Cyber security training

NotPetya: Even if you weren’t compromised, things to consider


Richard Beck | 28 June 2017

Yesterday saw another global Ransomware attack hit the headlines. Named NotPetya, within the security community, due to this sophisticated malware masquerading as an existing Ransomware variant (Petya) from 2016. Behaving like most Ransomware attacks and initially considered a new strain of WannaCry, by those hasty for headlines, due to the combination of previously used (and patched) exploits within its payload.

Financial reward is not the primary goal associated with this attack. In reality, this was a destructive malware attack, launched in Ukraine via multiple attack vectors (a compromised software update and the low cost Phishing emails) with sophisticated deniability i.e. behaving like Ransomware. We know that the cryptocurrency Bitcoin demand for $300 and the single wallet and email payment mechanism was much less sophisticated than the typical ‘ransomware as a service’ created and distributed by organised cyber-crimes groups.

Like most destructive attacks over the last few years, the soft target is the Master Boot Record (MBR), a small file vital for booting your Windows operating system. The NotPetya payload exploits the MBR to encrypt the Master File Table after 1hr on the host machine. This process is disguised as a CHKDISK routine, only up to this point (prior to the reboot) are your files are recoverable! During the 1hr time bomb this malware will move laterally across your network via legacy network protocol taking advantage of an old exploit, unless patched. It can also spread via a Windows administration function PsExec to default admin$ shares, even on patched machines, stealing local admin credentials.

Things to consider; it’s highly likely that further combinations of destructive malware notwithstanding ransomware variants will utilise this modus operandi in the future.

NotPetya specific,

  • Create a file call perc in the C:\Windows folder and make it read only
  • Protect your Mast Boot Record (MBR) with an Open Source MBR filter from Cisco Security
  • Sure you are not infected, look for two rundll32.exe files running on your machine
  • Consider preventing your machines from rebooting following a system crash
  • Apply the Windows patch released on the 14th March (this will not help those machines already compromised)
  • Prevent this type of malware from communicating on your network, block inbound traffic on SMB (ports 139, 445).
  • Consider disabling PowerShell
  • Review the need for local privileges admin accounts for peer-to-peer infection vectors

Best practice guidance:

  • Review your backup strategy, back up your data and key platforms regularly. If you become a ransomware victim, restore your files from a backup instead of paying the ransom
  • Test your backup process. Practice recovery of backups and enterprise data centric platforms, which are at high risk to you
  • Install patches and updates immediately, subject to your patch testing processes. Many victims of ransomware are using outdated or unprotected operating systems
  • Install strong anti-virus and anti-malware software and keep it updated with the latest virus and malware definitions
  • Educate your staff about Cyber hygiene and Phishing awareness, they will be the gateway for a future cyber-attack on your business
  • Take care when clicking links in emails
  • Exercise extreme caution when opening any email attachment. Think before you click!
  • Take an extra moment to check unexpected emails you receive — even from trusted sources.

Related blogs

NHS Cyber attack

What should you be doing to protect yourself against WannaCry Ransomware?

10 practical Cyber security tips for your business

To catch a phish

How secure is your password?

Protecting your online footprint

Who is responsible for Information Security?

 

Richard Beck

Director of Cyber Security

Richard Beck (CISSP, CISM, CISA) is Director of Cyber Security at QA, responsible for the entire Cyber Security portfolio across the four QA divisions. He works with customers to build effective and successful security training solutions tailored for business needs. Richard has over 15 years' experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for four years at Arqiva, who underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts at CPP, GEC, Pearson and the Royal Air Force. Richard sits on a number of security advisory panels including IBM, BCS and EC-Council and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). Richard is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security. Providing a unique perspective on the world of cyber security to teachers and encourage young people to consider a career in cyber security.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.