In the wake of the major Petya ransomware outbreak, Trend Micro shares an approach for enterprises to tackle it
An increasing number of companies across Europe, Ukraine, Russia and the US are falling victim to another cyber attack, following the recent WannaCry ransomware outbreak. This large-scale attack is reported to be caused by a variant of the Petya ransomware and is currently hitting users worldwide. The ransomware uses both the EternalBlue exploit and the PsExec tool as infection vectors and is detected as RANSOM_PETYA.SMA by Trend Micro.

“Similar to WannaCry ransomware, the Petya ransomware exploits an SMB vulnerability, passing through the SMB protocol, and exploits a vulnerability which lies in the Microsoft operating system. To prevent the ransomware attack, firstly, companies should have proper segmentation of their network; most companies have a horizontal network and there is no proper segmentation of the network, because of which the exploitation spreads very fast. The critical network and servers should be properly segmented so that the penetration does not go beyond the segment of the network. The second thing is that companies must deploy a host-based intrusion firewall. They must enable firewall rules so that they can block traffic coming from unknown sources. They should also make sure they patch their systems immediately,” said Mr. Nilesh Jain, Country Manager (India and SAARC), Trend Micro.

He further added, “Companies who have been impacted should segment their infected areas from the rest of the network, so that it doesn’t propagate further. The problem is that these kinds of ransomware attacks keep on coming, and you cannot keep on patching the moment the attack comes in. Our advice to companies is to make sure that they have a proactive mechanism for protecting against the vulnerability, and to deploy Trend Micro Deep Security, which works in the same direction. Trend Micro also protects its customers against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen™ security. Also, our technical support representatives are constantly available to resolve customer queries, and we are conducting webinars to create awareness among companies and individuals.”

Trend Micro discovered that this Petya variant uses an advanced method to extract information from the infected system. Aside from the use of the EternalBlue exploit, there are other similarities to WannaCry. Like that attack, this Petya variant’s ransom process is relatively simple: it also uses a single hard-coded Bitcoin address, which means the attackers cannot tell from a payment alone which victim made it, making decryption a much more labor-intensive process on their part. To spread inside a network, Petya abuses legitimate Windows tools: PsExec and the Windows Management Instrumentation Command-line (WMIC), the command-line interface to Windows Management Instrumentation (WMI). Because these are signed, built-in administration tools, the lateral movement looks like ordinary remote administration unless administrator credentials and remote-execution traffic are tightly controlled.

Organizations can take the following steps to reduce the risk of infection by this Petya variant:

- Patch and update your systems, or consider a virtual patching solution.
- Enable your firewalls as well as intrusion detection and prevention systems.
- Proactively monitor and validate traffic going in and out of the network.
- Implement security mechanisms for other points of entry attackers can use, such as email and websites.
- Block inbound TCP port 445 (SMB) at host and network firewalls wherever file sharing is not required.
- Restrict accounts with administrator group access.
- Deploy application control to prevent suspicious files from executing, on top of behavior monitoring that can thwart unwanted modifications to the system.
- Employ data categorization and network segmentation to mitigate further exposure and damage to data.
- Disable SMBv1 on vulnerable machines, either through Group Policy (GPO) or by following the instructions provided by Microsoft.
- Ensure that all of the latest patches (if possible using a virtual patching solution) are applied to affected operating systems, especially the ones related to MS17-010.
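The host-level items of that checklist, condensed into one script as an added example that is not part of the article or of any Trend Micro product: it audits a single Windows host for SMBv1, an inbound TCP 445 block, the MS17-010 updates and local Administrators membership, and, when run with -Apply from an elevated session, disables SMBv1 and adds the port-445 block. The firewall rule name is an assumption, the KB list is deliberately partial, and the Smb*, NetFirewall and DISM cmdlets assume Windows 8.1 / Server 2012 R2 or later (Get-LocalGroupMember needs Windows 10 / Server 2016, so the script falls back to net localgroup on older hosts).

```powershell
<#
Added example (not Trend Micro tooling): audit one Windows host against the
Petya checklist and optionally enforce the SMBv1 and TCP 445 items.
Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.
Run without -Apply first to see findings only.
#>
param([switch]$Apply)

$findings = @()

# 1. SMBv1. Server side via the SMB server configuration; client and server
#    binaries via the SMB1Protocol optional feature (the GPO/Microsoft KB route
#    mentioned in the article ends up flipping the same switches).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Apply) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
    if ($Apply) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 2. TCP 445. An explicit inbound block at the host firewall. The rule name is an
#    assumption. Do not apply this on hosts that must serve SMB (file servers,
#    domain controllers); those rely on network segmentation instead.
$ruleName = 'Block inbound SMB TCP 445 (Petya mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += 'No host firewall rule blocks inbound TCP 445'
    if ($Apply) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}
# A block rule is useless if the firewall profile itself is off.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Windows Firewall profile '$($_.Name)' is disabled"
}

# 3. MS17-010. Partial list of the March 2017 security updates (Windows 7 / 8.1 /
#    Server 2012 / 2012 R2 / 2008 / Windows 10 1607). Later cumulative updates
#    supersede these, so "not found" means "verify manually", not "vulnerable".
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216',
           'KB4012214','KB4012217','KB4012598','KB4013429'
$installed = (Get-HotFix).HotFixID
if (-not ($ms17010 | Where-Object { $installed -contains $_ })) {
    $findings += 'None of the checked MS17-010 KBs is installed; verify the patch level manually'
}

# 4. Local Administrators. Every member is an account whose stolen credentials let
#    PsExec or WMIC execute on this host remotely, so the list should be short.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
} else {
    # Older hosts: parse the classic tool's output (header and footer lines dropped).
    $admins = net localgroup Administrators |
        Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }
}
$findings += "Local Administrators members: $($admins -join ', ')"

$findings | ForEach-Object { Write-Output $_ }
```

Running it without -Apply on a fleet (for example through a remoting loop) gives a quick inventory of which hosts still expose SMBv1 or port 445 and which have no evidence of the MS17-010 updates; the Administrators listing is the input for the "restrict accounts with administrator group access" item, which the script reports but does not change, since removing the wrong account is as disruptive as the malware.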