Ransomware attack prevention for your company

Jun 29, 2017
Another ransomware attack has struck companies - large and small - across the globe, leaving them without a hope of getting their data back. Mike Harris breaks down what this malware does and how you can prevent it from spreading throughout your company's network.

The malware that has been impacting systems across the world since 27 June is known variously as “Petya”, “NotPetya”, “Petrwrap”, “exPetr” or “Goldeneye”. It has two elements: a propagator and a payload. Several vectors by which it spreads through a local network have already been identified. It is not yet clear whether this is an entirely new strain or one built on older code: it shares characteristics with both the Petya and WannaCry ransomware families, but it combines them with propagation methods that those earlier outbreaks did not use.

The propagator is a worm. It exploits a vulnerability in the SMBv1 file-sharing component of Windows (the EternalBlue exploit, closed by Microsoft’s March 2017 update MS17-010) to move from computer to computer and infect an entire network. It also harvests credentials from each machine it lands on, including administrator passwords, and uses those passwords and the administrative access they grant to copy and run itself on other machines through standard Windows remote administration tools, infecting shared files, servers and workstations. That second route does not depend on the vulnerability at all, so a fully patched host can still be infected from a compromised neighbour once an administrator’s credentials have been captured.

The payload is an encryption program that locks the contents of the computer and demands a key before the files can be accessed again. The key must be purchased with Bitcoin, hence the “ransomware” label. The ransom demanded by this particular malware is $300 in Bitcoin per device. A small number of payments to the attackers’ Bitcoin address were observed early on 27 June, but by that afternoon the German email provider Posteo had shut down the mailbox victims were told to use to claim their key. The attackers can therefore no longer see proof of payment, which makes decryption through the ransom route impossible: paying will not get your data back.

Because the malware spreads only within the local network it has reached, it is less contagious than WannaCry, which also spread across the internet. Even so, Microsoft has identified infections in at least 64 countries, with Ukraine and Russia the worst affected. At the time of writing, large organisations including Ukraine’s state telecom, the US pharmaceutical company Merck and the Russian steel and oil companies Evraz and Rosneft have been hit.

The spread of this malware and its use of the EternalBlue exploit suggest that many companies had not implemented basic security measures such as applying the relevant Microsoft patch (MS17-010) or blocking protocols they do not need, SMBv1 in particular. At the time of writing, the Irish operations of three international companies have been affected.

There are a number of concrete steps you can take to reduce your chances of being infected.

Patching – and where you can’t patch, protect

This malware exploits a vulnerability in the SMBv1 component of Microsoft Windows. Microsoft released a patch (MS17-010) that closes this vulnerability in March 2017, three months before this outbreak. Organisations that have not yet applied it should do so as a matter of urgency, and should treat it as the minimum rather than the whole answer: the malware also spreads with captured administrator credentials, which the patch does nothing to stop.

Not all systems can be patched or kept up to date: some have compatibility issues with other programs, some have licensing constraints, and some run embedded versions of Windows. Where that is the case, other protections should be put in place. Disable SMBv1 if the system does not need it, block SMB (TCP port 445) at the host firewall and at the boundary of the segment the system sits on, and where possible isolate the system on its own network segment or remove it from the network entirely and physically isolate it.
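The patch-or-protect decision above, as an added PowerShell example (not from the article or Grant Thornton): it reports whether a host has one of the March 2017 MS17-010 packages and whether SMBv1 is still enabled, and with -Harden it disables SMBv1 and blocks inbound SMB at the host firewall, which also covers the protocol blocking the Firewalls section below recommends. It assumes Windows 8.1 / Server 2012 R2 or later for the Smb* and NetFirewall* cmdlets and an elevated session; the firewall rule name is made up for the example. The KB list covers only common OS versions and later cumulative updates supersede those packages, so a missing KB means "check further", not "exposed".

```powershell
# Added example, not from the article: audit one Windows host for the
# MS17-010 fix and for SMBv1 and, when run with -Harden, disable SMBv1 and
# block inbound SMB for hosts that cannot be patched. Run elevated.
# Assumes Windows 8.1 / Server 2012 R2 or later for the Smb* and
# NetFirewall* cmdlets. On Windows 7 / 2008 R2 the SMBv1 server is turned
# off instead with the registry value SMB1=0 under
# HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
param(
    [switch]$Harden   # change the host; without it the script only reports
)

# MS17-010 packages for Windows 7 SP1 / Server 2008 R2 (security-only,
# rollup), Windows 8.1 / Server 2012 R2 (security-only, rollup) and the
# single package for XP / Vista / 2003 / 2008. Later cumulative updates
# supersede these, so absence is a prompt to check, not proof of exposure.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012598')
$RuleName   = 'Block inbound SMB (TCP 445) - MS17-010 mitigation'   # assumed name

$installed  = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
$smb1On     = (Get-SmbServerConfiguration).EnableSMB1Protocol
$ruleExists = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    Ms17010KbsFound   = ($installed | Select-Object -ExpandProperty HotFixID) -join ','
    Smb1ServerEnabled = $smb1On
    Port445Blocked    = $ruleExists
} | Format-List

if (-not $Harden) { return }

if ($smb1On) {
    # Turn off the SMBv1 server; SMBv2/3 clients are unaffected.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On Windows 8.1/10 the protocol can also be removed as an optional feature.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
}

if (-not $installed -and -not $ruleExists) {
    # Unpatched and no rule yet: stop other hosts reaching this host's SMB
    # service at all. File sharing from this host stops too; that is the point.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}
```

Run it once without -Harden across the estate to find the hosts that still have SMBv1 on and no MS17-010 package, then decide per host whether to patch or to apply the block. The rule stops inbound SMB only; a host that must serve files on 445 to specific peers needs a narrower rule with -RemoteAddress instead.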

Backups and recovery

The most comprehensive defence against ransomware attacks such as this is a recent, reliable backup. If a system is hit, you wipe it, rebuild it and restore from backup. It is critical that a recent copy of the backup is kept offline so that the backup itself cannot be reached by the malware: a backup that sits on a server the worm can get to will be hit along with everything else. Restoring from backup is the “nuclear option” and can cost a great deal of time and resources, but it is the most conclusive defence against a ransomware attack. Test that the restore actually works before you need it.

Firewalls and other controls

While it is not yet clear how this malware first gains entry to internal networks, the main attack vector for ransomware in general is malicious email attachments, so firewall controls and email screening or scanning should be in place. To limit the spread of the malware once it is inside, restrict remote administrative tools and the accounts that can use them as far as possible: the malware relies on captured administrator credentials to reach other machines, so administrators should not routinely log on to workstations with domain-wide privileges, and workstations rarely need to accept SMB connections from other workstations at all. Other potential entry points include emails to your staff or contractors, and untrusted or backup internet connections that bypass your main perimeter controls.

Incident response

One of the key defences in your arsenal against attacks such as this is your incident response capability. The ability to identify an infection quickly, and then to contain and eradicate it, is central to your organisation’s defences. Incident response should cover the steps of identification, containment, eradication, recovery and prevention, and should account for any reporting obligations that exist under regulations. For a worm of this kind, containment means disconnecting affected hosts from the network immediately, before the propagator has finished harvesting credentials and copying itself onward.
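Identification is the step the paragraph above leans on most, so here is an added PowerShell example (not from the article) of a small hunt over Windows event data for the lateral-movement pattern this worm produces: one set of captured administrator credentials reused over the network against many hosts in a short window, service installation in the PsExec style, and wmic.exe run against a remote host. The function, the thresholds, the event-object shape and the sample events are all constructed for the example; they are generic lateral-movement heuristics, not indicators published for this malware. Command lines in 4688 events are only recorded when the "include command line in process creation events" audit setting is on.

```powershell
# Added example, not from the article: hunt event data for credential reuse
# and remote-execution patterns. Event objects, thresholds and sample data
# are constructed for the example; in production build the same object
# shape from Get-WinEvent as shown at the bottom.
function Find-LateralMovement {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MaxSourcesPerAccount = 5,   # distinct source IPs per account ...
        [int] $WindowMinutes = 10          # ... within this many minutes
    )
    $alerts = [System.Collections.Generic.List[string]]::new()

    # 1. Network logons (4624, logon type 3) for one account from many sources
    #    in a short window: a worm reusing a captured credential, not a person.
    $netLogons = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 3 }
    foreach ($grp in ($netLogons | Group-Object -Property Account)) {
        $sorted = @($grp.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $sources = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                         Select-Object -ExpandProperty SourceIp -Unique)
            if ($sources.Count -ge $MaxSourcesPerAccount) {
                $alerts.Add("$($grp.Name): network logons from $($sources.Count) hosts within $WindowMinutes min from $($start.ToString('u'))")
                break
            }
        }
    }

    # 2. Service installation (System log 7045) under PsExec's default service
    #    name, or with the service binary on an admin share of another host.
    foreach ($e in ($Events | Where-Object { $_.Id -eq 7045 })) {
        if ($e.ServiceName -match 'PSEXESVC' -or $e.ImagePath -match '\\\\[^\\]+\\(ADMIN|C)\$\\') {
            $alerts.Add("$($e.Host): remote service install '$($e.ServiceName)' -> $($e.ImagePath)")
        }
    }

    # 3. Process creation (4688) of wmic.exe aimed at another host (/node:).
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4688 })) {
        if ($e.CommandLine -match '\bwmic(\.exe)?\b.*/node:') {
            $alerts.Add("$($e.Host): $($e.Account) ran remote WMI: $($e.CommandLine)")
        }
    }
    return $alerts
}

# Constructed sample: one service account seen from six workstations in four
# minutes, a PsExec-style service and a remote wmic call. Host names, account
# names, addresses and paths are made up.
$t0 = Get-Date '2017-06-27T11:02:00'
$sample = @()
foreach ($n in 1..6) {
    $sample += [pscustomobject]@{ Id = 4624; Host = 'FS01'; Time = $t0.AddSeconds(40 * $n)
                                  Account = 'CORP\svc-admin'; LogonType = 3; SourceIp = "10.0.5.$n" }
}
$sample += [pscustomobject]@{ Id = 4624; Host = 'FS01'; Time = $t0.AddMinutes(30)
                              Account = 'CORP\jsmith'; LogonType = 3; SourceIp = '10.0.5.9' }
$sample += [pscustomobject]@{ Id = 7045; Host = 'WS-0112'; Time = $t0.AddMinutes(1)
                              ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' }
$sample += [pscustomobject]@{ Id = 4688; Host = 'WS-0112'; Time = $t0.AddMinutes(2); Account = 'CORP\svc-admin'
                              CommandLine = 'wmic.exe /node:"WS-0113" /user:"svc-admin" process call create "C:\Windows\Temp\update.exe"' }

Find-LateralMovement -Events $sample | ForEach-Object { Write-Output "ALERT: $_" }

# Production input: the same object shape from the live Security log, e.g.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ForEach-Object {
#     $x = [xml]$_.ToXml(); $d = @{}
#     $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ Id = 4624; Host = $_.MachineName; Time = $_.TimeCreated
#                        Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
#                        LogonType = [int]$d.LogonType; SourceIp = $d.IpAddress }
# }
```

With the constructed sample the function returns three alerts: the svc-admin credential seen from six hosts in under ten minutes, the PSEXESVC service on WS-0112, and the wmic /node: call from the same workstation; jsmith's single logon does not trip the threshold. The first check is the one that matters for this worm, because a captured admin credential reused across the network is what the patch cannot stop, and it only works if logons from many hosts are collected centrally (event forwarding or a SIEM) rather than hunted one host at a time.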

Cyber security awareness

Ultimately, as this outbreak has clearly demonstrated, cyber security is a business risk. Awareness of cyber security risks at all levels of the business, in particular at board level, together with an appropriate cyber security programme, is essential to safeguard your organisation.

Mike Harris is the Partner, Cyber Security Services, at Grant Thornton.