSA be held responsible for protecting us from an exploit they invented?” asked an anchor person on a prominent morning news show. The expert on the discussion panel didn’t respond, instead of fueling the FUD machine, as national media is often want to do.

I speculated that this type of attack would happen when Wannacry hit last month. It’s rare that a security professional would expose the Windows SMB port to the Internet, Wannacry’s initial entry point into a network, but once malware is inside your network that exploit is available everywhere and an excellent choice for propagation. I thought that using Phishing as an initial entry point would be more effective for threat actors, and sure enough, that’s what Petya is doing: Phishing as an initial entry, then SMB to further propagate.

How do you defend yourself against Petya/Petwrap/NotPetya?

First and foremost, educate your users about phishing. Phishing training is available as a cloud service and is very effective – Threatsim, acquired by Wombat, comes to mind — but there are some tips that you can copy to your user base regarding things to look for in an email that should make them suspect it’s a Phishing attempt:

• Email mismatch is a big clue. If “Simple Name <local-part@domain-name>” doesn’t match, it’s not only fishy, it’s likely phishy.  An example would be “John Doe <[email protected]>”.
• Prompting to change credentials should raise suspicions. Your IT Team or bank is doubtful to request that you perform such an insecure practice.
• The presence of MS Office data files should raise suspicions, even if the email appears to be from someone you know. There are more secure ways to share information.
• A threat is issued unless the requested action (i.e. click-through) is performed. Examples are “or risk your account being locked out” or “charges will be automatically billed.”

If a user falls for the Phishing attempt, what then?  If you don’t have Endpoint Protection Products (EPP) in place, you should seriously consider it. Examples are Carbon Black, CrowdStrike, and Cylance. They can prevent malware from executing once present on a user machine or server.

You should consider using a Managed Security Service Provider (MSSP). Consider the value-add that CIPHER’s MSSP actions brought to the table immediately after the Petya/NotPetya/Petwrap attack hit the news:

• Inform clients as to the nature of the risk with reliable details about how Petya/NotPetya/Petwrap spreads, i.e. first through Phishing, then through SMB exploit, based on analysis from our research team
• Create rules for multiple SIEM products for AV, Firewall, AD Object Access, and EPP products
• Created IPS/IDS signatures to look for Indicators of Compromise
• Provide a list of malicious IP addresses specific to the threat and configure firewalls to block them
• Provide a hash for use with Endpoint Protection products to ban files involved in the infection and propagation
• Provide associated filenames and email addresses
• Create rules for multiple SIEM products for AV, Firewall, AD Object Access, and EPP products
• Checked IPS ruleset for JBoss rules that would apply
• Provided link to MS SMB Update that removes that vulnerability
• Provided a sandbox for the use of our clients to determine infection

If all else fails, consider that if you pay the ransom, you encourage subsequent attacks like this by monetizing the threat actor’s efforts. Hopefully, you have good backups that you can rely on – rebuild servers, re-image laptops, and roll the backups back onto the machines.

Contact us here, if you need to get through the Petya/Petwrap/NotPetya storm with consulting assistance.