Victims of the latest ransomware attack posted photos like this across social media.
For the second time in as many months, hackers today are unleashing a massive multinational ransomware attack that has crippled a host of networks across the western hemisphere. The attack appears to have begun sometime Monday, with the hardest-hit targets comprising Ukrainian infrastructure, including power companies, airports, banks, state-run television stations, postal facilities and large industrial manufacturers.
Also affected were foreign operations of U.S. pharmaceutical firm Merck, advertising conglomerate WPP, French building materials vendor Saint-Gobain, Danish shipping giant AP Moller-Maersk and Pittsburgh, Penn.-based Heritage Valley Health Systems. The as-yet-unidentified hackers appear to be demanding payments of $300 (USD), and as of midday on the east coast of North America, the attack was said to still be spreading.
“The ransomware, called Petwrap, is based on an older Petya variant, originating from the GoldenEye malware in December 2016,” Phil Richards, chief information security officer for IT services firm Ivanti – formerly LANDESK – said in a statement. The new ransomware variant also includes the SMB exploit known as EternalBlue that was created by the United States National Security Administration, and leaked by the Shadow Brokers hacker group in April 2017.
“The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record,” he added. The EternalBlue component enables it to proliferate through an organization that doesn’t have the correct patches or antivirus/antimalware software.
This is a great example of two malware components coming together to generate more pernicious and resilient malware. Early last month, a similar ransomware campaign, also using the EternalBlue exploit purportedly stolen from the NSA’s cyber weapons toolkit, resulted in more than 200,000 attacks across 150 countries.
That attack, dubbed WannaCry, also involved demands for $300 in bitcoin digital currency.
“This is the same EternalBlue exploit that WannaCry used,” said Allan Liska, a cyber security analyst at threat intelligence software vendor Recorded Future. “It also has a secondary capability: There’s an information stealer that is bundled in this attack.”
“In addition to doing the ransomware, it’s also stealing credentials,” he went on. “If it can’t use the EternalBlue, it’s taking the stolen credentials from that box and jumping to another box in the network to try to copy the ransomware over that way.” Liska, co-author of the November 2016 book Ransomware: Defending Against Digital Extortion, said the new attack reflects a series of sophisticated improvements to the malware used last time.
“Last month was just the EternalBlue,” he said. “This is the attack where all the security experts last time were saying ‘good thing they didn’t do that.’”
“This is the stuff that WannaCry left off,” Liska continued. “It’s added additional capabilities and made it much easier to spread around networks, even those that are fully patched.” Still, for IT managed services providers (MSPs), protecting clients largely boils down to a thorough and consistent patching regimen and user education.
Also, Liska recommends locking down systems to prevent the running of administrative commands from too many workstations.
“Those should be locally locked down,” he said. “As an MSP, that’s where you can help their customers architect their networks to be more secure.”
“We need to start teaching system admins that if you need to run those commands, do them from your desktop and target the workstations that you’re troubleshooting.”
As with WannaCry, Liska expects this attack to diminish in scope and intensity during the coming days, with only occasional flare-ups of the malware popping up from time to time.
“That’s the problem with the worm,” he said. “We’re still seeing WannaCry running around, but we’re seeing less and less of that. That’s what I think will happen here.”
Send tips and news to .
Cyber security software vendor Symantec today emerged as the only known western technology company to publicly refuse Russian government access to source code for its security products. IBM, Cisco, Germany’s SAP, Hewlett Packard Enterprise and McAfee are among the firms that allowed Russia to conduct source code reviews of products, including firewalls, anti-virus applications and other encrypted software, according to a new investigative report from Reuters. The reviews, intended to protect Russia against cyber espionage, are conducted by the country’s Federal Service for Technical and Export Control (FSTEC) and the Federal Security Service (FSB), successor to the KGB and the agency blamed for attacking the 2016 U.S. Presidential election.
Such code reviews are aimed at protecting the country from cyber espionage.
But those inspections also provide the Russians an opportunity to find vulnerabilities in the products’ source code, Reuters reported, citing current and former U.S. officials and security experts. As IT services providers sell and employ increasingly sophisticated solutions to combat an expanding array of cyber security threats, this report suggests those efforts could be at least somewhat undermined by software vendors’ desire to cash in on substantial revenue opportunities in Russia. The Russian IT market is projected to be worth $18.4 billion in 2017.
In a stark break with its peers, Symantec officials said the company has refused to submit to the reviews and acknowledged they’re prepared to absorb the impact to their top line.
“In the case of Russia, we decided the protection of our customer base through the deployment of uncompromised security products was more important than pursuing an increase in market share in Russia,” spokeswoman Kirsten Batch is quoted as saying. Code inspections are performed by independent software firms, some with ties to Russian military intelligence or defense agencies, the investigation found. One such company, Echelon, is used by IBM.
But Symantec officials decided the lab “didn’t meet our bar” for independence. The company refused to allow the review, thus disqualifying it from selling business products in Russia.
“It poses a risk to the integrity of our products that we are not willing to accept,” Batch, the Symantec spokeswoman, told Reuters. There’s a discrepancy about where the source code reviews are conducted, with the tech companies saying they conduct the reviews in safe rooms at their own facilities, where nothing can be copied or exfiltrated.
But in at least one case, that of IBM, the FSTEC posted documents claiming the testing was done at a firm located 20 miles outside of Moscow.
The article noted there is no evidence that the software code reviews have resulted in an actual hack, and that other nations, including China and the U.S., also conduct source code inspections for some products.
Question: We get this question frequently. Assuming a ransomware attack makes it through any protection in place, what are the best options for early notification of the encryption activity?
Answer: Today, cyberattacks are so frequent and sophisticated that endpoint defenses without access to broad, instant, and actionable security intelligence simply aren’t good enough.
Ransomware authors are pivoting their attacks from individuals to government agencies and health care institutions, creating serious threats to public safety.
Historically, crypto ransomware targeted individuals and encrypted their personal data and files as a small-scale extortion scheme. However, as the recent WannaCry attack proves, cybercriminals now indiscriminately target businesses and government agencies with the goal of large financial gains, and this can cause much more widespread disruption. Without intelligent next-generation endpoint defenses in place, organizations are at risk of getting more regular infections and remaining ignorant of a potential breach until it’s too late.
Once your system is infected with ransomware, your options are very limited: pay or don’t pay. And trust us, you’ll know if you’re hit with ransomware. It is designed to launch immediately.
To avoid having to choose between these options, organizations must perform regularly scheduled backups of all important data, and have the backup drive stored off-network when not in use. Depending on the type of ransomware, there may be other actionable steps organizations can take, but of course, preventing it from occurring in the first place should be top of mind for any organization. In today’s threat landscape, effective endpoint ransomware prevention requires continuous monitoring of every individual endpoint and an immediate response to anything new or unexpected occurring on any device.
Infection dwell times of days, weeks, or months are unacceptable, as are forensics and audits that can detail the kill chain but are unable to break it. The goal of all endpoint security is to mitigate attacks. However, understanding one set of attack vectors will no longer let you stop the next attack.
Threats and attacks are too variable, polymorphic, and unpredictable.
Proactive mitigation, real-time visibility, and an immediate response are the only real defenses.
Ask a Security Expert is an occasional feature.