Global ransomware strikes again with Petya—now what?

Posted by Kevin Hutchinson, CISSP on Jun 28, 2017 4:14:23 PM


Kevin Hutchinson IGI

Right after the WannaCry ransomware attack, our CISO Edward Nadareski released an article titled “Preparing for the next big hit” and in light of yesterday’s Petya ransomware attack, it looks like he was spot on. In his article he outlined three critical steps to securing your infrastructure against these type of attacks. Those steps include:

  1. Keeping systems updated with appropriate patches and security releases
  2. Continuous training of staff to increase their security awareness
  3. Frequent, validated backups of your critical systems

Cyber threats like WannaCry and Petya are not going to go away, and the consensus in the security industry is they are only going to get worse. So, what else can you do?


The Firewall Approach

Every firewall has one default rule, implicit deny all. In other words, it will not allow any traffic to flow in or out of your network unless you configure to do so. Too often administrators leave too many ports open internally because there is a presumed need without validation. In the case of Petya, it took advantage of a known vulnerability in the Server Message Block (SMB) protocol that allowed the virus to rapidly propagate through networks and infect other machines. If you aren’t using SMB for communication on your network then there is no need to allow any traffic on TCP ports 445 or 139.  Reevaluate which ports are open on your network and ask the critical question, “Why?”


Every Email is Suspect

We have been telling people for over a decade to not open emails or attachments from people they don’t know, but it still happens every day which is why phishing campaigns are so successful.  If you aren’t expecting an email from someone and it appears in your inbox, approach it with caution.

Let’s say you have been discussing a project with someone we will call “Bob Somebody.”  You normally get emails from his corporate email account but you just received one from and it has an attachment such as a PDF, spreadsheet or some other document. Do you presume he sent it from his personal account and open anyway? If so, you put yourself at risk for being hit with ransomware or any number of other malicious threats. Treat the email as suspect and reach out to Bob to validate that he did send you an email from his Gmail account and verify the email address.


Looking Beyond the Obvious

Say you got hit with WannaCry or Petya and paid the $300 to get your data back. So, once you pay the world is a happy place again, right? Not so fast. Just because your data is no longer encrypted doesn’t mean you are in the clear. It is highly likely that the ransomware was a smoke screen for something else. It’s possible that some other payload was delivered to your machine that will allow the attacker remote control of your computer. If you were infected, now is the time to run a deep scan of your computer with a viable endpoint solution, as well as look for unusual traffic leaving your network.

Updating your systems to current patch levels is almost always prudent, but patching is no guarantee that your systems won’t be impacted. Contact IGI today to better understand how to protect your systems from attacks like these.

Topics: security