Indian organizations must take specific steps to help mitigate the latest global ransomware outbreak, security experts warn.
The malware, known as "NotPetya" - aka SortaPetya, Petna, ExPetr, GoldenEye and Nyetya - includes some components of previously seen ransomware called Petya (see: Massive Malware Outbreak: More Clever Than WannaCry).
Indian security experts continue to urge more firms to improve their network hygiene and begin monitoring their networks for signs of intrusion and to spot signs of lateral movement.
"Given [that] a similar attack had the security community scrambling just months ago, this attack should fall in the realm of 'problems we've seen before,'" says Sahir Hidayatullah, CEO and co-founder at Mumbai-based security firm Smokescreen.
But that does not mean Indian organizations are prepared. Indeed, Indian security experts continue to urge more firms to improve their network hygiene and begin monitoring their networks for signs of intrusion and to spot signs of lateral movement. Too many organizations also fail to rapidly apply security updates.
Here's yet more evidence: Multiple Asian organizations have fallen victim to NotPetya, and many more remain at risk (see: Global Malware Attack: The Impact in India, Asia).
"If practitioners keep taking action post-facto every time something like this happens, life will become rather tedious for the modern CISO," Hidayatullah says, advocating instead that firms focus on proactive action.
Ransomware Uses Legit Utilities to Spread
Battling NotPetya is complicated by the malware - as with WannaCry before it - exploiting the same "EternalBlue" vulnerability - targeting the server messaging block or SMBv1 flaw, for which Microsoft has released a patch - MS17-010 - for all versions of Windows. Experts, however, caution that NotPetya doesn't only rely on computers that are vulnerable to EternalBlue to spread.
Indeed, NotPetya has some clever functionality, which lets it infect even systems that have the MS17-010 patch, by using Windows Management Instrumentation (WMIC) - a legitimate Microsoft toolset used to manage multiple windows systems - and a Sysinternals remote access utility called PsExec , says KK Mookhey, principal consultant and founder at Network Intelligence, a Mumbai-based security consultancy.
WMI is enabled by default in Windows, while PsExec allows applications to be remotely run.
Thanks to using built-in Windows functionality, "the vector to spread the infection is more effective and therefore more damaging" than the average piece of malware, Mookhey says. "Even if there is one system on the network that is unpatched and gets infected, the malware then rides on the legitimate credentials of that system to infect other systems in the network."
NotPetya does this by dumping credentials from the memory of an infected system and then uses them to spread on the network through the WMI and PsExec tools, security experts say (see Teardown of 'NotPetya' Malware: Here's What We Know). This lateral movement using valid user credentials and trusted access paths means a large number of organizations - not least in India - might not be able to stop the spread or even detect it as being malicious, until systems have been infected and wiped (see Latest Ransomware Wave Never Intended to Make Money).
Mookhey says while many organizations in the region patched against the EternalBlue exploit in the aftermath of WannaCry, the high rate of NotPetya's spread is likely due to one or more unpatched systems getting exploited and then spreading the infection using WMIC and PsExec.
As a result, Mookhey believes the fallout from NotPetya may be even worse than the WannaCry campaign.
Indian Organizations: Please Start Here
Based on my conversations with multiple Indian security experts, here's their takeaway "must do" guidance for organizations responding to NotPetya:
- Offline backups remain the only truly effective mitigation technique;
- Patch all systems for MS17-010, disable SMBv1, and update all anti-virus suites with signatures for Petya;
- Prevent TCP traffic on port 445 from crossing borders in or out of the environment, and segregate networks;
- Block WMIC and PsExec to whatever extent possible;
- Set different local administrator passwords for systems by using something such as Microsoft's Local Administrator Password Solution (LAPS);
- Disable ADMIN$ shares - or administrative shares on Windows systems, which allow for administrator remote access - if you aren't using them.
What About a Kill Switch?
Amit Serper, a security researcher at cybersecurity firm Cyberreason, discovered that creating a read-only file under "C:windows" called perfc.dll can prevent PCs from being infected by NotPetya. This file acts like a temporary kill switch for any PCs that have not been infected. Security researcher Matthew Hickey, aka Hacker Fantastic, has confirmed that the temporary kill switch works, but it's not clear if it would be easily and reliable enough for enterprises to deploy.
Petya killswitch from @0xAmit must match name of the spreading DLL - perfc.dll, providing it matches it'll prevent infections.— Hacker Fantastic (@hackerfantastic) June 27, 2017
Real Fix: Long-Term Thinking
Those are immediate, short-term fixes. But over the long term, many experts believe that perimeter-centric, layered defense must be bolstered by improving network visibility and awareness, not least to fight attacks that use trusted credentials and legitimate access vectors. "This won't just a question of tooling, process or budgets, but that of mindset - most organizations are convinced that layered defense alone is enough," Hidayatullah says. "However there is no substitute anymore for internal visibility, and wire-speed response for fighting such attacks in environments that are getting increasingly complex."