5 Things Partners Need To Know About The New Global Ransomware Outbreak
Another Month, Another Ransomware Attack
A second massive ransomware attack began Tuesday and continues to infect companies across the globe. The outbreak – which comes on the heels of the massive WannaCry outbreak last month – has caused many corporate operations to grind to a halt as machines across their network were infected by the malware, which prevents a machine from rebooting, encrypts user data and demands a $300 ransom to unlock machines. As partners look to protect their clients from this latest global outbreak, here's what they need to know about the attack targets, how the ransomware is spreading, and what can be done to prevent it.
Who Did It Hit?
The ransomware outbreak hit businesses in 64 countries, including Russia, Denmark, Spain, the United Kingdom and the United States. Ukraine was particularly hard hit, with reports of systems compromised at the country's central bank, state telecom, local metro, electricity supplier, and airport. In the U.S., businesses affected included hospitals, legal firm DLA Piper, and pharmaceutical giant Merck. The attack also hit global shipping container giant AP Moller-Maersk.
What Type Of Malware Is It?
Kaspersky Lab researchers initially said the malware appeared to be a variation of the Petya malware, but now says it is "not yet clear what exactly the new ransomware is." What is known, the researchers said, is that it leverages a modified EternalBlue exploit, which leverages the SMB transport protocol in Windows machines and was released as part of the Shadow Brokers dump of possible NSA exploit tools earlier this year. The malware is now going by several names on the Internet, including Petya, Petrwrap, NotPetya and exPetr, Kaspersky said.
How Does It Spread?
The malware targets companies with Microsoft Windows operating systems. Some reports say the initial vector for the attack was a update in the MeDoc software suite, used by many of the affected organizations. Kaspersky said the attack involves several attack vectors, including a modified EternalBlue exploit, the EternalRomance exploit that targets Windows XP to Windows 2008 systems, and an update mechanism of Ukrainian software company MeDoc.
How Is This Different From WannaCry?
While the current global ransomware outbreak has many similarities to the WannaCry attacks last month, it is also very different. Both attack outbreaks leveraged the EternalBlue exploit, though the more recent attacks also leveraged other exploit vectors. Alton Kizziah, vice president, global managed services, Kudelski Security, said this most recent attack appears to be "more professionally written" than WannaCry, using built-in Windows tools to move laterally within an environment upon infection and multiple attack vectors that makes it harder to prevent with a single patch. The new ransomware campaign also appears to spread differently in the network, leveraging a weakness in Windows' SMB (like WannaCry) as well as extracting credentials and the abuse of PsExec or Windows Management Instrumentation (WMI) for administer access to network.
What Steps Should You Take To Prevent?
Kudelski Security's Kizziah recommended starting with the basics, including making sure your basic cyber hygiene is intact, including knowing where your assets are, patching, and vulnerability scanning and management. Other researchers also added having anti-malware protections in place, making sure Windows and all third-party software is updated, backing up sensitive data offline, and enforcing with employees the importance of not running attachments from untrusted sources. They also suggested recommending users shut off machines as soon as the see signs of infection to prevent it from spreading. With this ransomware outbreak in particular, Kaspersky Lab said additional precautions could include checking all protection mechanisms are active, denying access to applications with "perfc.dat" and PSexec utility and blocking the execution of PSExec utility.
There have been some reports of a kill switch built into the malware, as there was with WannaCry, but these are not confirmed. The reports said the malware would not encrypt machines if it found a local file with its name already on the disk. The reports said users could create that read-only file on PCs to block the malware, though that does not appear to be a long-term solution.