With news of WannaCry in the distant past, a new cyber attack, Petya, has invaded systems across the globe. Petya has officials questioning whether the attack’s true intention was to generate money via extortion, or whether it was actually aimed at harming key businesses, specifically those based in Ukraine.
The virus began in Russia and Ukraine last Tuesday, then spread to Asia and subsequently to over 60 countries across the globe. Petya also hit hard in the United States, with reports of major outages still ongoing on July 1 in some major corporations nationwide. According to Craig Williams, senior technical leader and manager of Cisco Talos, the industry-leading threat intelligence organization dedicated to providing protection against cybersecurity attacks, Petya is “significantly worse, significantly more virulent” than its cousin WannaCry. Talos has identified Petya as a malware variant of the attack that occurred in March 2016 and, because of its differences from the original March attack, is dubbing this version “Nyetya.”
This attack is so different from previous ones that cybersecurity researchers have determined it is not even ransomware, but rather a piece of “wiperware” designed to wipe data from infected systems. So, what’s next for businesses concerned about Petya? While no one can ever truly predict when an attack will occur, Talos recommends the following steps for organizations looking to protect IT resources from similar future attacks:
- First and foremost, customers who have not yet applied MS17-010 need to do so immediately. Given the severity of the vulnerability and the widely available tools that exploit it, leaving this vulnerability unpatched is unwise.
- Ensure you have anti-malware software deployed on your systems that can detect and block the execution of known malicious executables.
- Implement a disaster recovery plan that includes backing up and restoring data from backup devices kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying a ransom.
- Disable SMBv1, if possible, on networks and move to a more updated version of SMB. (SMBv2 was introduced with Windows Vista.)
- Organize your networks in a number of well-defined logical segments, and restrict access to the assets in each segment to the users and systems that need it. Limiting access to network assets only to those users and systems within a segment may help with containing outbreaks of self-spreading worms such as Nyetya.
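As an added example (not from the Talos advisory or this post), a PowerShell audit of a single Windows host against the first and fourth recommendations above: it checks whether an MS17-010 update is installed and whether SMBv1 is still enabled server-side, and can optionally disable SMBv1. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, and the KB list is an illustrative assumption, since MS17-010 shipped under a different KB number for each OS build.

```powershell
<#
  Added example, not code from Talos or Comstor. Audits one host for the
  MS17-010 patch and SMBv1 exposure. Requires an elevated session on
  Windows 8.1 / Server 2012 R2 or later (Get-SmbServerConfiguration is
  not available on Windows 7). The default KB list is an assumption for
  illustration (Windows 7 / Server 2008 R2 March 2017 updates); take the
  identifiers for your builds from the MS17-010 bulletin.
#>
param(
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215'),
    [switch]$DisableSmb1
)

# 1. MS17-010: any listed KB present means the SMBv1 fix is installed.
#    Later cumulative updates supersede these KBs, so a miss here is a
#    prompt to verify, not proof the host is unpatched.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
if ($patched.Count -gt 0) {
    Write-Host "MS17-010: installed ($($patched -join ', '))"
} else {
    Write-Warning "MS17-010: none of [$($Ms17010Kbs -join ', ')] found; check for a later cumulative update before treating this host as patched"
}

# 2. SMBv1 server-side state. Nyetya spreads over SMB, so an enabled
#    SMBv1 listener on an unpatched host is the combination to remove.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1: ENABLED on the server side"
    if ($DisableSmb1) {
        # Clients that only speak SMBv1 (old printers, NAS firmware) will
        # stop connecting after this; inventory them first.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1: now disabled"
    }
} else {
    Write-Host "SMBv1: disabled"
}

# 3. Make sure SMBv2+ stays on so file sharing survives the change.
if (-not $smb.EnableSMB2Protocol) {
    Write-Warning "SMBv2 is disabled; enable it before removing SMBv1"
}
```

Run it read-only first across a sample of hosts, then rerun with `-DisableSmb1` once any SMBv1-only devices have been identified.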
To learn more about Nyetya, please access the webinar recording of Martin Lee, technical lead on Cisco’s Talos threat research team.
The Comstor Security Initiative (CSI) program can help to ensure you’re prepared for these types of attacks. Contact the CSI team today at 303-222-4887 or firstname.lastname@example.org to find out more.