Only six weeks after WannaCry, a similar type of ransomware has hit organizations and spread globally. Petya has mostly affected companies in Ukraine, but has also struck organizations in 64 other countries, including major companies in the U.S., such as Merck & Co and Mars, Inc. Experts are still working to understand Petya and its mechanisms of action, and no kill switch has been discovered yet. However, there are a few basic precautions announced by our partner Radware that your company or organization should take at a minimum to stop the spread of ransomware and other viruses.
1. Do not pay a ransom!
Whatever you do, don’t pay the ransom. The ransom demanded by Petya is $300 in bitcoin. It has been confirmed that the contact email address provided for confirming ransom payments has been shut down, so there is no way to communicate with the attackers in an attempt to recover encrypted files. Furthermore, experts now say the real aim of Petya was likely to interrupt business and wreak havoc, not extortion. Read more about why you shouldn’t pay a ransom in our blog post, “Ransomware & Ransom DoS: 4 Reasons You Shouldn’t Pay.”
2. Use backups for quick restoration.
Back up your critical data often to a separate system in a separate location so that corrupted files can be restored as quickly as possible. It’s also a good idea to take volume-level snapshots often and retain them for longer periods of time. Read about Managed Backup for more information.
3. Apply Microsoft security bulletin MS17-010.
This critical security update for Microsoft Windows SMB server was published on March 14. According to Microsoft, the update “resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.”
4. Update AV and IPS malware signatures.
Follow best practices and make sure your anti-virus (AV) and Intrusion Prevention System (IPS) signatures are current and set to auto-update. For IDS/IPS devices to be effective, they must be updated with the latest threats. Monitoring these devices and keeping them current can be burdensome for in-house staff who have other responsibilities. If this is the case, contracting IDS/IPS as a managed service is the best course of action.
5. Block port 445 for external communication.
A significant number of bots and worms use port 445 to scan and exploit other systems. The United States Computer Emergency Readiness Team (US-CERT) recommends blocking “all versions of Server Message Block (SMB) at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.” This would have prevented WannaCry from spreading and closes one known way that Petya penetrates a network.
6. Implement private VLANs.
A private VLAN, also known as port isolation, is a switch configuration in which internal traffic flows only between endpoints and servers (and back), not directly between endpoints.
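As an added illustration of items 5 and 6 (not part of Radware’s advisory), the script below runs over a constructed flow log and flags two things a defender would want to see: SMB/NetBIOS flows crossing the network boundary that the US-CERT block should have dropped, and an internal host fanning out to many peers on TCP 445, the endpoint-to-endpoint traffic a private VLAN prevents. It assumes RFC 1918 ranges define “inside” and a simple space-separated log format.

```python
import ipaddress
from collections import defaultdict

# SMB and NetBIOS ports that US-CERT recommends blocking at the boundary.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}
# Assumption: RFC 1918 address space is the "inside" of the network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log, one flow per line: time src dst proto dport
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.1.2.15 10.1.2.10 tcp 445
2017-06-27T10:00:02 10.1.2.15 203.0.113.7 tcp 445
2017-06-27T10:00:03 10.1.2.15 198.51.100.9 udp 137
2017-06-27T10:00:04 10.1.2.15 10.1.2.11 tcp 445
2017-06-27T10:00:05 10.1.2.15 10.1.2.12 tcp 445
2017-06-27T10:00:06 10.1.2.15 10.1.2.13 tcp 445
2017-06-27T10:00:07 10.1.2.20 10.1.2.10 tcp 443
2017-06-27T10:00:08 10.1.2.20 203.0.113.7 tcp 443
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse log lines into (time, src, dst, proto, dport) tuples; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        flows.append((ts, src, dst, proto.lower(), int(dport)))
    return flows

def boundary_smb_flows(flows):
    """SMB/NetBIOS flows between an internal and an external host: these should
    never appear if TCP 445/139 and UDP 137-138 are blocked at the boundary."""
    return [f for f in flows
            if (f[3], f[4]) in SMB_PORTS and is_internal(f[1]) != is_internal(f[2])]

def smb_fanout(flows, threshold=3):
    """Internal sources reaching >= threshold distinct internal hosts on TCP 445,
    the endpoint-to-endpoint pattern a private VLAN (port isolation) blocks."""
    targets = defaultdict(set)
    for ts, src, dst, proto, dport in flows:
        if (proto, dport) == ("tcp", 445) and is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("boundary SMB flows:", boundary_smb_flows(flows))
    print("internal 445 fan-out:", smb_fanout(flows))
```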
Is your team too busy to properly assess your network for vulnerabilities? Contact us for a network assessment.
*Source: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/petya-petrwrap/