On Petya, Déjà Vu and Good Security Hygiene

As Yogi Berra famously said, “It’s déjà vu all over again.”

That’s certainly how many IT and security practitioners feel right now as yet another wave of ransomware attacks hit organizations throughout Europe and the United States yesterday.

In quick review, this current ransomware attack, dubbed Petya (aka PetrWrap) by many, appears to be an updated version of attacks that hit earlier this year. Petya also relies on the same EternalBlue exploit that powered the WannaCry ransomware attacks that struck just last month. As it is ransomware, systems are encrypted shortly after infection and the attackers demand a ransom. The attack swept through government agencies, small businesses, healthcare providers, and multinational corporations, just as WannaCry did.

You see, it really is déjà vu all over again.

Fortunately, Petya doesn’t seem to be spreading as widely as WannaCry did. This could be because so many enterprises (thankfully) patched the Microsoft SMBv1 vulnerability detailed in CVE-2017-0144 (the MS17-010 update).

But there is a catch: not everyone has patched CVE-2017-0144. And once a single system is infected (perhaps through a phishing attack), Petya is capable of spreading to other systems on the internal network even where that patch is in place. Having landed on a system where a user holds administrative privileges, Petya steals those credentials from memory and uses them to infect neighboring systems, running its payload remotely through two legitimate Windows administration tools: Microsoft’s PsExec and Windows Management Instrumentation (WMI). No exploit is needed on that path; valid credentials are enough, which is why Petya hit some organizations so hard.
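The credential-plus-admin-tool spread described above leaves traces in ordinary host logs. As an added example (not code from the original post, and not anything taken from the malware itself), the Python script below runs a small set of heuristics over constructed event records modelled on Windows Security event 4688 (process creation, with command-line logging enabled) and System event 7045 (a new service was installed). The field names, host names, user names and command lines are all constructed for this example.

```python
"""Heuristic detection of PsExec- and WMI-driven lateral movement.

Added example for this post; not the malware's code nor anything from the
post. The records below are constructed to resemble Windows Security event
4688 (process creation, command-line logging enabled) and System event 7045
(a new service was installed). Field names are this example's own.
"""
import re
from dataclasses import dataclass

# A PsExec-style push: a \\TARGET argument followed somewhere by one of the
# flags PsExec and its clones accept (-s run as SYSTEM, -d don't wait,
# -accepteula). Matching on the argument shape rather than the binary name
# still catches a renamed copy of PsExec.
PSEXEC_RE = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9._-]+)\s.*-(?:s|d|accepteula)\b", re.IGNORECASE
)
# Remote process creation through the WMI command-line client (wmic.exe).
WMIC_RE = re.compile(
    r'/node:"?(?P<host>[^"\s]+)"?\s.*?\bprocess\s+call\s+create', re.IGNORECASE
)
# Service name PsExec registers on the target when it connects.
PSEXEC_SERVICE = "PSEXESVC"


@dataclass(frozen=True)
class Finding:
    event_id: int
    source_host: str   # empty for 7045, which only names the target
    target_host: str
    reason: str


def analyse(records):
    """Return one Finding per record that looks like remote execution."""
    findings = []
    for rec in records:
        eid = rec["event_id"]
        if eid == 4688:
            cmd = rec.get("command_line", "")
            m = PSEXEC_RE.search(cmd)
            if m:
                findings.append(Finding(eid, rec["host"], m.group("host").upper(),
                                        "psexec-style remote execution"))
                continue
            m = WMIC_RE.search(cmd)
            if m:
                findings.append(Finding(eid, rec["host"], m.group("host").upper(),
                                        "wmic remote process creation"))
        elif eid == 7045 and rec.get("service_name", "").upper() == PSEXEC_SERVICE:
            findings.append(Finding(eid, "", rec["host"],
                                    "PsExec service installed on target"))
    return findings


def fan_out(findings, min_targets=2):
    """Sources that pushed code to at least min_targets distinct hosts: the
    worm-like spread the post describes, as opposed to a one-off admin task."""
    targets = {}
    for f in findings:
        if f.source_host:
            targets.setdefault(f.source_host, set()).add(f.target_host)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS01", "user": "CORP\\alice",
     "command_line": r"C:\Windows\System32\cmd.exe /c dir C:\Users"},
    {"event_id": 4688, "host": "WS01", "user": "CORP\\admin",
     "command_line": r"C:\Windows\Temp\svc.dat \\SRV01 -accepteula -s -d "
                     r"C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"},
    {"event_id": 4688, "host": "WS01", "user": "CORP\\admin",
     "command_line": r'wmic.exe /node:"SRV02" /user:"CORP\admin" /password:"x" '
                     r'process call create "rundll32.exe C:\Windows\payload.dll,#1"'},
    {"event_id": 7045, "host": "SRV01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 4688, "host": "WS02", "user": "CORP\\bob",
     "command_line": "wmic.exe os get caption"},
]

if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.event_id} {f.source_host or '?':>5} -> {f.target_host:<5} {f.reason}")
    print("fan-out:", fan_out(found))
```

The source-side checks key on the argument shape of a PsExec-style push (a \\TARGET followed by -s, -d or -accepteula) and on wmic.exe creating a process on a /node:, while the target-side check looks for the PSEXESVC service PsExec installs when it connects. A single source host fanning out to several targets in a short window is the pattern worth paging on; on a real estate these heuristics need tuning against legitimate administrative use of the same tools.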

As with all ransomware, once a system is successfully infected its data is encrypted and the system is rendered useless unless the decryption key is obtained, usually by paying the ransom. Occasionally victims are lucky: researchers find a flaw in the ransomware’s implementation that allows files to be recovered without paying.

Good Security Hygiene
How does an enterprise avoid this fate? The simple answer is maintaining good hygiene. By patching promptly, not giving endpoints (and the users on them) unnecessary administrative privileges, keeping backups that an infected network cannot reach, and similar steps, many organizations could have avoided the pain of Petya completely or significantly reduced it. But as I wrote in our post Poor Cloud Security Hygiene Catches Up with Enterprises, this is something enterprises have a hard time doing.

If attacks made possible by poor hygiene sound familiar, that’s because it is eerily similar to the Elasticsearch, Hadoop, and CouchDB attacks we reported on earlier this year. When it comes to poor cybersecurity hygiene, it certainly does seem every attack is also a case of déjà vu all over again.

What should enterprises do? Avoiding this malware is no different from avoiding most any malware or ransomware attack: enterprises should patch, run good security defenses, segment their networks, and make sure systems are always running in compliance with security and regulatory policies. That’s good hygiene.

Patrick Flanders wrote in his post Everyone is talking about ransomware, but what are you doing about it? “Ransomware is effective because it uses the path of least resistance to find an opening. As code and a programming function, ransomware is not terribly complex, nor does it need to be. To achieve its goals it just needs access and there are a surprising number of access points that, if not adequately protected, are easily hacked.”

These easily breached points of entry, more often than not, exist on traditional on-premises networks and within cloud systems alike. And enterprises that aren’t engaged in good cybersecurity hygiene will find themselves reliving that uncomfortable experience of being breached over and over again.

About George Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. For five years, Hulme served as senior editor at InformationWeek magazine, where he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.
