Another Ransomware Cyber-attack

In a matter of hours, the new Petya ransomware spread across 65 countries. While WannaCry and Petya aren’t the first ransomware, they are a new breed of ransomware, one that uses powerful exploits to propagate rapidly within an organization and on to new ones. As an IT managed services provider (MSP), it’s imperative we understand this ransomware outbreak and how it can affect our clients’ businesses. Don’t know what Petya is or how you can stay protected? Here it is, in a nutshell:

What is Petya?
Petya ransomware is part of a new wave of ransomware attacks that has hit computer servers all across Europe, particularly in Ukraine and Russia. It hijacks computer data, infecting and encrypting all the user’s files and displaying messages demanding a Bitcoin ransom worth $300. As with most ransomware strains, victims who do not have recent backups of their files are faced with a decision to either pay the ransom or kiss their files goodbye.
This new strain has worked its way around the world at alarming speed. The ransomware spread using a vulnerability in Microsoft Windows that the software giant patched in March 2017—the same bug that was exploited by WannaCry. Microsoft released a patch for the vulnerability targeted by the EternalBlue exploit, but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May, and may still be vulnerable. The first to be hit were government and financial institutions in Ukraine; from there the outbreak metastasized to about 2,000 computer systems around the world.

How to Protect Against Petya?
Luckily, there are various safeguards you can take to protect your computer systems from Petya.

Patch, Patch, Patch
I feel like a broken record on this because people have been saying it for years, but the best way to protect against these attacks is to stay as up to date as possible with patches and to educate all users. Petya, like WannaCry and so many other attacks, relies on unpatched systems to gain a foothold and to propagate to new systems. However, Petya went one step further: once inside your environment, it could propagate to fully patched systems as well. This means that a single, low-value system missing a patch can serve as an entry point and allow the ransomware to infect fully patched, higher-value systems. In the end, patching is only as good as your weakest link—meaning companies need to be more vigilant than ever when patching their systems. By patching we mean having all your operating systems, office productivity software and security software current, with the latest versions and latest updates.

Realize the Difference Between Owning Security Tools and Using Them
The reality of both Petya and WannaCry is that even if you weren’t patching, basic security tools that most organizations own—such as antivirus and other endpoint protection tools—would prevent any damage from these attacks. So how did so many organizations get impacted? The answer is simple: they, like many organizations, lacked adequate management of their security tools.
Investing in security tools is a great step towards securing yourself, but realize that installing these tools without any ongoing management is like owning a car you never fill up with gas. It might look good in your driveway but it isn’t able to do what it was designed to do.

Understand the Limitations of Basic Protection Tools
These attacks are a scary reminder of the changing threat landscape—one that is especially impacting small- and medium-sized businesses (SMBs). SMBs used to be able to safely assume that the advanced attacks would be focused on large corporations and governments because there wasn’t enough to gain using these mechanisms against them. However, with these recent attacks they need to realize how that reality has shifted.
These attacks follow a volume-based mentality: getting small amounts from lots of people, rather than large amounts from a single company. They use very powerful exploits, created by government intelligence agencies, to mount broad-based, unfocused attacks that are just as likely to cripple a mom-and-pop shop as a multinational bank.
You need to realize that while antivirus and firewalls are incredibly effective in reducing risk, you also need to start thinking about adding to the security solutions you have in place. Given this new landscape, SMBs will turn to us to put technologies in place to detect and respond to threats and breaches when they do penetrate their defenses, but before they have a chance to do harm. Additionally, you must implement a proper, reliable backup and disaster recovery (BDR) solution with both online and offline backups as the ultimate failsafe against successful attacks.

Bottom Line
This Petya ransomware outbreak is yet another reminder that the threat landscape is ever evolving and growing more sophisticated. While there are many unknowns, there are some basic steps we are taking to reduce the risk of cyber-attacks and provide our clients with secure IT services.
Here at EV-Consultech, we continue to work with our security vendors and the overall industry to protect our own environment as well as the environments we manage. We’re happy to say that our tools and processes ensured that none of our systems or our clients’ systems were impacted by WannaCry or Petya. Moreover, we will continue to be vigilant in our efforts to keep our clients and their end-users protected against the next possible threat.


Global Ransomware Attack

On Friday, a worldwide “ransomware” attack, called “WannaCry,” was deployed by a party presently unknown. Ransomware is a kind of malicious software that, as its name implies, takes a computer hostage and holds it for ransom. The malware enters a computer system through an email attachment or someone visiting a website. From there, it can spread to other computers on that same network. Hackers typically demand about $300 in payment via bitcoin, an untraceable digital currency. If that ransom isn't paid in 72 hours, the price could double. After a few days, the files are permanently locked. Hackers could stand to make more than $1 billion if the ransoms are all paid. This attack further reinforces the inherent risks of our overreliance on computerized systems and the challenges we face in securing those systems.

As of Sunday, more than 200,000 devices in at least 150 countries have been affected, making this the largest cyberextortion scheme ever. So far, the main targets of the attack have been outside the United States, but neither the federal government nor American corporations assume this will continue to be the case. The hackers have generally targeted hospitals, academic institutions, blue-chip companies and businesses like movie theater chains.

The speed and reach of WannaCry, as well as its ability to evolve, are yet more examples of the new age of cyberterrorism we live in. The first wave of attacks was stanched when an anonymous 22-year-old British expert inadvertently found a kill switch that slowed the spread of WannaCry. Variations of the malware have already been seen in the wild, but they have lacked the capacity to spread themselves, which has vastly limited their reach. But WannaCry could continue to expand its range indefinitely because it exploits a vulnerability that has persisted unprotected on many systems. This attack did not target Windows 10 systems, but the vulnerability it exploits is present in all versions of Windows prior to that, dating back to Windows XP.

Going forward, more resources will be allocated to data backups and more attention will be given to updating to the latest security patches. The gradual move to cloud-based storage platforms should improve recoverability from ransomware attacks.

Phishing emails with malicious attachments are the main way the malware ends up on corporate networks, meaning that users should be wary of opening such attachments if they seem at all unusual.

How do you spot a fishy email?

1. Look carefully at the email address of the sender to see if it is coming from a legitimate address.

2. Look for obvious typos and grammatical errors in the body.

3. Hover over hyperlinks (without clicking on them) inside emails to see whether they direct you to suspicious web pages.

4. If an email appears to have come from your bank, credit card company or internet service provider, keep in mind that they will never ask for sensitive information like your password or social security number.

5. Ransomware developers often use pop-up windows that advertise software products that remove malware. Do not click on anything in these pop-ups; instead, close the windows safely.

6. Phishing attempts may try to trick you with scare tactics or demands for immediate action, so validate the source before you take any action.

7. Do not open attachments that you are not expecting.

8. Pay close attention to the sender: it may appear to be someone you know, but with a slightly altered e-mail address that is easy to overlook.

9. If you do not recognize the other people in the “to” line, or you are being cc’d on a strange email, that should be a red flag.
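Several of the checks above (1, 3, 6, 7 and 8) can be automated at the mail gateway or in a help-desk triage script. The following is an added example, not code from the original post: a small Python filter that parses one raw message and reports red flags. The trusted domain, the urgency wording and the sample message are all constructed for this illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed for this example: a domain our organisation trusts, plus the
# scare-tactic wording from check 6. None of these values come from the post.
TRUSTED_DOMAINS = {"example-bank.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Constructed sample message that trips checks 1, 3, 6 and 8 from the list above.
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recover@mail-recovery.example.net
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<p>Urgent: confirm your details within 24 hours.</p>
<a href="http://examp1e-bank.com.login-verify.example/">https://www.example-bank.com/login</a>
"""

def host_of(text):
    # Host part of a URL-looking string (must contain a dot); '' for plain words.
    m = re.match(r"(?:[a-z]+://)?([^/:?#\s]+\.[^/:?#\s]+)", text.strip(), re.I)
    return m.group(1).lower() if m else ""

def lookalike(domain):
    # Checks 1 and 8: a sender domain that nearly, but not exactly, matches a trusted one.
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() > 0.85:
            return trusted
    return None

def flag_email(raw):
    # Returns the sorted list of red flags found in one raw RFC 822 message.
    msg = message_from_string(raw, policy=policy.default)
    flags, text = [], str(msg["Subject"] or "").lower()
    from_domain = parseaddr(str(msg["From"] or ""))[1].rsplit("@", 1)[-1].lower()
    reply_domain = parseaddr(str(msg["Reply-To"] or ""))[1].rsplit("@", 1)[-1].lower()
    if lookalike(from_domain):
        flags.append(f"sender {from_domain} resembles {lookalike(from_domain)}")
    if reply_domain and reply_domain != from_domain:
        flags.append("Reply-To domain differs from From domain")
    for part in msg.walk():  # every MIME part, including a single-part root
        if part.is_attachment():  # check 7: anything unexpected is worth flagging
            flags.append(f"attachment {part.get_filename()}")
        elif part.get_content_type() == "text/html":  # check 3: shown vs. real target
            for href, shown in LINK_RE.findall(part.get_content()):
                if host_of(shown) and host_of(shown) != host_of(href):
                    flags.append(f"link text {host_of(shown)} -> {host_of(href)}")
        if part.get_content_type().startswith("text/"):
            text += " " + part.get_content().lower()
    flags += [f"urgency: '{w}'" for w in URGENCY_WORDS if w in text]  # check 6
    return sorted(set(flags))
```

Running `flag_email(SAMPLE)` reports the lookalike sender, the mismatched Reply-To, the link whose visible text names one site while its href points to another, and three urgency phrases; a legitimate statement notice from the trusted domain returns an empty list.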

If already infected—

1. Disconnect your computer from the internet and from the local network so it does not infect other machines.

2. Report the crime to law enforcement and seek help from a tech professional to find out what your options for data recovery might be.