
Tag Archives: wanna cry

Don’t be ‘Petyafied’!


Just when the world was recovering from the crisis caused by WannaCry, there's yet another bump in the wire, and this time it's far more serious than its predecessor. Yes, it's PETYA.

** By predecessor, another ransomware is implied, although there is minimal to no relation between the two.

First things first: Petya looks like an all-out attempt to bring down Ukraine. There's already mounting evidence that Petya's focus on Ukraine was deliberate. The initial attacks were limited to just a few specific infections, all of which seem to have been targeted at Ukraine. The highest-profile one was a Ukrainian accounting program called MeDoc, which sent out a suspicious software update Tuesday morning that many researchers blame for the initial Petya infections. Attackers also planted malware on the homepage of a prominent Ukraine-based news outlet, according to one researcher at Kaspersky.

The bottom line is: the attackers had complete control over where they planted Petya (at least initially), and they chose some of the most central institutions in Ukraine.

Now, let’s get to the nuts and bolts of this new kid on the block.

How does Petya commence and proceed?

Petya takes over its victims' computers and demands $300 in Bitcoin. Once the first computer in an organization (known as patient zero) is infected, it spreads rapidly across the organization, using the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or two Windows administrative tools. The malware tries one option and, if it doesn't work, tries the next one. "It has a better mechanism for spreading itself than WannaCry," said Ryan Kalember, of cybersecurity company Proofpoint. However, unlike WannaCry, Petya tries to spread internally within networks but does not seed itself externally.

How can the infection be stopped, temporarily and permanently?

The ransomware infects a computer and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch it off to prevent the files from being encrypted, and then try to rescue the files from the machine. This is a temporary, corrective measure. For a permanent, preventive approach, make sure the Windows OS has the latest patches from Microsoft and that your AV/HIPS or host firewall software is updated to protect against this threat.

What if my system is already infected and encrypted?

If your system reboots with the ransom note, please don't pay the ransom: the attacker's email address has been shut down by the email provider, so there is no way to get the decryption key to unlock your files anyway. The best way forward is to disconnect your computer from the Internet, reformat the hard drive and restore your files from a backup.

** Backing up your files regularly and keeping your anti-virus software up to date are highly recommended.

What software can I use to protect against Petya?

One of the most popular host firewall and AV solutions is ZoneAlarm https://www.zonealarm.com/

If you already have AV software, make sure to update it. The Windows updates mentioned earlier will help prevent the infection.

That covers individual PCs; however, what can I do to protect my enterprise-wide network?

Well, there are a couple of ways to offer preventive defense. One is to segment your network (normal subnet-based segmentation or micro-segmentation using SDN) so as to protect critical systems from user-facing systems. This also offers the capability to protect between the layers of network, storage, compute and so on within your private DC or your cloud ecosystem. Check out Check Point's vSEC solution https://www.checkpoint.com/products/vsec-virtual-edition/
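As an added example (not from the original post and not Check Point's code), here is a small Python model of a first-match, default-deny segmentation policy, together with a check that lists which host pairs still allow SMB on TCP 445, the service EternalBlue attacks. The zones, addresses and rules are constructed assumptions for this example, not a real network.

```python
"""Segmentation policy check (added example, constructed data).

Models a gateway policy with first-match, default-deny semantics and reports
every ordered pair of hosts between which SMB (TCP 445) is still allowed,
i.e. every hop an SMB-based worm such as Petya could take under the policy.
"""
import ipaddress
from itertools import permutations
from typing import List, Optional, Tuple

# (source network, destination network, TCP destination port or None for any, action)
Rule = Tuple[str, str, Optional[int], str]

# Constructed example policy. Rules are checked top-down, the first match wins,
# and a flow that matches nothing is denied (default deny between segments).
# Zones (assumed): 10.10/16 workstations, 10.20/16 servers, 10.30/16 critical,
# 10.40.0/24 admin jump hosts.
POLICY: List[Rule] = [
    # Workstations never get SMB into the server or critical segments...
    ("10.10.0.0/16", "10.20.0.0/16", 445, "deny"),
    ("10.10.0.0/16", "10.30.0.0/16", 445, "deny"),
    # ...but may use ordinary business services on the server segment.
    ("10.10.0.0/16", "10.20.0.0/16", 443, "allow"),
    # Only the admin jump segment may open SMB to critical hosts.
    ("10.40.0.0/24", "10.30.0.0/16", 445, "allow"),
    # Servers may talk freely among themselves (deliberate weak spot, see below).
    ("10.20.0.0/16", "10.20.0.0/16", None, "allow"),
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one TCP flow under first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rule_port, action in policy:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and (rule_port is None or rule_port == dport)):
            return action
    return "deny"  # default deny: nothing matched


def smb_paths(policy: List[Rule], hosts: List[str]) -> List[Tuple[str, str]]:
    """Every ordered (src, dst) pair for which SMB on TCP 445 is allowed."""
    return [(a, b) for a, b in permutations(hosts, 2)
            if evaluate(policy, a, b, 445) == "allow"]


# Constructed sample hosts, one or two per zone.
SAMPLE_HOSTS = ["10.10.1.5", "10.10.1.6", "10.20.1.10",
                "10.20.2.11", "10.30.1.1", "10.40.0.5"]

if __name__ == "__main__":
    for a, b in smb_paths(POLICY, SAMPLE_HOSTS):
        print(f"SMB allowed: {a} -> {b}")
```

The check reports only the intended admin path and the deliberately loose server-to-server rule; the latter is exactly the gap that micro-segmentation closes. A gateway model also says nothing about two hosts on the same subnet, because that traffic never reaches the gateway, which is why the host firewall recommended above still matters.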

The other approach is to have your existing or new firewall gateways offer Advanced Threat Protection (ATP), and endpoint agents offer advanced sandboxing and on-host defense capabilities. Check out https://www.checkpoint.com/products-solutions/zero-day-protection/ and https://www.checkpoint.com/products-solutions/threat-intelligence/

Hope this article helps you stay protected from nasty threats and conduct business as usual.


Posted by on July 1, 2017 in Cyber Security

I don’t ‘Wanna Cry’ – And that’s for a fact!

So, there's been a rant about the Windows vulnerability and unpatched systems being exploited by Wanna Decryptor. Well, some of that is supposedly the user's fault (why click on something when you're not sure what it is?) and some of it is the fault of the way the ransomware has been described in the wild. Why the latter, you may ask? Simply because there's been a lot of hoax and noise about what seems to be yet another ransomware attack, only this time it is related to a vulnerability that was already fixed, but only on systems where users had updated Windows.

Apart from the noise, here are some facts and findings pertinent to this specific ransomware.

The malware itself: the Wanna Decryptor (wncry) ransomware is reported to be based on a tool developed by the NSA to hack into computers. The NSA tool was used by a hacker group called the Shadow Brokers. The code is publicly available and can be found at https://github.com/RiskSense-Ops/MS17-010

Delivery: The malware is delivered as a Trojan through a loaded hyperlink that a victim can accidentally open in an email, an advert on a web page or a Dropbox link.

Activation and exploit: Once wncry is activated, the ransomware spreads through the computer and locks all the files. Once the files have been encrypted, wncry deletes the originals and delivers a ransom note in the form of a read-me file. It also changes the victim's desktop wallpaper to a message demanding payment to return the files.

The specifics: the wncry malware modifies files in the \Windows and \Windows\System32 directories and enumerates other users on the network to infect.

Mitigation: Use the latest AV definitions and personal/corporate firewalls, and don't click on anything that doesn't look right.
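Both posts on this page describe the same on-the-wire behaviour: one freshly infected machine opening SMB sessions to many other hosts on the network (Petya via EternalBlue, wncry by enumerating the network). As an added example (not from the original posts), the following Python detector reads constructed firewall flow-log lines and flags any source that reaches an unusual number of distinct peers on TCP 445 within a short window. The log format, the addresses, the 60-second window and the threshold of 10 peers are all assumptions made for this example; a denied connection counts as much as an allowed one, since a worm probing a blocked segment is still a signal.

```python
"""SMB fan-out detector over flow logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-like flow log: one connection attempt per line.
SAMPLE_LOG = "\n".join(
    # Normal: a workstation talking to the file server a few times.
    ["2017-06-27T10:00:%02d src=10.10.1.9 dst=10.20.1.10 dport=445 proto=tcp action=allow" % s
     for s in (1, 15, 40)]
    # Normal: a browser reaching many web hosts (many peers, but not SMB).
    + ["2017-06-27T10:00:%02d src=10.10.1.7 dst=10.30.2.%d dport=443 proto=tcp action=allow" % (s, s)
       for s in range(1, 15)]
    # Suspicious: one workstation opening SMB to a dozen neighbours in 12 s;
    # some attempts were denied by the segmentation policy, and still count.
    + ["2017-06-27T10:00:%02d src=10.10.1.5 dst=10.10.1.%d dport=445 proto=tcp action=%s"
       % (s, 20 + s, "allow" if s % 3 else "deny") for s in range(1, 13)]
)

# Assumed log format; adapt the pattern to the real firewall's export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_flows(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"], "action": m["action"],
        })
    return flows


def detect_smb_fanout(flows, window=timedelta(seconds=60), threshold=10):
    """Alert on any source contacting >= threshold distinct hosts on TCP 445
    inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 445:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        counts = defaultdict(int)   # dst -> occurrences inside the window
        left = 0
        best = (0, None, None)      # (distinct peers, window start, window end)
        for ts, dst in events:
            counts[dst] += 1
            # Slide the left edge forward until the window fits.
            while ts - events[left][0] > window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) > best[0]:
                best = (len(counts), events[left][0], ts)
        if best[0] >= threshold:
            alerts.append({"src": src, "distinct_peers": best[0],
                           "window_start": best[1], "window_end": best[2]})
    return alerts


if __name__ == "__main__":
    for a in detect_smb_fanout(parse_flows(SAMPLE_LOG)):
        print(f"ALERT {a['src']}: {a['distinct_peers']} SMB peers "
              f"between {a['window_start']:%H:%M:%S} and {a['window_end']:%H:%M:%S}")
```

Only the workstation that sprays SMB at its neighbours is reported; the file-server client repeats one peer and the browser's fan-out is on port 443, so neither trips the rule. Tune the threshold against a baseline of normal SMB peer counts before using it for alerting.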

Repercussion: a $300 ransom to be paid to decrypt your data.

Story from Microsoft: Microsoft has not disclosed how it came to know about the vulnerabilities included in the MS17-010 patch. Microsoft also has not disclosed any information about "in the wild" exploitation of these vulnerabilities. Either way, here's the location of the security update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Summarizing: this is a big outbreak, and getting to know the malware well before running into it serves you well. Patch your Windows machines and make sure the AV signatures are updated. And above all, don't click on anything unexpected or unaccounted for.

 

Posted by on May 15, 2017 in Security Posts