Petya Ransomware Attack
News is currently breaking about a new widespread Petya ransomware attack, striking large multinational companies across Europe, with Ukraine’s government, banks, state power utility and Kiev’s airport and metro system particularly badly affected. IT security experts commented below.
Ermis Sfakiyanudis, Cybersecurity Expert and CEO at Trivalent:
When Petya was first submitted to VirusTotal, only two vendors were able to detect it, leaving many systems defenceless if they are unpatched and rely on AV.
WPP, the advertising and branding firm, appears to have been completely compromised.
Chris Goettl, Manager, Product Management at Ivanti:
Several critical vulnerabilities with known exploits or proof-of-concept code should be prioritised. The SMB exploits (Eternal Blue and its relatives) addressed in Microsoft’s March Patch Tuesday update are only the beginning. These are reportedly the same vulnerabilities that the latest Petya variant employs. We shouldn’t rely on a kill switch to save the day, either.
In addition, two more updates for known vulnerabilities, released on June Patch Tuesday, warrant attention.
CVE-2017-8543 – A vulnerability in Windows Search could allow an attacker to take complete control of the system. It could also be exploited over the network without authentication through SMB. It was flagged as “Exploited” when Microsoft released the update on June Patch Tuesday.
CVE-2017-8464 – A vulnerability in Microsoft Windows could allow remote code execution if an LNK file is processed. An attacker could craft a shortcut icon that provides the same rights as the local user. It’s a perfect USB drop scenario.
Microsoft went a step further, given recent attacks, and released updates for XP, Vista, and 2003. The updates go as far back as MS08-067, which plugged the vulnerability Conficker used to infect more than 15 million machines back in 2008.
Make sure you have the latest cumulative Security updates for Windows 7 and Server 2008 R2 up through Windows 10 and Server 2016 in place. This covers the Eternal family of vulnerabilities and the two latest known exploited vulnerabilities.
If you’re using the Security Only bundle rather than the Monthly Cumulative Rollup, you’ll need the Security Only bundle from March, April, or May to fix the original SMBv1 vulnerabilities. The June Security Only bundle is also required to resolve the two most recent exploits, including the new SMB vulnerability. The following KBs should be installed depending on your operating system:
Windows 7\Server 2008 R2
March: KB4012212
April: KB4015546
May: KB4019263
June: KB4022722
Windows Server 2012
March: KB4012214
April: KB4015548
May: KB4019214
June: KB4022718
Windows 8.1\Server 2012 R2
March: KB4012213
April: KB4015547
May: KB4019213
June: KB4022717
For those of you still running Windows XP, Vista, 8, or Server 2003, we recommend you have all the Bulletins and KBs described in the document in place on your systems. All are publicly downloadable, even those released after end of life for each operating system.
Finally, if you haven’t yet, here are some additional security controls you should implement to defend against attacks like this:
Application control – Whitelisting can help you defend against untrusted payloads and is one of the most effective security measures to defend against ransomware. Patching plugs the holes attackers use to get onto a system, but in the case of zero days and fileless attacks, whitelisting can block the payload trying to execute.
Threat protection – Antivirus (AV) can’t be considered a first line of defense. In most cases, the latest attack could hit several systems before AV catches up to defend against it. Attacks like WannaCry and Petya can spread so quickly that AV can’t stop them before the damage is done. That said, AV is still a necessary layer of defense that can limit propagation and stop attacks in their tracks.
HIPS (host intrusion prevention system) – While often more difficult to tune, making them harder to implement, HIPS or IPS systems are a great line of defense against attacks such as this. The SMB exploits follow reference implementations a HIPS system could identify, report on, and shut down before the attack hits the system.
User education\training – With WannaCry and Petya, exploiting SMB was likely not the first entry point into environments. It was more likely user-targeted attacks (phishing, drive-by downloads, watering hole attacks, etc.), or possibly systems attackers already controlled using CnC infections they put in place earlier. From there the malware used the SMB vulnerabilities to spread rapidly. Any one entry point is enough, if you have not patched those vulnerabilities, so user awareness is important.
Backup and restore – With ransomware so commonplace, it’s even more important to have backup software at critical endpoints. With WannaCry, and so far with Petya, the number of ransoms paid was very small. Having a recent backup allows companies to re-provision and restore user data quickly to get back up and running.
Provisioning – Having a Unified Endpoint Management (UEM) solution seems like an operational issue: it enables the team to manage systems in a heterogenous environment. But there are Response capabilities in that UEM platform that are essential to combat cyber threats today. Any credible security practitioner will say that paying the ransom is a bad idea, and that having good backups and re-provisioning the system and restoring the data is the more efficient way to recover from a ransomware attack.
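The patch-level logic above (any one of the March, April or May Security Only bundles for MS17-010, plus the June bundle for CVE-2017-8543 and CVE-2017-8464) is easy to get wrong when checked by hand across a fleet. The following is an added example, not Ivanti’s code: it encodes the KB table quoted above and applies that rule to a host’s installed hotfix list. The `parse_hotfix_output` and `assess_security_only` names are this example’s own, and the `SAMPLE_QFE` text is constructed to resemble `wmic qfe` output rather than captured from a real host.

```python
import re

# KB table quoted in the text above (Security Only bundles, per OS family).
SECURITY_ONLY_KBS = {
    "Windows 7 / Server 2008 R2": {
        "March": "KB4012212", "April": "KB4015546",
        "May": "KB4019263", "June": "KB4022722",
    },
    "Windows Server 2012": {
        "March": "KB4012214", "April": "KB4015548",
        "May": "KB4019214", "June": "KB4022718",
    },
    "Windows 8.1 / Server 2012 R2": {
        "March": "KB4012213", "April": "KB4015547",
        "May": "KB4019213", "June": "KB4022717",
    },
}

KB_RE = re.compile(r"\bKB\d{6,7}\b", re.IGNORECASE)


def parse_hotfix_output(text):
    """Extract the set of KB identifiers from Get-HotFix / 'wmic qfe' style
    output. Only the KB tokens are used, so the column layout is irrelevant."""
    return {m.group(0).upper() for m in KB_RE.finditer(text)}


def assess_security_only(os_family, installed_kbs):
    """Apply the rule from the text: one of the March/April/May Security Only
    bundles closes the MS17-010 SMBv1 bugs (EternalBlue family); the June
    bundle is needed on top of that for CVE-2017-8543 and CVE-2017-8464.
    Returns (smbv1_patched, june_patched, list_of_actions)."""
    table = SECURITY_ONLY_KBS[os_family]
    have = {kb.upper() for kb in installed_kbs}
    smb_months = ("March", "April", "May")
    smbv1_patched = any(table[m] in have for m in smb_months)
    june_patched = table["June"] in have
    actions = []
    if not smbv1_patched:
        actions.append("install one of %s (MS17-010, SMBv1 / EternalBlue)"
                       % ", ".join(table[m] for m in smb_months))
    if not june_patched:
        actions.append("install %s (June: CVE-2017-8543, CVE-2017-8464)"
                       % table["June"])
    return smbv1_patched, june_patched, actions


# Constructed sample (not real output): a Windows 7 host that received the
# March Security Only bundle and nothing since.
SAMPLE_QFE = """\
Description      HotFixID   InstalledOn
Security Update  KB3177467  1/18/2017
Security Update  KB4012212  3/16/2017
Update           KB2952664  2/11/2017
"""

if __name__ == "__main__":
    kbs = parse_hotfix_output(SAMPLE_QFE)
    smb_ok, june_ok, todo = assess_security_only("Windows 7 / Server 2008 R2", kbs)
    print("SMBv1 patched:", smb_ok, "| June patched:", june_ok)
    for line in todo:
        print(" -", line)
```

On a real host the `SAMPLE_QFE` text would be replaced by the output of `wmic qfe list brief` or `Get-HotFix`; hosts on the Monthly Rollup track need only the latest cumulative rollup, so this check applies to the Security Only track the text describes.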
Gordon Mackay, EVP, Chief Technology Officer at Digital Defense:
Organizations who have not yet patched for the MS17-010 SMB vulnerability are vulnerable to EternalBlue and therefore to the Petya Ransomware outbreak. Organizations should continually assess their networks using a reputable Vulnerability Management scanning solution. They should also take mitigation actions, such as disabling Server Message Block (SMB) on affected systems.
Eldon Sprickerhoff, Founder and Chief Security Strategist at eSentire:
GoldenEye is a particularly virulent strain of the Petya ransomware that leverages the exploits associated with WannaCry. Like its predecessor, GoldenEye makes decryption very difficult. Businesses relying solely on anti-virus systems will be incapable of detecting GoldenEye.
Attacks like this will increase in frequency and sophistication, NCERT chief Bruce Eldon has warned. Businesses worldwide should treat this attack as an early warning, and ensure backups and system patches are up-to-date, and tested.
Philip Lieberman, President at Lieberman Software:
“In comparison to the United States, the quality and nature of cybersecurity in Europe is generally extremely poor. Government and industry are not cooperating as they are in the United States, and security investment is comparatively very low in comparison to here. At its core, Europe is a soft target for cyber attacks, and little has been done to prepare for or respond to such attacks. Because of cultural and financial decisions made in the last 20 years, both government and business have minimal information technology security infrastructure and preparation.”
Jonathan Sander, CTO at STEALTHbits Technologies:
“While Petya ransomware has infected businesses in Ukraine, the reasons are not novel. According to reports, this is a phishing attack that is infiltrating organisations and spreading via the same vulnerabilities used by WannaCry and even older malware.
It’s difficult to imagine that these organisations didn’t have some system administrator or security professional pleading for resources to fix these well-known and fully exploited issues.
We shouldn’t be surprised if business leaders experience cyber security heart failure if they ignore their security professionals’ advice to “eat right and exercise.”
Organizations will be victims of common attacks as long as basic security issues are not addressed.”
Amichai Shulman, Co-Founder and CTO at Imperva:
“At the end of the day, all ransomware is essentially the same.” Hackers use ransomware malware to make files inaccessible to users, disrupting operations. As long as the ransomware infection and effect are limited to end points, the damage to organisations should be minimal. This is crucial.
“Why are systems still unpatched after WannaCry?” some may wonder. Patching is meaningless when dealing with potentially self-replicating malware like Petya because every large network contains some unpatched devices. Instead of focusing on endpoints, organisations can reduce the impact of such incidents and avoid business disruption by protecting file servers (e.g., by deploying file firewall solutions).
Petya’s unmistakable attribution is one of its most intriguing characteristics. WannaCry demonstrated that rapidly replicating ransomware is not a viable financial model. This data backs up the argument that this malware is being driven by a nation state and is only meant to disrupt operations rather than monetize the ransom.”
Csaba Krasznay, Security Evangelist at Balabit:
“In this stage, incident management and real-time information flow are critical, based on the lessons learned from the WannaCry ransomware incident.”
Organizations must take precautions to avoid causing additional harm during these critical hours. Security personnel should collect all evidence for forensic examination. Keep track of all of their log messages and activities, for example, with session management solutions in case the system needs to be restored due to human error.
“The five typical stages of ransomware spread are:
* 1st step: Endpoint isolation: Infected endpoints must be isolated as soon as possible. Remove the power cable as soon as you notice the malware!
* 2nd step: Gathering information: what is it, how does it work, and how can you manage it? Are national CERTs made available? Examine the most effective platforms for information sharing: these are typically Twitter and security blogs, in addition to informal company communications.
* 3rd step: Filter the infected protocol from network traffic using network segmentation. It’s a difficult risk assessment decision: should you stop malware spread or keep business processes running?
* 4th step: When anti-virus vendors spread their signatures for Petya ransomware, use IOCs, update IDS and firewall rules, AV systems, servers, and as many clients and servers as possible.
* 5th step: Keep your fingers crossed: Keep an eye out for what’s next. Perhaps a future variant? Have all of the systems been patched? Is the company afraid to make headlines? Did they make a mistake in their haste? ”
Chris Fearon, Based in Belfast, Director of Security Research at Black Duck Software:
“In this stage, incident management and real-time information flow are critical, based on the lessons learned from the WannaCry ransomware incident.”
Organizations must take precautions to avoid causing additional harm during these critical hours. Security personnel should collect all evidence for forensic examination. Keep a record of all of their log messages and activities, for example, with session management solutions in case the system needs to be restored due to human error.
Ryan Wilk, Vice President, Customer Success at NuData Security:
“Last month, the malware problem grew.” A multi-layered approach, including employee education about unusual links, phishing emails, and social engineering concerns, is clearly required. Patches, routine backups, and impenetrable barriers to entry must all be kept up to date on an organisational level. Wanna Cry has most likely emboldened cybercriminals all over the world. Today’s Petrwrap exemplifies its ubiquity.”
Paul Fletcher, Cybersecurity Evangelist at Alert Logic:
“The malware problem grew last month.” A multi-layered approach that includes employee education about unusual links, phishing emails, and social engineering concerns is clearly required. Patches, routine backups, and impenetrable barriers to entry must all be kept up to date on an organisational level. The Wanna Cry attack is likely to have emboldened cybercriminals all over the world. Today’s Petrwrap exemplifies how widespread it is.
Rich Barger, Director of Security Research at Splunk:
- Ransomware attacks on nation states and Fortune 500 companies on a monthly basis have become the new normal.
- Petya is a ransomware strain that is the evil twin brother of WannaCry. The strain is extremely widespread, affecting nearly every country in Eastern Europe, and Petya is rapidly spreading into Western Europe.
- Russian banks claim that email phishing is the initial infection vector, but this has not been proven.
- The situation is currently very fluid, and many in the information security industry are only now beginning to assess the situation.
- Whether it’s Petya, WannaCry, or another strain, the repetitive nature of ransomware attacks requires security analysts to rethink their security strategies.
- At its core, ransomware is a data availability issue. If CISOs implement continuity of operations, they will encapsulate the problem that ransomware poses to their organisation.
Matthias Maier, Security Evangelist at Splunk:
- Many organisations that provide critical infrastructure are being impacted by this evolving attack.
- The sophistication and severity of ransomware attacks have reached new heights. The time has come when a cyber-attack can cause a total blackout and disrupt society’s lifeblood.
- Organizations affected by Petya need to react quickly and analyse the situation by looking deep into their infrastructure to check how they can stop the damage in their environment and bring their systems back. Then they need to examine what happened, how the threat got in and identify the weak point in order to fix it.
- The organisations who have a computer emergency and response team (CERT) in place and a platform where they can quickly investigate what happened will have an advantage and will soon be back online. For investigators, the hackers’ fingerprints and crucial evidence they are looking for will be found in the machine data of their digital infrastructure.”
Fraser Kyne, EMEA CTO at Bromium:
“It just goes to show that in security, lightning does strike twice, and businesses that fail to learn from the mistakes of others will pay the price.” Despite the fact that most businesses should have patched systems vulnerable to EternalBlue following WannaCry, hackers have wreaked havoc by tweaking an existing strain of malware and releasing it into the wild, bypassing most detection-based AntiVirus solutions. According to VirusTotal, at the time of writing, only 16 of 61 AV vendors had detected the ransomware.
“With new strains of malware emerging every second, organisations can no longer rely on a detection-based approach.” Instead, businesses should look for solutions that enable malware to run in a completely isolated, secure environment, eliminating the risk posed by malicious documents and zero-day exploits.”
Raj Samani, Head of Strategic Intelligence at McAfee LLC:
“McAfee has received numerous reports of modified Petya ransomware variants.” McAfee Labs is analysing these samples and providing advice to customers on how to address the threat in their environments.
“While this outbreak does not appear to be as widespread as WannaCry, the number of organisations affected is significant.” Based on the data we have right now, it appears to be using the same propagation method as WannaCry. Anyone running an operating system that has not been patched for the vulnerability exploited by WannaCry may be vulnerable to this attack.”
Gavin Millard, Technical Director at Tenable Network Security:
“The ransomware appears to be a new version of Petya with characteristics similar to WannaCry, using ETERNALBLUE to spread to other systems before encrypting files and demanding payment.” The inclusion of exploit code for another known vulnerability, CVE-2017-0199, affecting Microsoft Office, may be a significant difference between this outbreak and WannaCry.
If this attack uses the same vulnerabilities that WannaCry used to spread, or other known bugs for which patches have been available for months, there will be some awkward conversations between IT teams that failed to patch or protect and businesses affected. WannaCry has received far more attention than Heartbleed, and if it is the same attack vector, it demonstrates a distinct lack of taking threats like this seriously.”
Edgard Capdevielle, CEO at Nozomi Networks:
“The most recent attack, according to Ukrainian state power distributor Ukrenergo, targeted IT systems and had no effect on operational systems or industrial control systems”. Critical infrastructure providers worldwide should step up their efforts to ensure proper separation of their IT and OT networks. This is possible by employing advanced anomaly detection systems to detect and remediate any attempts to disrupt ICS operations.
Alan Levine, Former CISO and Current Security Advisor at Wombat Security Technologies:
The Petya attack vector included a primary variant of a simple email: A job application that looked like it came from Dropbox and included a forged Dropbox link. On the surface, this file appeared to be either a photograph of a young man posing as a job applicant – or an executable that displayed an applicant resume in a self-extracting PDF (of course, it was not really a PDF at all).
Dr Guy Bunker, SVP of Products at Clearswift:
Do not pay the ransom once you’ve been compromised and exposed to further attacks. Too often, cybercriminals take the money and then re-encrypt the systems a short time later. The most effective strategy to combat ransomware is to maintain all systems and applications up to date with security patches. Backups are critical since they guarantee that you will not be forced to pay if your data is encrypted.
Jonathan Levine, CTO at Intermedia:
Petya may be able to take advantage of the same weakness in Windows that WannaCry did earlier this year. Ransomware can infiltrate and shut down an entire business through one infected computer. Having a security plan in place that detects viruses in email attachments is now more important than ever.
Vyacheslav Zakorzhevsky, Head of Anti-Malware Team at Kaspersky Lab:
Kaspersky Lab analysts are investigating a new wave of ransomware attacks targeting businesses all over the world. According to our preliminary findings, it is not a variant of the Petya ransomware as previously reported, but rather a new ransomware.
Approximately 2,000 users have been attacked so far, according to the company’s telemetry data. Russia and Ukraine have been hit the hardest, but attacks have also occurred in Poland, Italy, Germany, and several other countries. The vector of attack is still unknown.
Phil Richards, CISO at Ivanti:
The Petwrap ransomware is based on an older Petya variant that originated with the GoldenEye malware in December 2016. This malware appears to have been designed to target Ukrainian infrastructure organisations such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports, and aircraft manufacturers. It demands a ransom payment of $300 USD in bitcoins.
The EternalBlue component allows it to spread throughout an organisation that lacks the necessary patches and antivirus/antimalware software.
This is an excellent example of two malware components collaborating to create more dangerous and resilient malware.”
Robert Lipovsky, Researcher at ESET:
“ESET researchers have begun investigating another massive global ransomware epidemic following the WannaCry and XData/AES-NI outbreaks today, early afternoon (CEST).
The ransomware appears to be a Petya variant. If it infects the MBR successfully, it will encrypt the entire drive. Otherwise, it encrypts all files, as Mischa did.
The outbreak appears to have started in Ukraine – Patient Zero – with more information to follow.
The outbreak appears to have started in Ukraine, affecting the financial, energy, and other areas. The extent of the harm to the energy industry is unknown, and there have been no reports of power disruptions, as was previously the case with the infamous Industroyer malware.”
…We have published a blog on WeLiveSecurity.com with additional information about this attack.”
Marco Cova, Senior Security Researcher at Lastline:
The Petya attack looks very similar in its dynamics and techniques to the WannaCry ransomware that caused large disruption just a few weeks ago. It seems to rely on the EternalBlue exploit to automatically spread from one machine to another. This shows that criminal groups are always ready to copy and improve on one another’s techniques once they see that something is effective.
Andrea Carcano, Co-Founder and Chief Product Officer at Nozomi Networks:
The vulnerability in SMBv1 is the same vulnerability that was used in last month’s WannaCry ransomware attack. Within ICS environments rapid patching can be difficult or impossible. Real-time detection enables operators to take immediate steps to remediate the operational impact.
Michael Patterson, CEO at Plixer:
“Petya is another example that ransomware attacks are on the rise. Rightfully so, they strike fear in IT professionals. They are particularly nasty in their ability to disrupt business and destroy company data. Organizations must have strong data back-up systems and processes in place and they need to have network traffic analytics to monitor for anomalous behavior. Once these ransomware attack profiles are identified, organizations can reduce the risk of infection and spread of infection by monitoring for any traffic fitting the profile, as well as monitoring for any connections out to command and control servers.”
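The “attack profile” worth monitoring for in flow data, given how this outbreak spreads, is one host opening SMB (TCP 445) connections to many distinct peers in a short window, plus any connection to a known command-and-control address. The following is an added example, not Plixer’s product logic: it runs both checks over a constructed list of flow records. The `SAMPLE_FLOWS` tuples, the `203.0.113.9` C2 address (a documentation-range IP) and the threshold values are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (src, dst, dport, unix_ts). Not real data.
# 10.1.1.20 fans out to eight hosts on 445 within a few seconds (worm-like);
# 10.1.1.30 talks to two file servers over half an hour (normal use);
# 10.1.1.40 makes one HTTPS connection to an address on a C2 list.
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.1.1.21", 445, 1000),
    ("10.1.1.20", "10.1.1.22", 445, 1001),
    ("10.1.1.20", "10.1.1.23", 445, 1001),
    ("10.1.1.20", "10.1.1.24", 445, 1002),
    ("10.1.1.20", "10.1.1.25", 445, 1003),
    ("10.1.1.20", "10.1.1.26", 445, 1003),
    ("10.1.1.20", "10.1.1.27", 445, 1004),
    ("10.1.1.20", "10.1.1.28", 445, 1005),
    ("10.1.1.30", "10.1.1.5", 445, 1000),
    ("10.1.1.30", "10.1.1.5", 445, 1300),
    ("10.1.1.30", "10.1.1.6", 445, 1600),
    ("10.1.1.40", "203.0.113.9", 443, 1010),
]

# Assumed C2 indicator list (documentation-range address, not a real IOC).
SAMPLE_C2_IPS = {"203.0.113.9"}


def max_fanout(flows, dport=445, window=60):
    """For each source, the largest number of distinct destinations it
    contacted on dport within any window of `window` seconds."""
    per_src = defaultdict(list)
    for src, dst, port, ts in flows:
        if port == dport:
            per_src[src].append((ts, dst))
    result = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            # distinct peers seen from this event until the window closes
            seen = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(seen))
        result[src] = best
    return result


def smb_scanners(flows, threshold=5, window=60):
    """Sources whose SMB fan-out within one window reaches the threshold."""
    fanout = max_fanout(flows, 445, window)
    return sorted(s for s, n in fanout.items() if n >= threshold)


def c2_contacts(flows, c2_ips):
    """(src, dst) pairs where the destination is on the C2 indicator list."""
    return sorted({(s, d) for s, d, _, _ in flows if d in c2_ips})


if __name__ == "__main__":
    print("SMB fan-out per source:", max_fanout(SAMPLE_FLOWS))
    print("Likely SMB scanners:", smb_scanners(SAMPLE_FLOWS))
    print("C2 contacts:", c2_contacts(SAMPLE_FLOWS, SAMPLE_C2_IPS))
```

The threshold and window are site-specific: a domain controller or backup server legitimately talks to many hosts on 445, so in practice those sources are allow-listed and the threshold is tuned against a baseline rather than fixed at five.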
Allan Liska, Intelligence Architect at Recorded Future:
“In terms of the EternalBlue exploit, the worm code appears to borrow heavily from WannaCry, including using the same EternalBlue exploit code to move around once inside the network.” Aside from the EternalBlue exploit, the new attack appears to use WMIC for lateral movement. WMIC (Windows Management Instrumentation Command-line) is a command-line tool for running system management commands on Windows.
Because the payload includes an information stealer, attackers may be able to scrape usernames and passwords from the victim machine and use those credentials to jump from one box to the next, even boxes patched against the Eternal Blue exploits.”
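The WMIC lateral movement and credential reuse described above leave a recognisable trail in Windows process-creation auditing (event 4688 with command-line logging enabled): on the source host, `wmic.exe` launched with `/node:` and `process call create`, often under a `/user:` that differs from the logged-on account; on the target host, the new process appears as a child of `WmiPrvSE.exe`. The following is an added example, not Recorded Future’s code: it applies those three checks to constructed, flattened event lines. The field layout, host names, account names and the `update.exe` path in `SAMPLE_EVENTS` are all assumptions made for the sample, not indicators from this outbreak.

```python
import re

KEYS = ("EventID", "Computer", "Account", "ParentProcessName",
        "NewProcessName", "CommandLine")
# Split a flattened event on whitespace that precedes one of the known keys,
# so a CommandLine value containing spaces stays intact.
FIELD_SPLIT = re.compile(r"\s+(?=(?:%s)=)" % "|".join(KEYS))
NODE_RE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)
USER_RE = re.compile(r'/user:"?([^"\s]+)"?', re.IGNORECASE)
CREATE_RE = re.compile(r"process\s+call\s+create", re.IGNORECASE)

# Constructed sample events (not real log text). The second line is the
# source side of a WMIC remote execution using another account's
# credentials; the third is the target side, where WmiPrvSE.exe spawns it.
SAMPLE_EVENTS = [
    r'EventID=4688 Computer=WS01 Account=CORP\jdoe '
    r'ParentProcessName=C:\Windows\explorer.exe '
    r'NewProcessName=C:\Windows\System32\notepad.exe CommandLine=notepad.exe',
    r'EventID=4688 Computer=WS01 Account=CORP\jdoe '
    r'ParentProcessName=C:\Users\jdoe\AppData\Local\Temp\update.exe '
    r'NewProcessName=C:\Windows\System32\wbem\WMIC.exe '
    r'CommandLine=wmic /node:"10.1.1.22" /user:"CORP\svc_backup" '
    r'/password:"Password1" process call create "C:\Windows\update.exe"',
    r'EventID=4688 Computer=WS02 Account=CORP\svc_backup '
    r'ParentProcessName=C:\Windows\System32\wbem\WmiPrvSE.exe '
    r'NewProcessName=C:\Windows\update.exe CommandLine=C:\Windows\update.exe',
]


def parse_event(line):
    """Turn 'Key=value Key=value ...' into a dict; values may contain spaces."""
    fields = {}
    for chunk in FIELD_SPLIT.split(line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    return fields


def detect_wmic_lateral(lines):
    """Return (computer, finding, detail, account) tuples for:
    - wmic.exe run with /node: and 'process call create' (remote execution),
      flagged separately when /user: names an account other than the caller;
    - any process whose parent is WmiPrvSE.exe (remote WMI on the target)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4688":
            continue
        proc = ev.get("NewProcessName", "").lower()
        parent = ev.get("ParentProcessName", "").lower()
        cmd = ev.get("CommandLine", "")
        account = ev.get("Account", "")
        node = NODE_RE.search(cmd)
        if proc.endswith("\\wmic.exe") and node and CREATE_RE.search(cmd):
            user = USER_RE.search(cmd)
            cred = user.group(1) if user else account
            kind = "wmic-remote-exec"
            if user and user.group(1).lower() != account.lower():
                kind = "wmic-remote-exec-with-other-creds"
            findings.append((ev.get("Computer"), kind, node.group(1), cred))
        elif parent.endswith("\\wmiprvse.exe"):
            findings.append((ev.get("Computer"), "spawned-by-wmiprvse",
                             proc, account))
    return findings


if __name__ == "__main__":
    for hit in detect_wmic_lateral(SAMPLE_EVENTS):
        print(hit)
```

Correlating the two sides (the `/node:` target on WS01 matching the host name or address of WS02, within seconds) is what turns two medium-confidence hits into a high-confidence lateral-movement alert; the credential mismatch is the signal that a harvested account is being replayed, which is exactly the path that reaches hosts already patched against EternalBlue.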
Graham Rymer, Research Associate at University of Cambridge:
“Unfortunately, these types of ransomware attacks are unavoidable; businesses and organisations should always have a plan in place for how to respond to these attacks quickly and efficiently in order to contain the situation.” Firms must take actions such as quickly switching all drives in the system to “read-only” following the attack, essentially preventing the malware from doing real damage.
“Malware detection based on signatures is only effective against known malware. On the first roll of the dice, the attacker will always win. However, as more information about the ransomware becomes available and shared with cyber security experts and businesses, they should be able to create a patch that protects against this specific attack.”
Tristan Liverpool, Director of Systems Engineering (UK&I) at F5 Networks:
Ransomware attacks are raising the stakes by targeting services that people rely on daily, such as healthcare, postal services, and transportation. The reported ransom demand of $300 to unlock the encrypted data appears low, but this will quickly escalate. There is no easy way to eliminate ransomware, but the source must be identified and remedied. More emphasis should be placed on application and data security.
Jean-Frederic Karcher, Head of Security at Maintel:
“This attack demonstrates the rise of ransomware.” Ransomware attacks have tripled from 1000 per day in 2015 to 4000 per day in 2017, with no signs of slowing down. It will be one of the top three malicious software threats to watch out for in the coming year, with ramifications across industries and society. Appropriate security measures, including threat detection, must be implemented to keep businesses, employees, and customers safe.
The spread of ransomware is directly related to its high monetary return on investment. With more valuable information readily available on the internet, hackers are using it to steal, lock out users, and then ransom back access – all with the goal of a large pay packet at the end.
The primary reason large corporations are targeted is that they have vast amounts of data at their disposal. Hackers can profit from large batches of this personal data on the black market.”
John Safa, Former Hacker, Security Expert and Founder at Pushfor:
“Cyber attacks will not go away.” We can’t rely on human behaviour to keep us safe from them. A single moment of human error can bring down a massive organisation, as the NHS demonstrated. Cyber security is as simple as one person opening one email. Because of the speed with which information now travels from person to person, anything can – and does – spread virally. You have no idea where it has gone or where it is likely to end up.
The issue stems from people sending infected content via email. The only guaranteed solution, such as a prophylactic, is to prevent the infection from spreading in the first place.
It’s time to reconsider how content is distributed. It is possible to share information without sending it (as with our patented technology). Keep information under the control of central corporate security, and it will not spread. Any infected content can be quarantined and pulled to halt its spread.
These massive security breaches are the result of human error. We must stop relying on humans to solve the problem. It isn’t working.”
Graeme Newman, Chief Innovation Officer at CFC Underwriting:
Petya appears to be a new breed of ransomware, causing havoc for businesses all over the world. Early indications suggest that it could cost organisations ten times as much as WannaCry. In terms of its global impact, we’re already seeing claims from the United States, and expect claims from other countries in the coming hours.
Terry Ray, Chief Product Strategist at Imperva:
Ransomware is quickly becoming one of the most profitable types of malware attacks in history. Cybercriminals have discovered how lucrative — and simple — it can be, especially against larger targets. There are several effective ways to defend against ransomware. Data breaches and ransomware attacks share a common meeting point, which is the location of data.
Itsik Mantin, director of security research at Imperva:
Cyber security is increasingly reliant on artificial intelligence and machine learning, according to cyber security experts at Kaspersky Labs. A properly programmed piece of AI software could perform the same preventative and analytical security measures as a member of the IT staff in a fraction of the time.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies:
“It is true that some battleships are still using old Windows versions. In contrast, the Royal Navy recently adopted a specialised version of Microsoft Windows 2000 (“Windows for Warships”) for its fleet. The US Navy, according to some reports, also uses customised and updated versions of Windows XP.
As a result, many ATMs and other industrial systems continue to use obsolete operating systems. When your operating system must deal with unusual hardware, special drivers must be developed. platforms such as Windows XP. This means it contains more security fixes than standard Windows XP because it is an updated version.
Ken Spinner, VP at Varonis:
This attack not only encrypts data for a ransom, but it also hijacks and renders computers inoperable. This type of cyberattack has far-reaching consequences, affecting everything from government to banks to transportation.
According to VirusTotal, only 11 out of 51 endpoint AntiVirus products can detect this strain of ransomware. “The most critical thing for businesses to do to avoid being attacked by WannaCry is to apply Microsoft’s SMB update,” security expert Bruce Schneier says. This includes safeguarding sensitive data, implementing a least privilege architecture, and monitoring file and user behaviour for indications of an attack.
Mike Ahmadi, Global Director of Critical Systems Security at Synopsys:
Ransomware attacks, according to security experts, are now a viable business model in which the risk is heavily skewed in favour of the attacker. Systems remain highly vulnerable globally, and fixes only serve to prolong an attack based on the next vulnerability.
We can expect larger and more sophisticated attacks if vulnerability management and system certification become legal requirements. As things currently stand, digging ourselves out of the nearly bottomless pit of vulnerable code that serves as our infrastructure will most likely take decades.
Peter Carlisle, VP of EMEA at Thales e-Security:
The Petya attack looks very similar in its dynamics and techniques to the WannaCry ransomware that caused large disruption just a few weeks ago. It seems to rely on the EternalBlue exploit to automatically spread from one machine to another. This shows that criminal groups are always ready to copy and improve on one another’s techniques once they see that something is effective.
Cyber security industry must collaborate closely with the government in order to protect organisations from these threats. More must be done to ensure that the international community works collaboratively to establish strong digital defences against the threats posed by hackers who disrupt our daily lives.
Lee Munson, Security Researcher at Comparitech.com:
The discovery of a kill switch and the relatively minor damage done was extremely fortunate, but it should have painted a vivid picture of what could have happened. Financial institutions are typically among the most secure types of business. Petya highlights how staff awareness may still be an issue.
Dan Panesar, VP EMEA at Certes Networks:
“As with the recent WannaCry hack, the truly concerning aspect of the latest cyber-attack, which has brought down IT systems around the world, is its sheer scale.”
“It shows that hackers have complete control of a company’s network once its outer defences are breached.” As a result, there is widespread chaos, with serious consequences for businesses and their customers.
“It highlights the need for a genuine shift in the cyber security mindset.” It is no longer enough to construct cyber barriers and hope that they are not breached. In reality, hackers can and will find a way around. Instead, the security industry must concentrate on containing threats once they have infiltrated the network. They can use cryptographic segmentation to limit the impact and ensure that it does not affect the entire company.
Chris Wysopal, Co-Founder and CTO at Veracode:
“The Petya ransomware appears to be spreading using the EternalBlue exploit, similar to WannaCry.” Because the WannaCry kill switch worked, the pain subsided, and many organisations did not finish patching their Windows.
This appears to be affecting large industrial companies such as Maersk shipping and Rosneft oil. Because so many systems cannot be down, these organisations typically have difficulty patching all of their machines. Airports face the same problem.
When Petya was first reported to VirusTotal, only two vendors recognised it, leaving many machines defenceless if they are unpatched and rely on AV.
The WPP website appears to be completely hijacked.
“All systems, including the website, are down.”
Bryan Singer, Director Security Services at IOActive:
Bruce Schneier, a cybersecurity expert, believes we have entered the age of the Industrial Control System (ICS) attack. He claims that, “that can’t happen to us,” and that this will serve as a true wake-up call.
Mark McArdle, CTO at eSentire:
“Finding irrefutable evidence linking an attacker to an attack is nearly impossible, so everything boils down to assumptions and judgment,” Gartner says. “Having visibility into unusual activities going on in a company’s network has never been more important,” they say.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.