As more information emerges from the latest ransomware attack, here is the latest update.
Is this one scary?
On the surface, yes, but only time will tell how far and how badly it spreads. Where Wannacry contained bugs and relied on poorly patched systems NotPetya seems like a weaponised version of the attack and contains some sophisticated methods. The scary thing is it only takes one poorly protected system for it to get in, once in it can utilise sysadmin tools to spread itself through the network with ruthless efficiency @hackingdave reported one organisation saw it infect 5,000 systems in 10 minutes.
Not only is it efficient but its payload is much worse, Wannacry encrypted your files but you still had access to the machine so you could unlock them with help. NotPetya encrypts the whole drive which means you won't be able to start the machine. Whilst Wannacry infected machines running older versions of Windows once NotPetya is in the network, it can affect machines running any version. Currently once you have been successfully attacked the only way to recover is from a backup.
This morning our security team released an Advisory with the following:
Overview
The ransomware has reportedly been delivered via an infected software patch from a Ukrainian tax software package. The exact method used globally has not yet been identified, however it is suspected that it is being spread via email through malicious attachments such as Word and Excel files. The attack is a modified version of the May outbreak of WannaCry and uses the same attack vectors and vulnerabilities in SMBv1 for initial infection.
It is recommended that all users follow the information outlined below to ensure that their systems do not fall privy to this attack.
This attack also requires a restart of the infected host before files are encrypted. It is recommended that any user who sees the below screens immediately shuts down their computer and contacts their IT professionals.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
> CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147
> CVSS v2 Score: 9.3 High
> CVSS v3 Score: 8.1 High
Resolution
> Microsoft has released a security patch as of March 14th 2017 addressing this vulnerability. Ensure all servers and endpoints have received up-to-date security patches.
> Microsoft has released a security patch as of March 14th 2017 addressing this vulnerability. Ensure that all servers and endpoints have received up-to-date security patches.
> Latest Microsoft security updates can be accessed here: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Disable SMBv1 via group policy by following the steps outlined in the following Microsoft link: https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
> Audit usage to ensure no services are currently using SMBv1: https://blogs.technet.microsoft.com/ralphkyttle/2017/05/13/smb1-audit-active-usage-using-message-analyzer
> Ensure all backups are up-to-date
> Should you be infected, do not pay the ransom as it will not unencrypt the file: the email address has been shut down so noone can receive the key to unencrypt.
-- end of Advisory --
What to do if you have been attacked?
If you know or suspect you have been infected the first call of action is to shutdown that machine and any connected machines and then contact a trusted source for advice. Due to NotPetya's speed of attack this has already been seen with several global companies taking the drastic approach of shutting down all Windows machines once a breach has been detected.
Is this the end of times?
Attacks like this are scary and they have major impacts to affected companies the simple fact remains that good hygiene can protect you. Regular patching across ALL your machines, good security practices and frequent backups are all a solid defence.
