Advisory on Petya Ransomware Outbreak
On 27 Jun 2017, many organisations in US, Europe and Middle East were hit by the global spread of a ransomware inspired by WannaCry. Identified as Petya, it has been reported that this variant is more dangerous and intrusive as it can encrypt the Master File Tree (MFT) tables for NTFS partitions and overrides the Master Boot Record (MBR) with a custom bootloader to display a ransom note and prevents victims from booting up.
This version of Petya is reported to be spread via email spam with booby-trapped Office documents. The documents, once opened, will download and run the Petya installer and execute the SMB (Server Message Block) worm to spread to other computers. It exploits the similar SMB vulnerability that WannaCry did, and spreads rapidly across an organization once a computer is infected using the EternalBlue vulnerability in Microsoft Windows.
What should businesses do to stay secure?
Cyber Security Agency's SingCERT (Singapore Computer Emergency Response Team) has issued the following recommendations:
• All users and companies with systems listed below should ensure that their windows-based systems are fully patched. This includes the MS17-010 patch that resolves vulnerabilities in Microsoft Windows
- Windows 10
- Windows RT 8.1
- Windows 8.1
- Windows 7
- Windows XP
- Windows Vista
- Windows Server 2016
- Windows Server 2012 and Window Server 2012 R2
- Window Server 2008 and Windows Server 2008 R2
• Users should ensure that their anti-virus software is updated with the latest malware definitions.
• Users should perform file backups and store them offline in case they need to restore their systems following an attack.
What should businesses do if they are compromised by the ransomware?
Cyber Security Agency's SingCERT (Singapore Computer Emergency Response Team) has issued guidelines if systems are infected with ransomware:
- Remove the Network connection from your Computer. This could be done by removing your network cable or shutting down the wireless function on your computer. By doing so you are preventing the spread of this ransomware.
- Start rebuilding your effected computer, be it laptop or workstation.
- After you have rebuilt the infected workstation, patched it with the recommended patch and restore your system from the backup you have made.
For further advice, businesses can reach out to StarHub or SingCERT.
Best Practices for Cyber Security preparedness
Organisations should adopt a proactive approach towards cyber security rather than a reactive stance. As part of cyber security best practices, businesses need to take a 360 view of their holistic security architecture beyond a single point of protection. Some of the best practices to adopt include:
- Preparing and protecting against a breach by having on hand usable threat intelligence and actively managing vulnerabilities. A successful cyber security defence plan would include well trained security personnel to defend and detect intrusions from perimeter defence down to end-point to handle potential threats.
- A robust cyber security operations would encompass Network Security, Web Security, Cloud Security and End-Point (including mobile) Security.
- Organisations need to be able to respond and recover effectively by employing active defence strategies and actively managing security incidents. Basic hygiene such as patch management and backup are essential as well as having an incident response plan to handle everything from a zero-day vulnerability to a large-scale breach.
What can StarHub do to protect businesses against this attack in real-time?
For ransomware, StarHub’s Managed Endpoint Detection and Response (EDR) Solution, powered by enSilo's technology, can help to protect against WannaCry, EternalBlue exploit and advanced ransomware out-of-the-box through our in-depth inspection of operating system instructions.
EDR is a category of tools and solutions that focuses on detecting, investigating, and mitigating suspicious activities and issues on hosts and endpoints. This solution can spot and block the WannaCry attack since it was an unmapped executable (i.e., an unrecognized or disallowed file) - a floating file which is a violation of the operating system normal procedures.
StarHub’s Managed EDR solution protects against threat actors from exfiltrating your data and performs:
- Behavioural analysis of actions that post potential threat to data
- Real-time threat detection at OS-level
- Real-time retroactive review - down to source
- Frictionless security; continuing work even on compromise system
To learn more about how StarHub can help strengthen organisation’s security posture, or to know more about EDR protection against ransomware, please contact your account manager or call 1800 888 8888 or email firstname.lastname@example.org.