Multiple sources are reporting that a ransomware attack is quickly spreading throughout Ukraine, Spain, and the United Kingdom targeting government and commercial entities. Recent reports indicate that prominent U.S. law firms have also been affected.
Early reports indicate that the ransomware is spreading either via phishing emails carrying common malicious attachment types (e.g., .scr and .bat files and macro-enabled Office documents) or, more likely, via the same Windows SMBv1 vulnerability (MS17-010, the flaw exploited by EternalBlue) that drove the recent WannaCry outbreak. Subsequent analysis of this variant also found that, once inside a network, it moves laterally with credentials harvested from memory, using PsExec and WMIC against hosts that are already patched, so closing SMBv1 alone does not contain it.
This variant, known as Petya (and widely tracked as NotPetya), differs from most ransomware in that it does not rely solely on encrypting files one by one. Instead, it encrypts the NTFS master file table (MFT), which records where every file on the disk lives, and overwrites the master boot record (MBR) with malicious code that displays a ransom note at boot, leaving the machine unable to start Windows at all.
For more information, see: http://thehackernews.com/2017/06/petya-ransomware-attack.html
ACA Aponix Guidance
ACA Aponix recommends taking the following precautionary measures:
- Ensure spam filters are configured to block .scr and .bat attachments and macro-enabled Microsoft Office documents (.docm, .xlsm, .pptm).
- Apply the latest security updates from Microsoft, in particular MS17-010 (released March 2017), and install future updates as soon as they are released.
- Disable SMBv1 via Group Policy Objects (GPO), if possible, after confirming that no legacy systems (older NAS appliances, multifunction printers) still depend on it.
- Block inbound TCP port 445 at the perimeter with a firewall rule, and also block it on links from third parties with direct network access, so the worm cannot tunnel in from a partner's network.
- Disable Remote Desktop (RDP) on internal machines that do not need it, if possible.
- Configure IDS and IPS systems to alert on the signatures published by the FBI, US-CERT, and other authorities for WannaCry and this Petya variant, since both exploit the same SMBv1 flaw.
- Do not open attachments in emails from senders you do not know, and treat unexpected attachments from known senders with suspicion.
- Block inbound Microsoft Office document attachments that contain macros.
- Enable the "Show file extensions" option in Windows Explorer. This makes it much easier to spot malicious files masquerading as documents (for example, invoice.pdf.exe). Do not open files with extensions such as .exe, .scr, .bat, .js, and .vbs.
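The host-level items above (disable SMBv1, block TCP 445, disable RDP, show file extensions) can be audited and applied on a single Windows machine with the following PowerShell script. It is an added example, not an ACA Aponix tool: it uses the documented Windows registry locations and cmdlets, the firewall rule name is an assumption, and a domain-wide rollout would push the same registry values through a GPO as the guidance suggests rather than running this per host.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not ACA Aponix tooling. Audits a Windows host for the four
  host-level controls above (SMBv1 off, inbound TCP 445 blocked, RDP off,
  file extensions shown) and, with -Enforce, applies them. Registry paths and
  cmdlets are the documented Windows ones; the firewall rule name is assumed.
#>
param([switch]$Enforce)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$TermServer   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ExplorerAdv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$RuleName     = 'Block inbound SMB (TCP 445) - Petya/WannaCry'   # assumed rule name

function Test-SmbV1Enabled {
    # Windows 8/2012 and later expose the setting through the SMB cmdlets; the
    # registry DWORD is the documented switch for older hosts (absent = enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}
function Disable-SmbV1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Writing the registry value as well mirrors what a GPO registry preference pushes.
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
}

function Test-Port445Blocked {
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    return ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}
function Block-Port445 {
    # Inbound only: the host may still reach file servers, but nothing should be
    # able to reach its own SMB listener, which is how the worm arrives.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}

function Test-RdpEnabled {
    $v = (Get-ItemProperty -Path $TermServer -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    return ($null -eq $v -or $v -eq 0)
}
function Disable-Rdp {
    Set-ItemProperty -Path $TermServer -Name fDenyTSConnections -Type DWord -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

function Test-ExtensionsHidden {
    # Windows hides known extensions by default, which is what lets invoice.pdf.exe pass as a PDF.
    $v = (Get-ItemProperty -Path $ExplorerAdv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($null -eq $v -or $v -ne 0)
}
function Show-Extensions {
    Set-ItemProperty -Path $ExplorerAdv -Name HideFileExt -Type DWord -Value 0
}

# Each entry names the exposure, a test that is $true when the host is exposed, and the fix.
$checks = @(
    @{ Name = 'SMBv1 enabled';          Bad = { Test-SmbV1Enabled };           Fix = { Disable-SmbV1 } },
    @{ Name = 'TCP 445 not blocked';    Bad = { -not (Test-Port445Blocked) };  Fix = { Block-Port445 } },
    @{ Name = 'RDP enabled';            Bad = { Test-RdpEnabled };             Fix = { Disable-Rdp } },
    @{ Name = 'File extensions hidden'; Bad = { Test-ExtensionsHidden };       Fix = { Show-Extensions } }
)

foreach ($c in $checks) {
    if (-not (& $c.Bad)) { Write-Host "[OK]   $($c.Name): not present"; continue }
    if ($Enforce) {
        & $c.Fix
        Write-Host "[FIX]  $($c.Name): remediated"
    } else {
        Write-Host "[WARN] $($c.Name): exposed (rerun with -Enforce to remediate)"
    }
}
```

Run it once without arguments to get an audit, then with `-Enforce` to apply. Two caveats: disabling SMBv1 through the registry on older Windows takes effect only after a reboot, and the file-extension setting lives under HKCU, so it applies only to the account running the script; for every user on every machine, deliver that value through a GPO instead.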
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.