Following closely on the heels of WannaCry, a new ransomware variant known as Petya began sweeping across the globe, impacting a wide range of industries and organizations including critical infrastructure such as energy, banking, and transportation systems. FortiGuard Labs sees this as much more than a new version of ransomware. Rather it is representative of a new wave of multi-vector ransomware attacks that Fortinet is calling “ransomworm”, which takes advantage of multiple, timely exploits. In doing so, ransomworm is designed to move swiftly across multiple systems on its own, rather than staying in one place or requiring end user action.
And rather than focusing on a single organization, this type of attack uses a broad-brush approach that targets any device it can find with one or more of the target vulnerabilities to exploit. In this case, it appears that the attack can start with the distribution of an Excel document that exploits a known Microsoft Office vulnerability. However, because additional attack vectors were used (such as delivery via the Windows Management Instrumentation Command-line, WMIC), patching alone is inadequate to completely stop this ransomworm, which means that patching needs to be combined with good security tools and practices.
The Fortinet Security Fabric is providing comprehensive protection against the Petya ransomworm through several integrated and automated means, including automatic intrusion detection/prevention (IPS/IDS), malware protection (anti-virus), real-time analysis of suspicious code (FortiSandbox), and automated information sharing, among other measures.
As the patch for one of the exploited vulnerabilities was issued by Microsoft earlier this year, we advise organizations to update their systems immediately. Older legacy systems and critical infrastructure are particularly vulnerable to this attack. However, given the multiple attack vectors, further security measures are needed.
Our advice for organizations seeking to protect themselves from this malware includes:
- Back up your critical systems’ files, and keep that backup offline
- Ensure you have a ‘gold standard’ operating system disk and configuration, to allow you to reconstruct your desktop with confidence
- Check that your patches are current
- Don’t execute attachments from unknown sources
- Push out updated signatures and anti-virus definitions
- Use sandboxing on attachments
- Use behavior-based detections
- At firewalls, look for evidence of Command & Control
- Segment the network, to limit the spread of the malware and to keep backup data from being encrypted
- Ensure that Remote Desktop Protocol is turned off, and/or is properly authenticated, and otherwise limit its ability to move laterally.
- If affected, don’t pay the ransom
- Share the fact of infiltration with trusted organizations, to assist with overall community efforts to diagnose, contain, and remedy
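As an added example of checking the Remote Desktop advice above on a Windows host (not code from Fortinet or the original post), the following PowerShell audits whether RDP is disabled or, if enabled, requires Network Level Authentication, and lists the inbound firewall rules that admit it; it assumes the standard Terminal Server registry locations and must run as Administrator.

```powershell
# Added example, not part of the original advisory.
# Audit (and optionally remediate) a host's RDP posture: RDP should be off,
# or enabled only with Network Level Authentication (NLA) required.
param(
    [switch]$Remediate   # when set, disable RDP and require NLA
)

# Assumed standard registry locations for Terminal Services settings.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means inbound RDP connections are refused.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
           -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means NLA must succeed before a session is created.
$nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
           -ErrorAction SilentlyContinue).UserAuthentication

if ($denyTs -eq 1) {
    Write-Output 'RDP: disabled (fDenyTSConnections=1); matches the advice.'
} elseif ($nla -eq 1) {
    Write-Output 'RDP: enabled with NLA required; acceptable only if RDP is needed and reachable from trusted hosts.'
} else {
    Write-Warning 'RDP: enabled WITHOUT NLA; disable RDP or require NLA.'
    if ($Remediate) {
        # Disable RDP entirely and require NLA in case it is re-enabled later.
        Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 1
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
        Write-Output 'RDP: disabled and NLA required.'
    }
}

# Show which enabled inbound firewall rules admit RDP, so the exposure of
# this host to lateral movement over RDP can be reviewed per profile.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Profile, Action
```

Run without `-Remediate` first to review the current state; the firewall listing is informational and is not changed by the script.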