As you’ve probably read in the news by now, another global ransomware attack surfaced around 8am EST yesterday. This attack is a variant of the Petya attack that occurred last year. Like WannaCry last month, it uses the SMB vulnerability in Windows through an exploit code-named “EternalBlue”, which was developed by the NSA, stolen and published by the Shadow Brokers hacker group, and which was patched by MS17-010 in May. The main differences between this event and WannaCry are:
- WannaCry only encrypted files. This attack encrypts entire hard drive contents.
- WannaCry only spread to unpatched machines via the SMB protocol. This attack also spreads using WMIC and PsExec, and can affect systems that have been patched with MS17-010.
The initial infections were in Europe, with a few in the US and Ukraine. However, as of this morning it has spread to the Asia-Pacific area and appears to be continuing its propagation.
Particularly vulnerable organizations include:
- Organizations without qualified IT staff
- Organizations without a centralized, monitored, and automatically updated antivirus/antimalware solution with a current subscription.
- Organizations without a current security subscription on their perimeter device.
- Organizations whose copies of Windows operating systems are pirated/unlicensed or expired (XP, 2003, etc.), and as such are unpatched.
- Organizations whose employees are not trained on security best practices, including safe web browsing and email practices.
Mitigating factors for NetWatch clients:
- The SonicWall CGSS has had signatures for Petya and its variants since March 2016. The April 2017 update included protection for the EternalBlue exploit. So SonicWall clients with a current CGSS subscription are protected from this exploit.
- Webroot antivirus protects against both the Petya attack and the EternalBlue exploit.
- The Datto BDR device has image-based backups both on the device and in the cloud. These backups are stored on segregated file systems to prevent them from becoming compromised in an attack.
What you can do:
- As always, do not open any attachment you receive from an unknown user. Even attachments from known users should not be opened unless you are expecting them.
- Examine all incoming email for suspicious patterns, including variations of sender name, address, signature, or format. Basically, be on the lookout for anything out of the ordinary.
- Practice safe web browsing. Avoid unknown/untrusted sites as much as possible. Avoid downloading files from the web whenever possible. Try to use secure browsing (URLs starting with “https”) whenever possible.
- Let us know if you see anything questionable or out of the ordinary. Better safe than sorry.
Feel free to forward to your team, or anyone you feel might benefit from this info.