The global reach and considerable impact of the current Petya ransomware outbreak bear remarkable similarity to the WannaCry attack of just a few weeks ago. This outbreak should serve as another wake-up call for organizations and governments around the world.
At Mimecast our first priority is to help protect our customers from the latest threats. Our services help protect email, which has traditionally been the primary attack route for ransomware as well as for many other forms of cyber threat. There have already been reports of Petya being distributed via email (sent from the address email@example.com with the attachment Order-20062017.doc). However, samples have also revealed that Petya is spreading over local networks and the internet by abusing the Server Message Block (SMB) protocol weaknesses that reached notoriety with the recent WannaCry attack.
This blog is designed to provide insight as well as help all organizations complete a review of their network and email security, backup and business continuity systems and processes.
We are also providing additional insights in this blog into how to make configuration changes to ensure your Mimecast Targeted Threat Protection solution is optimized. As many of you already know, a comprehensive “defense-in-depth” strategy is the best approach for the mitigation of current and future threats of ransomware and for many other types of attack.
Every organization must ensure its IT systems are regularly updated. Microsoft security updates are released on the second Tuesday of each month (Patch Tuesday).
Microsoft released a security update back in March which addresses the vulnerability that WannaCry exploited and that Petya also appears to exploit. For those organizations who have not yet applied the security update, you should immediately deploy Microsoft Security Bulletin MS17-010.
If you are using a legacy, now unsupported version of Windows, you should consider upgrading immediately. However, if this is impossible in the short term, Microsoft has taken the unusual measure of releasing a security patch that can buy you time to upgrade your operating system.
Good security practice dictates removing or disabling unnecessary network services to reduce the potential attack surface.
Since Petya has spread quickly by abusing vulnerabilities in the Server Message Block network protocol this should be an area of immediate focus.
Unless you have a very good reason not to, disable the SMBv1 protocol on your network, while also ensuring that any SMB services you do need cannot be reached directly from the internet. Also disable or block other legacy protocols on your network that you are not using. Leaving them enabled simply gives malicious actors more to leverage.
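The SMB hardening steps above, as an added example that is not part of the Mimecast post: a PowerShell script that reports the current SMB server settings, disables SMBv1 (with the registry switch Microsoft documents for older releases as a fallback), removes the SMB1 optional feature, and scopes the host firewall's inbound SMB rules to private address ranges so TCP/445 is not exposed further afield. It assumes an elevated session on Windows 8 / Server 2012 or later; the allowed source ranges are an assumption you should adjust to your own network.

```powershell
# Added example, not Mimecast's own tooling. Run elevated; try -WhatIf first to preview changes.
# Assumes Windows 8 / Server 2012 or later for the Smb* and NetFirewall* cmdlets.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed private ranges still allowed to reach TCP/445 on this host; adjust to your network.
    [string[]]$AllowedSmbSources = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
)

# 1. Record the current state so the change is auditable.
$cfg = Get-SmbServerConfiguration
Write-Output ("SMB1 enabled: {0}; SMB2/3 enabled: {1}" -f $cfg.EnableSMB1Protocol, $cfg.EnableSMB2Protocol)

# 2. Turn off the SMBv1 server dialect, the one the MS17-010 weaknesses apply to.
if ($cfg.EnableSMB1Protocol -and $PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMBv1')) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Same switch via the registry, which is the documented method for Windows 7 / 2008 R2.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}

# 3. Remove the SMB1 optional feature entirely where the OS offers it (takes effect after a reboot).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled' -and
    $PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Remove')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 4. Limit the built-in inbound file-sharing allow rules to private sources. With no allow rule
#    matching, the default inbound action (block) applies to every other source, including the
#    internet. Perimeter filtering of TCP/445 on the edge firewall is still required.
if ($PSCmdlet.ShouldProcess('File and Printer Sharing (inbound)', 'Restrict remote addresses')) {
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedSmbSources
}

# 5. Show the result; SMB1 should now read False.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
```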
For customers of Mimecast Targeted Threat Protection, we advise a number of configurations:
URL Protect – configure a policy in line with our best practice guide in Mimecaster Central. Ensure a policy is applied to all users. Rewriting all URLs in inbound emails so they are scanned for unsafe content at time-of-click is the best approach to preventing inbound URL-based phishing attacks.
Attachment Protect – configure the “Safe Files” option for all users to ensure all inbound Microsoft Office files are converted to a safe and thus benign format. Since Petya has reportedly been delivered via phishing emails that pretend to carry a résumé but in fact contain a malicious dropper, automating your defenses against malicious attachments is critical.
For users who require access to editable documents, ensure Attachment Protect’s on-demand sandboxing is configured. Refer to the best practice guide in Mimecaster Central for details on how to set this up.
Internal Email Protect – this service provides protection for emails with URLs and attachments in both outbound email and email sent internally from one internal address to another. To the extent that attackers use email to spread their attack internally, this service can help to defend against that. Ensure policies are applied to all users and that remediation capabilities are enabled, so malicious emails can be removed from both senders’ and recipients’ mailboxes. Refer to our best practice guide for configuration recommendations.
For Mimecast customers using Mimecast’s secure email gateway without Targeted Threat Protection, we advise using the most up-to-date attachment management definition. This, in conjunction with the Suspected Malware policy, can hold Office files containing macros and thus provides another layer of detection, but it does not provide the sandboxing offered by Attachment Protect.
Mimecast’s ARMed SMTP (Advanced Reputation Management) combines malware, reputation, and anti-spam checks to reject unwanted email. This service is continually updated to defend against email-borne attacks originating from suspect senders.
DNS authentication capabilities such as DKIM and SPF can also help stop attackers from spoofing or hijacking the email domains of trusted senders, thus effectively taking away one method attackers use to fool their intended victims. DMARC also adds an extra layer of spoofing defense.
To learn more about Mimecast’s DMARC implementation and DNS Authentication policies, please see the relevant document in the Mimecaster Central community.
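The SPF and DMARC checks described above, as an added example that is not part of the Mimecast post: a PowerShell function that resolves a domain’s SPF and DMARC TXT records and lists the settings that still leave the domain easy to spoof (no record, a permissive `all` mechanism, a monitor-only `p=none`, a partial `pct`, or no aggregate reporting address). It assumes Resolve-DnsName (Windows 8 / Server 2012 or later) and outbound DNS; the function and helper names are my own.

```powershell
# Added example, not Mimecast's own tooling. Assumes Resolve-DnsName and outbound DNS access.
function Get-TxtRecordString {
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }   # long records arrive as 255-byte chunks; rejoin them
}

function Test-MailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = @()

    # SPF lives at the domain apex; exactly one v=spf1 record is valid.
    $spf = @(Get-TxtRecordString $Domain | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -eq 0)     { $findings += 'SPF: no v=spf1 record; receivers cannot check the sending host' }
    elseif ($spf.Count -gt 1) { $findings += 'SPF: multiple v=spf1 records; receivers treat this as a permanent error' }
    else {
        switch -Regex ($spf[0]) {
            '\+all' { $findings += 'SPF: "+all" authorises any host to send as this domain'; break }
            '\?all' { $findings += 'SPF: "?all" is neutral and gives receivers nothing to act on'; break }
            '~all'  { $findings += 'SPF: "~all" softfail; move to "-all" once every legitimate sender is listed'; break }
            '-all'  { break }   # hard fail for unlisted hosts: the desired end state
            default { $findings += 'SPF: no "all" mechanism; unlisted senders are treated as neutral' }
        }
    }

    # DMARC lives at _dmarc.<domain> and tells receivers what to do with SPF/DKIM failures.
    $dmarc = Get-TxtRecordString "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' } | Select-Object -First 1
    if (-not $dmarc) { $findings += 'DMARC: no _dmarc record; SPF/DKIM results are never enforced' }
    else {
        # Match the top-level p= tag only (not sp= or pct=).
        $policy = if ($dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'missing' }
        if ($policy -in @('none', 'missing')) {
            $findings += "DMARC: p=$policy only monitors; move to quarantine, then reject"
        }
        $pct = if ($dmarc -match 'pct=(\d+)') { [int]$Matches[1] } else { 100 }
        if ($pct -lt 100) { $findings += "DMARC: pct=$pct applies the policy to only part of the mail stream" }
        if ($dmarc -notmatch 'rua=') { $findings += 'DMARC: no rua= address, so no aggregate reports to reveal spoofing' }
    }

    [pscustomobject]@{ Domain = $Domain; SPF = ($spf -join ' | '); DMARC = $dmarc; Findings = $findings }
}

# Usage: Test-MailAuthPosture -Domain 'example.com' | Format-List
```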
Data backups and business continuity
Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks, and as this attack highlights, there are many ways for an infection to enter and spread throughout an organization.
It’s vital that your organization regularly backs up critical data and ensures that ransomware cannot spread to backup systems. Ransomware can take time to encrypt large volumes of files, particularly across a network share. It is imperative to ensure your backup retention window is long enough to go back to before any infection began, and that the backups themselves are immutable once written.
Backup and recovery measures only take effect after an attack, and they cost organizations downtime and IT resources spent dealing with the attack and its aftermath, so effective prevention is clearly the preferred strategy.
Organizations also must be able to continue to operate during the infection period and recover quickly once the infection has been removed. This is why continuity services are also a critical part of a ransomware defensive strategy.
Should firms ever pay a ransom?
We advise organizations never to succumb to the pressure to pay the ransom to regain access to their applications and data.
There is no guarantee that cybercriminals can or will unlock files, and payment only further motivates and finances attackers to expand their ransomware campaigns.
The key advice for a ransomware defense is to always be in a position where you don’t even need to consider paying the ransom.
If you need advice on how to configure Mimecast’s security services, please contact us. We’ll gladly walk you through best practice methods to stop ransomware and other malware attacks.
For Mimecast customers not currently using Mimecast Targeted Threat Protection, we are fast-tracking consultation and on-boarding to help you put the right measures in place for this attack, the next attack, and the ones that will assuredly come after those.
You can get in touch with us by email via firstname.lastname@example.org