Petya Ransomware - PowerPoint PPT Presentation

About This Presentation
Title:

Petya Ransomware

Description:

Once we get beyond the immediate patchwork of solutions and accept that these attacks will continue, we need to think about how to best bolster response. Security orchestration allows for automation and improved capabilities to navigate the full scope of security operations and incident response activities from the initial alert through to remediation. Simply put, context, automation and analyst enablement ensure that the disease is cured, not just the symptoms.

Transcript and Presenter's Notes

Title: Petya Ransomware


1
Petya Ransomware
  • How To Best Approach This Global Threat

2
Introduction
  • The recent cyber-attack caused disruption around
    the globe and has infected companies in an
    estimated 64 countries, including major banks,
    oil and gas organizations, law firms and
    advertising agencies. According to anti-virus
    vendor ESET, 80% of all infections were in
    Ukraine, with Germany second hardest hit with
    about 9%.

3
What Is Petya
  • Petya is a type of ransomware that was first
    discovered in 2016. Petya mainly targets
    Microsoft Windows-based systems, infecting the
    master boot record to execute a payload that
    encrypts a hard drive's file system table and
    prevents Windows from booting. It subsequently
    demands that the user make a payment in Bitcoin
    in order to regain access to the system.

4
EternalBlue Hack SMB
  • Generally, ransomware similar to the previous
    WannaCry attack spreads via worms. The worms
    multiply exponentially, moving through an
    organization wherever they find an exploitable
    weakness. One route is the so-called EternalBlue
    exploit, thought to have been developed by the
    US NSA, which abuses a flaw in Server Message
    Block (SMB), the protocol that lets computers
    and other equipment talk to each other.

5
Never Ending Arms Race
  • With the ransomware spreading like wildfire
    across the globe, thousands of companies have
    been scrambling to safeguard their data.
    Microsoft's security bulletin recommends
    various previously released security patches
    to make sure that Petya ransomware and its
    variants cannot progress. Additionally,
    Microsoft has provided a guide to help secure
    Windows systems against the EternalBlue exploit
    that opens up this particular brand of attack.

6
How To Face Petya
  • For those that are already facing Petya, there
    doesn't appear to be a way to restore corrupted
    file systems, and no option to pay the ransom,
    because the Posteo webmail address given to pay
    the $300 ransom has been shut down.
  • What security leaders should be considering is
    how dangerous it has become to have disconnected
    systems spitting out reports and failing to
    garner actionable intelligence. The ability to
    correlate these alerts in real time, manage cases
    efficiently and respond effectively has pushed
    Security Orchestration to the top of the security
    food chain in recent months.

7
Time For Security Orchestration
  • Once we get beyond the immediate patchwork of
    solutions and accept that these attacks will
    continue, we need to think about how to best
    bolster response. Security orchestration allows
    for automation and improved capabilities to
    navigate the full scope of security operations
    and incident response activities from the initial
    alert through to remediation. Simply put,
    context, automation and analyst enablement
    ensure that the disease is cured, not just the
    symptoms.

8
Conclusion
  • With 2017 just past its halfway mark, the threat
    landscape has already brought some of the
    largest and most critical global organizations
    to their knees, creating a ripple effect
    throughout world economies with no sign of
    slowing. WannaCry was a small warning in
    comparison to Petya, and if this trend continues,
    the next massive attack could be a tipping point.

9
References
  • https://www.siemplify.co/blog/how-to-best-approach-petya-ransomware/
  • https://www.siemplify.co/demo-request/
  • https://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch
  • https://msrc-blog.microsoft.com/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • https://en.wikipedia.org/wiki/Petya_(malware)