Early last month we held our Annual Security Conference during which we focused on the meteoric rise of ransomware and zero-day threats. Just days later the WannaCry ransomware made a global impact. Yesterday, headlines were made again by the rapid spread of Petya ransomware.
Petya is targeting Windows systems. It is utilizing Eternal Blue, a leaked NSA exploit. The same exploit used by WannaCry. As we discussed at the Annual Security Conference, this wave of attacks isn’t unexpected, and we should expect this to be the new normal.
As a Cerdant customer, we wanted to inform you on what you can do to stay protected. We also want to update you on what we’re doing to protect you as well:
We audit all customer SonicWalls weekly to ensure they have an active Gateway Security subscription (this includes Gateway Anti-Virus (GAV), Intrusion Prevention (IPS), Anti-Spyware (AS), Botnet Filtering, and Geo-IP Filtering). Customers with active subscriptions were updated with signatures for Petya since March 2016. Let us be clear, however, this is only effective for traffic that traverses the gateway that is being scanned. In the case of encrypted traffic, you must be using DPI-SSL.
According to the 2017 SonicWall Annual Threat Report, 60% of web traffic in 2016 was encrypted. Without inspecting this traffic, you are left blind to prevent malware delivered via encrypted channels. Almost all SonicWalls manufactured today can decrypt traffic for scanning by deploying DPI-SSL. Cerdant has a team of engineers that can assist with deployment of this feature as it does require proper management and endpoint preparation.
SonicWall Capture Labs identified Petya variants in March 2016, so the signatures for this malware are known to many vendors. It is critical that all system use AV and are updated regularly. However, legacy signature-based solutions are becoming increasingly ineffective and cumbersome. At Cerdant we now stand behind Cylance as the most effective endpoint solution available. CylancePROTECT has validated protection for Petya using their current models and even older models, both on and offline. Next-Gen AV like Cylance is not signature based and can stop zero-day threats that will surface in the future.
This attack may be delivered via phishing and email spam. Users should know how to check email content for legitimacy, even something simple like hovering over links to see if the URL is reliable. We recommend Proofpoint as an effective email security solution. 65% of ransomware attacks are via phishing emails, so this should be a major focus. Also, be sure to block malicious URLs and domains with Content Filtering.
Critical systems that contain valuable data should be backed up. Petya ransomware encrypts data, making it completely inaccessible. Be sure you also test restores on a regular basis to ensure that data can be retrieved.
Keeping systems and applications patched with updates like MS17-010 is critical. Many known threats can be defended against by following this best practice. We recommend you deploy Capture ATP, SonicWall’s latest service, to discover and stop unknown (zero-day) ransomware variants.
Our team of engineers, IDS specialists, and developers are constantly working to ensure your networks are protected and you are alerted as necessary. Should you have any questions about your current security posture or how it can be improved please contact us.