Petya: Recommendations for defense and remediation.
By The CyberWire Staff
Jun 29, 2017

What can enterprises do, now, to protect themselves against Petya and the other, similar attacks soon to follow? This won't be a one-time thing: WannaCry wasn't, and it's reasonable to expect fresh ransomware campaigns to keep coming, hard and fast. The attackers get a good return on investment from repurposing tools and exploits. There's no reason to expect them to stop.

Commenting on Petya, Ray Rothrock, CEO of RedSeal, said in an email, “It’s happening again. This time in a slightly different form and name, but it’s the same. A new strain of Petya malware is going after unpatched Windows systems via EternalBlue, the same stolen NSA tool exploited by WannaCry.”

Good cyber hygiene begins with knowing your own network.

Rothrock points out, correctly, that many security companies are offering sound advice on how an enterprise ought to respond. But he thinks self-knowledge is the beginning of wisdom: you need to determine what's actually on your network. Then he recommends three steps toward security: "First, they must patch their Windows system. Microsoft has published MS17-010 directly to address this. Second, block TCP port 445 on all firewalls and routing equipment. This will slow Petya down." He notes that step two by itself isn't a fully satisfactory blocking solution. "A firewall-blocked port does not stop someone with the malware on their laptop coming inside the network and inadvertently spreading it – essentially bypassing the firewall solution. In fact, a real problem for any network operations group is knowing where all the assets are, especially ones that contain this vulnerability." So scan your network, and make sure you've accounted for all your assets and the identities they bring with them.
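As an added example of Rothrock's first two steps (this is not code from the article or from RedSeal), the script below checks whether the MS17-010 fix is installed on the local host, inventories which hosts still answer on TCP 445 from this vantage point, and adds a host-firewall block for inbound 445. The host list and the KB identifiers are placeholders: MS17-010 shipped under a different KB number for each Windows version, and the page does not list them, so fill them in from Microsoft's bulletin. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example, not from the article or RedSeal. $Hosts and $KbIds are
# placeholders to be replaced from your own inventory and from the MS17-010
# bulletin for each OS version. Run elevated.

# Placeholder list of hosts to probe for SMB exposure.
$Hosts = @('HOST-PLACEHOLDER-1', 'HOST-PLACEHOLDER-2')

# Placeholder KB identifiers that deliver the MS17-010 fix on this OS.
$KbIds = @('KBPLACEHOLDER')

function Test-Ms17010Patched {
    param([string[]] $KbIds)
    # Get-HotFix lists installed updates on the local machine. Any match means
    # the fix is present; no match is treated as "assume vulnerable".
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb445Exposure {
    param([string[]] $Hosts)
    # Test-NetConnection attempts a TCP handshake on 445. An open port means the
    # host is reachable over SMB from here and must be patched, not just firewalled.
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Smb445Open = $r.TcpTestSucceeded }
    }
}

function Block-InboundSmb445 {
    # Rothrock's step two applied on the host firewall: block inbound TCP 445.
    # As he notes, this does nothing against a laptop already inside the network.
    $name = 'Block inbound SMB 445'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

if (-not (Test-Ms17010Patched -KbIds $KbIds)) {
    Write-Warning 'MS17-010 fix not found on this host; patch before relying on the firewall rule.'
}
Get-Smb445Exposure -Hosts $Hosts | Format-Table -AutoSize
Block-InboundSmb445
```

The exposure inventory is the part that answers Rothrock's "knowing where all the assets are": run it from several network segments, because a host that is unreachable from one vantage point may still be exposed to a compromised laptop on its own subnet.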

His third recommendation, which he calls a "must-do," is for the long term. "Back up so that you can wipe and restore a computer should it be compromised. If a computer is hit with Petya, the immediate solution is to wipe it and restore from a known good backup. Just like the scan gaps, knowing where everything is, and its state, is essential for complete responsiveness to an attack such as Petya or others like it. Policies backed up with resources, plans, and knowledge make for a better security posture and responsiveness. And that starts in the C-suite."

Patching: good practice, but not necessarily easy.

Andrea Carcano, Co-Founder and Chief Product Officer of Nozomi Networks, says that EternalBlue is now a well-known exploit that targets SMB version 1. Carcano's concern is for industrial control systems, which often use that protocol. "Therefore security staff should be identifying any Microsoft systems in their ICS that could be exploited and take immediate remediation steps to patch them. This is the same vulnerability used by last month’s WannaCry ransomware bombardment in which hundreds of thousands of computers in critical industries were affected." Nozomi has advice from the WannaCry infestation that Carcano still commends to your attention.

Carcano agrees with those who think Petya and WannaCry show the importance and urgency of patching. But unlike some who regard failure to patch as too obvious for words, Carcano is very much alive to the reality that industrial control systems aren't as easy to patch as ordinary IT systems. "Within ICS environments rapid patching can be difficult or impossible, which means operators must turn to advanced ICS cybersecurity monitoring to analyze the traffic and identify anomalous SMB v1 traffic. Real-time detection enables operators to take immediate steps to remediate the operational impact and ensure critical infrastructure stays up and running.”
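To make Carcano's "identify anomalous SMB v1 traffic" concrete, here is an added example (not code from the article or from Nozomi Networks) that runs two detections over constructed flow-log lines: any source still negotiating the SMB1 dialect, and any source that fans out to many distinct hosts on port 445 within a short window, which is the worm-like pattern the article describes. The log format, the addresses, and the thresholds are all assumptions; adapt the parser to whatever your monitoring platform actually emits.

```powershell
# Added example, not from the article or Nozomi Networks. The log lines below
# are constructed; the field layout and thresholds are assumptions.

# Constructed sample log: timestamp, source, destination, destination port, SMB dialect.
# 10.0.1.5 fans out to six hosts on 445 in five seconds using the SMB1 dialect.
$SampleLog = @'
2017-06-27T10:00:01Z,10.0.1.5,10.0.2.10,445,NT LM 0.12
2017-06-27T10:00:02Z,10.0.1.5,10.0.2.11,445,NT LM 0.12
2017-06-27T10:00:02Z,10.0.1.5,10.0.2.12,445,NT LM 0.12
2017-06-27T10:00:03Z,10.0.1.5,10.0.2.13,445,NT LM 0.12
2017-06-27T10:00:03Z,10.0.1.5,10.0.2.14,445,NT LM 0.12
2017-06-27T10:00:04Z,10.0.1.5,10.0.2.15,445,NT LM 0.12
2017-06-27T10:00:05Z,10.0.1.7,10.0.2.20,445,SMB 3.1.1
2017-06-27T10:00:06Z,10.0.1.9,10.0.2.20,445,SMB 2.0.2
2017-06-27T10:00:07Z,10.0.1.7,10.0.2.21,443,
'@

function ConvertFrom-FlowLog {
    param([string] $Text)
    # Parse each comma-separated line into an object. An empty dialect field
    # means the flow was not SMB at all.
    $Text -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
        $f = $_ -split ','
        [pscustomobject]@{
            Time    = [datetime]::Parse($f[0]).ToUniversalTime()
            Src     = $f[1]
            Dst     = $f[2]
            DPort   = [int]$f[3]
            Dialect = $f[4]
        }
    }
}

function Find-SuspiciousSmb {
    param(
        [object[]] $Flows,
        [int] $FanOutThreshold = 5,   # distinct 445 destinations per source ...
        [int] $WindowSeconds = 60     # ... within this many seconds
    )
    $smb = @($Flows | Where-Object { $_.DPort -eq 445 })

    # Detection 1: "NT LM 0.12" is the dialect string SMB1 clients negotiate.
    # On a network that has retired SMBv1, any sighting is worth an alert.
    $smb1 = @($smb | Where-Object { $_.Dialect -eq 'NT LM 0.12' } |
        Select-Object -ExpandProperty Src -Unique)

    # Detection 2: sliding window per source, counting distinct destinations.
    $fanout = foreach ($g in ($smb | Group-Object Src)) {
        $events = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = $events[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $dsts  = @($events | Where-Object { $_.Time -ge $start -and $_.Time -lt $end } |
                Select-Object -ExpandProperty Dst -Unique)
            if ($dsts.Count -ge $FanOutThreshold) { $g.Name; break }
        }
    }

    [pscustomobject]@{
        Smb1Sources   = $smb1     # expected on the sample: 10.0.1.5
        FanOutSources = @($fanout) # expected on the sample: 10.0.1.5
    }
}

$flows = ConvertFrom-FlowLog -Text $SampleLog
Find-SuspiciousSmb -Flows $flows | Format-List
```

The fan-out rule is the one that matters in an ICS environment that cannot patch: an SMB1 sighting is a hygiene finding, but a single source opening 445 to a handful of new hosts per minute is the signal to isolate that endpoint, which is the "immediate step" Carcano has in mind.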

Privilege management: another essential.

Morey Haber, vice president of technology at BeyondTrust, has a set of recommendations that begin with sound hygiene. "As with other cyber attacks of this nature, this highlights the importance of getting the basics of cybersecurity right starting with patching vulnerabilities with known exploits first and ensuring your teams understand the importance of not opening attachments that were not expected."

He notes that they've found that "initial exploitation does require administrator rights to infect the system and drop the initial malware associated with Petya. If you are running a least privilege solution, have removed end user administrator rights, or are only trusting digitally signed applications, initial reports indicate UAC [User Account Control] will prompt before executing the malware."

This, he says, should block the initial infection. "However, once the first machine is compromised," he adds, "administrator rights are not needed to propagate the worm due to the severity of the vulnerability and methods used for exploitation. It is still unknown whether newer systems with SecureBoot are immune to this ransomware at initial inception, or if the exploitation has been improved to target Windows 10 machines as well."

He recommends these steps: "Remove administrator rights from end-users, implement application control for only trusted applications, perform vulnerability assessment, and install security patches promptly."
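As an added example of the first of Haber's steps (not code from the article or from BeyondTrust), the script below reports which accounts hold local administrator rights beyond an expected allow-list, and whether UAC is enabled and set to prompt, since Haber's observation is that UAC prompts before the initial payload runs when end users are not administrators. The allow-list and the domain name are assumptions; Get-LocalGroupMember requires Windows 10 / Server 2016 or later.

```powershell
# Added example, not from the article or BeyondTrust. $Allowed is an assumed
# allow-list; 'DOMAIN-PLACEHOLDER' stands in for your own domain.

# Accounts expected to remain in the local Administrators group.
$Allowed = @("$env:COMPUTERNAME\Administrator", 'DOMAIN-PLACEHOLDER\Domain Admins')

function Get-UnexpectedLocalAdmins {
    param([string[]] $Allowed)
    # Every member of the local Administrators group that is not on the allow-list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-UacStatus {
    # EnableLUA turns UAC on or off; ConsentPromptBehaviorAdmin controls whether an
    # elevation prompt is shown (0 means elevate silently, which defeats the point).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        UacEnabled       = ($p.EnableLUA -eq 1)
        AdminPromptShown = ($p.ConsentPromptBehaviorAdmin -ne 0)
    }
}

Get-UacStatus

$extra = @(Get-UnexpectedLocalAdmins -Allowed $Allowed)
if ($extra.Count -eq 0) {
    'No unexpected members of the local Administrators group.'
} else {
    'Unexpected local administrators (review, then remove with Remove-LocalGroupMember):'
    $extra | Format-Table -AutoSize
}
```

Run this across a fleet (for example through a configuration-management job) rather than on one machine, because the exposure Haber describes is the population of workstations where end users are still local administrators, not any single host.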

Blocking and tackling to stop Petya's spread.

Kris Lamb, vice president and general manager of Forcepoint’s Cloud Security business, offered these initial notes and warnings about Petya. "We have identified the ransomware as being able to spread laterally within an organization via a vulnerability in the SMBv1 protocol. The attacks are linked through the use of a common bitcoin wallet." He says that, while researchers are still learning about this new Petya variant, he thinks everyone should refamiliarize themselves with the advice they received during the WannaCry incident. "Ensure that the MS17-010 security update is installed on all Windows machines within the organization. Ensure that you have email and web security solutions that can block malicious emails, block intermediate payload download stages in real-time, and can provide URL Sandboxing features for additional protection at point-of-click. In line with Microsoft's guidance from 2016, customers should consider disabling SMBv1 and other legacy protocols on all Windows systems where this will not negatively impact the function of legacy systems within the environment." 

Forcepoint will be updating their Petya blog as the story unfolds, and they've collected information about EternalBlue and WannaCry in their respective entries as well.

Thomas McCarthy, Director of the Cyber Threat Analysis Team at Nuix, thinks the apparent novelty of the Petya outbreak is due to inattention and failure to recognize that a ransomware attack isn't just a one-off. "It's just another ransomware that isn't doing anything particularly different than other types except it's using a vulnerability that is more widespread," he said. It's a big deal only because it's hitting hard those organizations that haven't mitigated or compensated for a known vulnerability in their Windows environment. He says they'll be hit hard again the next time a known exploit is turned against them if they don't apply proper attention and sufficient resources to the problem.

And again, a big problem is failure to implement regular backup and sound policies. "The panic [in] a lot of the companies getting hit by this mostly stems from not properly backing up and testing backups, [from] prolific user permissions to their own workstation (including shares, local administrator, other systems on the network), and poor network segregation," McCarthy said. "A lot of organizations think they just need good anti-virus software to solve issues like this for whatever reason. That isn't enough. This one looks like it was patched in March: there really isn't much of a good reason why some of these organizations are not fully updating Windows systems in a timely fashion when critical patches come out." So patch, everyone. 
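Both Rothrock ("restore from a known good backup") and McCarthy ("not properly backing up and testing backups") make the same point: a backup only counts once a restore has been checked. As an added example (not code from the article, RedSeal or Nuix), the function below compares a backup tree against its source file by file using SHA-256, reporting files that are missing from the backup and files whose contents differ. The demo at the end builds two temporary trees and tampers with one copy so the output is reproducible; the paths are constructed for the demo.

```powershell
# Added example, not from the article, RedSeal or Nuix. The temporary trees
# built at the bottom are constructed demo data.

function Compare-BackupTree {
    param([string] $Source, [string] $Backup)
    # Hash every file under a root, keyed by its path relative to that root.
    $hashTree = {
        param($root)
        $table = @{}
        $prefixLen = $root.TrimEnd('\').Length + 1
        Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
            $rel = $_.FullName.Substring($prefixLen)
            $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
        $table
    }
    $src = & $hashTree $Source
    $bak = & $hashTree $Backup
    [pscustomobject]@{
        Verified = @($src.Keys | Where-Object { $bak.ContainsKey($_) -and $bak[$_] -eq $src[$_] }).Count
        Missing  = @($src.Keys | Where-Object { -not $bak.ContainsKey($_) })
        Mismatch = @($src.Keys | Where-Object { $bak.ContainsKey($_) -and $bak[$_] -ne $src[$_] })
    }
}

# Constructed demo: a source tree of three files and a backup that is missing one
# file and holds a corrupted copy of another.
$root   = Join-Path $env:TEMP ('backup-check-' + [guid]::NewGuid())
$srcDir = Join-Path $root 'source'
$bakDir = Join-Path $root 'backup'
New-Item -ItemType Directory -Path $srcDir, $bakDir -Force | Out-Null

'payroll data' | Set-Content (Join-Path $srcDir 'payroll.csv')
'meeting notes' | Set-Content (Join-Path $srcDir 'notes.txt')
'config'        | Set-Content (Join-Path $srcDir 'app.ini')

Copy-Item (Join-Path $srcDir 'payroll.csv') $bakDir            # intact copy
'meeting notes (corrupted)' | Set-Content (Join-Path $bakDir 'notes.txt')   # differs
# app.ini is deliberately absent from the backup.

$result = Compare-BackupTree -Source $srcDir -Backup $bakDir
$result | Format-List   # Verified: 1, Missing: app.ini, Mismatch: notes.txt

Remove-Item -Path $root -Recurse -Force
```

A hash comparison proves the copy is faithful, not that it is usable: the restore test McCarthy asks for also means bringing a machine back from that copy and confirming the applications on it start.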

Gordon Mackay, EVP, Chief Technology Officer at Digital Defense, also sees poor patching practices at the root of the problem. He said in an email, “Microsoft released a patch for the MS17-010 issue back on March 14th, 2017. Organizations that have not patched for the MS17-010 SMB vulnerability are vulnerable to EternalBlue and therefore, also to the Petya Ransomware outbreak. Organizations should continually assess their networks using a reputable Vulnerability Management scanning solution in order to gauge what systems are vulnerable to the EternalBlue issue. Organizations should also patch their Windows systems for this, or take mitigation actions, such as disabling Server Message Block (SMB) temporarily on affected systems.”
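Lamb's advice to disable SMBv1 where legacy systems permit it, and Mackay's to disable SMB temporarily on affected systems, both come down to the same host-level change. As an added example (not code from the article, Forcepoint or Digital Defense), the script below reports SMBv1 status on both the server side and the client-side optional feature, and retires it only when run with -Apply, so the dependency review Lamb cautions about happens first. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example, not from the article, Forcepoint or Digital Defense.
# Run elevated. Without -Apply the script only reports what it would change.

function Get-Smb1Status {
    # Server side: the SMB server configuration flag.
    # Client side: the SMB1Protocol optional feature (absent on some editions).
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = $server
        FeatureState      = if ($feature) { $feature.State } else { 'NotAvailable' }
    }
}

function Disable-Smb1 {
    param([switch] $Apply)
    if (-not $Apply) {
        'Dry run: would disable the SMB1 server protocol and the SMB1Protocol feature.'
        return
    }
    # Server side first: takes effect without a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Then the optional feature; the change completes on the next restart.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$status = Get-Smb1Status
$status
if ($status.ServerSmb1Enabled -or $status.FeatureState -eq 'Enabled') {
    # Add -Apply once you have confirmed nothing on this host still needs SMBv1.
    Disable-Smb1
}
```

Before adding -Apply, the SMB1 sightings from network monitoring (which hosts still negotiate the SMB1 dialect, and with whom) are the quickest way to find the legacy printers, scanners and embedded systems that Lamb is warning would break.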

What's the attacker's return on investment?

Such longer-term solutions make sense, because ransomware's not going anywhere. It will be on the threat landscape for the foreseeable future. Terry Ray, chief product strategist at Imperva, said in an email, “Surging in popularity, ransomware is now one of the most profitable types of malware attacks in history. Cybercriminals have discovered how financially rewarding—and easy to use—it can be, especially against larger targets with business-critical data stored on file shares. In the decade since its initial appearance, the ransomware extortionate has evolved from a collection of ad-hoc tools implementing an unripe idea and run by callow hackers, to a smooth and highly efficient ecosystem run by professionals and filling the hacker’s most desired void: the path from infection to financial gain.”

It's a commodity threat, and the way to deal with commodity threats is to reduce the attacker's return on investment. 

Ray added, “In the past, ransomware did not appear on the threat list for organizations, mostly due to their backup systems and recovery procedures for data loss situations, which were designed with natural disasters in mind, but could be useful for ransomware as well. This situation has changed drastically with the recent explosion of ransomware attacks. Now it is hard to tell whether these infections occurred randomly (such as when an individual opens an infected personal e-mail), or if the attack has been carried out intentionally by someone deliberately looking to cause damage to a company. Another possibility is that a bad actor could enlist a user-friendly ransomware service that can be easily deployed with very little technical skill, known as ransomware-as-a-service. However, the good news is there are in fact a number of effective ways to defend against ransomware.

“The history of cyber events has taught us that as good as perimeter and endpoint protection may be, security officers should assume that eventually the attackers will find their way in. Data breaches and ransomware attacks both have a common meeting point, which is the place where data resides.

“A critical line of defense for both types of attacks is the security controls where this data is stored—databases, files and cloud applications—and in the applications through which it is accessed. Such security controls, which include monitoring access, specifically around data modification and detection of suspicious anomalies in access patterns, will facilitate early detection of ransomware attacks and immediate isolation of the suspicious endpoint to prevent the encryption or hostage of the files.”

Update, 6.29.17: It seems increasingly likely that the attacker's goal is disruptive and not financial. In any case, if you're a victim of this attack, responding to the ransom demand will be futile. Forcepoint advises, "We strongly recommend not paying the ransom. There is no longer a mechanism to give the victim the decryption key for paying the ransom as the email address to communicate with the attacker has been deactivated. The payment mechanism is very weak and is linked to just a single email address, which is no longer accessible. Even if a victim were to pay the ransom into the appropriate BitCoin wallet the attacker now has no means to share the decryption key. Obtaining unencrypted files is now much more problematic, although decryption tools may soon become available from third parties. Occasionally a business may decide to pay the ransom demand, but in the case of Petya it is no longer worthwhile." Other security companies, including Cyxtera, agree: don't pay.

Suggestions for future development...

Ray's Imperva colleague, Itsik Mantin, Imperva's director of security research, looks to the future of security development and sees more artificial intelligence. “These increased attacks point to the need for solutions like artificial intelligence and machine learning. Often the output of today’s cyber security products is overwhelming amounts of data and alerts for the security team to sift through and act upon. These solutions are programmed to learn as much as they can about any given situation. Theoretically, a properly programmed piece of AI software could perform the same preventative and analytical security measures as a member of the IT staff in a fraction of the time. 

“Machine learning technology is already employed in the detection of malicious mail messages and malware, two of the main infection vectors of ransomware. However, it is a race in which the attacker is often one step ahead of IT. IT needs to win all the battles in order to win the war against the attackers who only need a single successful attempt at access to win.”

Eyal Wachsman, CEO of Cymulate, sees a danger of organizations lapsing into a false sense of security. “Organizations spend billions of dollars on security solutions every year and may relax into a false sense of safety," he said in an email. "They need to reduce the investment on security solutions and invest in continuously assessing their security controls. This recent campaign justifies the need for continuous and on-demand testing of the security posture especially within the highly used attack method which is the email vector, since it is known that 75% of cyber-attacks originate from this vector. CISOs must have the ability to assess their overall security posture and predict evolving threats at any time.”

Michael Patterson, CEO of Plixer, is another expert who emphasizes the importance of patch management and backup. "Organizations must have strong data back-up systems and processes in place and they need to have network traffic analytics to monitor for anomalous behavior. As soon as these ransomware attack profiles are understood, organizations can reduce risk of infection and spread of infection by monitoring for any traffic fitting the profile, as well as monitoring for any connections out to command and control servers.”

Ermis Sfakiyanudis, CEO of Trivalent, said, “This latest ransomware outbreak is yet another example that encryption alone—no matter how well implemented—is no longer ‘good enough’ to protect data against next generation threats. The only way to get ahead of these increasingly sophisticated threats is to approach data breaches as an inevitability and protect data at the file level so, even if a system is breached, the information remains completely unusable to unauthorized users.”

...but don't expect a silver bullet.

We'll give the last word to Vectra Networks’ Chris Morales, head of security analytics, who wanted to interject some realism into vendor claims about protection against Petya. “Any security vendor saying they could completely protect an enterprise from this form of attack isn’t being honest," Morales said, "because the attacker just needs to succeed once and the attack surface is too large. By adding worm-like spreading to PetWrap, the attacker has created a pyramid scheme that encrypts the boot record of the computer, not just the files, which makes this attack far more fatal. By the time you find one infected machine, you can assume dozens more have been infected, turning this into a light-speed game of whack-a-mole from a security perspective. The NSA designed these tools to specifically bypass existing security solutions, so it’s no surprise that the industry will be playing catch up for the next several months."