Answers About The Most Recent Worldwide Ransomware Attack


Fox Rothschild LLP

Yesterday’s worldwide cyberattack once again exploited a vulnerability that has been known to experts for many months. These attacks are sure to continue and the best defense is knowledge. Awareness of how malware works and employee training to avoid the human error that may trigger an infection can prevent your organization from becoming a victim. 

This latest ransomware variant, referred to as “Petya,” is similar in many respects to the “WannaCry” ransomware that affected hundreds of thousands of computers in mid-May, using the same Eternal Blue exploit to infect computers. The purpose of this Alert is to provide you with some information believed or known at this time.

How Is a Computer Infected?

Experts believe the Petya malware is delivered in a Word document attached to an email. Once initiated by opening the Microsoft Word document, an unprotected computer becomes infected and the entire hard drive on that computer is encrypted by the program. This is notably different from WannaCry, which encrypted only files.

Once Petya is initiated, it begins seeking other unprotected computers in the same network to infect. It is not necessary to open the infected Microsoft Word document on each computer. An infection can occur by the malware spreading through a network environment.

Which Computers Are Unprotected?

We learned with the WannaCry ransomware that there is a vulnerability with some versions of Microsoft Windows. Despite the availability of a patch from Microsoft a few months before WannaCry happened, many organizations and users ignored, skipped, or had not fully tested and deployed that patch. Computers that were patched were safe from the malware.

Despite the unprecedented exposure and panic caused by WannaCry, not all organizations and users updated their computers. Surely, some organizations are still testing the patch before deploying, and no doubt some computers or servers simply cannot be patched because software essential to the business is outdated and would not run after the update. Whatever the reason, if the update did not occur, those computers and servers remain susceptible to future attacks using the same exploit as WannaCry.

Petya affected only those computers that continued to remain unpatched following WannaCry. Using the same Eternal Blue exploit, Petya took advantage of the vulnerability that remained on those unpatched computers.

What Happens if a Computer Is Infected?

The hard drive on a computer infected with Petya will become fully encrypted. An infected computer will not be usable in this state. A message will pop up on the computer informing you of the encryption and instructions on how to have the hard drive decrypted, similar to the following:

What Should I Do if a Computer Is Encrypted?

You should seek professional help. If the computer is one for which you have a back-up or can lose the data, you may be able to replace the computer or the hard drive. You should contact an IT consultant to ensure you are not restoring from a back-up that has the malware embedded.

If you are on a network environment, you should immediately contact an IT consultant for advice on possibly taking the network offline and ensuring no other computers are infected. You should not assume that the infection stopped with one computer if that computer was in a networked environment.

In addition to bringing in IT professionals who are familiar with this type of attack (which may not be your day-to-day professionals), you should contact your insurance broker to determine if you have any applicable coverage and to put your insurance carrier on notice. You should also contact your data breach legal counsel to determine if there are any reporting requirements or other legal obligations as a result of the attack.

Recent reports indicate that paying the ransom may be pointless because the host for the email address necessary to report the payment has been disabled by the ISP. It is possible this may change as pressure from victims now with little or no hope of decryption intensifies.

What Should I Do To Minimize the Risks of Future Attacks?

If your computers and servers are not fully patched, that should be your priority. Patches and updates should be rolled out regularly, especially those that are security related.
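The following PowerShell script is an added example and is not part of the Fox Rothschild alert. It gives an administrator a read-only audit of a single Windows host for the exposure the alert describes. It assumes two facts that the alert does not state explicitly: that the Eternal Blue exploit targets the SMBv1 protocol, and that the Microsoft fix is the one published as security bulletin MS17-010. The specific KB identifiers that implement MS17-010 differ per Windows version and are not on this page, so `$Ms17010Kbs` is a labelled placeholder to be filled in from Microsoft's MS17-010 article before use.

```powershell
# Added example (not from the alert): read-only audit of one Windows host for
# the exposure the Eternal Blue exploit uses.
# Assumptions, labelled here and in the lead-in:
#  - Eternal Blue targets SMBv1; Microsoft's fix is security bulletin MS17-010.
#  - KB numbers for MS17-010 differ per Windows version, so the list below is a
#    PLACEHOLDER to be replaced with the ids from Microsoft's MS17-010 article.
# Run in an elevated PowerShell session. Nothing here changes the host.

$Ms17010Kbs = @('KB0000000')   # PLACEHOLDER: MS17-010 KB ids for this OS version

function Get-Smb1Exposure {
    $result = [ordered]@{
        ComputerName         = $env:COMPUTERNAME
        OsVersion            = (Get-CimInstance Win32_OperatingSystem).Caption
        Smb1FeatureInstalled = $null
        Smb1ServerEnabled    = $null
        Ms17010KbPresent     = $false
        MatchingKbs          = @()
    }

    # Is the SMB1 optional feature installed at all? (Windows 8 / 2012 and later)
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $result.Smb1FeatureInstalled = ($feature.State -eq 'Enabled')
    } catch {
        $result.Smb1FeatureInstalled = 'unknown (cmdlet or feature unavailable on this OS)'
    }

    # Does the SMB server still accept SMB1? (SmbShare module, Windows 8 / 2012 and later)
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol
    } catch {
        # Older systems (Windows 7 / 2008 R2): read the documented registry value.
        # When the SMB1 value is absent, SMB1 is enabled by default.
        $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        $result.Smb1ServerEnabled = if ($null -eq $reg.SMB1) { $true } else { [bool]$reg.SMB1 }
    }

    # Cross-check installed hotfixes against the MS17-010 KB list for this OS
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $result.MatchingKbs = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    $result.Ms17010KbPresent = $result.MatchingKbs.Count -gt 0

    [pscustomobject]$result
}

$audit = Get-Smb1Exposure
$audit | Format-List

# Plain-language verdict for whoever reads the report
if ($audit.Smb1ServerEnabled -eq $true -and -not $audit.Ms17010KbPresent) {
    Write-Warning "SMBv1 is enabled and no MS17-010 update from the list was found: prioritise patching this host."
} elseif ($audit.Smb1ServerEnabled -eq $true) {
    Write-Warning "Patched, but SMBv1 is still enabled; disable it unless something still depends on it."
} else {
    Write-Output "SMBv1 is disabled on this host."
}
```

Run it on each computer and server in the inventory (or wrap it in your remoting tool of choice) and collect the objects it returns; hosts that report `Smb1ServerEnabled` true with `Ms17010KbPresent` false are the ones the alert says should be patched first, and hosts that are patched but still have SMBv1 enabled are candidates for disabling the protocol once the business software that depends on it has been identified.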

If not already in place, you should consider a best-in-class service that will scan emails for threats, a URL-checking service that will ensure all known “blacklisted” URLs clicked in emails are blocked, and a state-of-the-art anti-virus solution (which may not be the off-the-shelf solution you have now).

Finally, and just as important as any of the above, you have to train your employees about these risks, what they look like, how they occur, how they can be avoided, and the damage that an attack can have on an organization. Stated differently, your organization can do amazing things with computer and network security, but if your employees are not well trained it can all be for naught.
