FBI Cyber Division issued a flash alert via the InfraGard network of a possible new ransomware attack modeled on last week’s Petya attack. According to the flash, there are reports of organizations in the United States, France, India, Russia, Spain, Ukraine and the United Kingdom being impacted.
None of this is new. This type of attack is modeled after threats identified is 2016 and patched in March of 2017. They key to preventing a current infection is a layered defensive perimeter and user awareness.
The following recommendations come straight from this flash and are worth reviewing:
Recommended Steps for Prevention
Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
Have regular penetration tests run against the network no less than once a year and, ideally, as often as possible/practical.
Test your backups to ensure they work correctly upon use.
Recommended Steps for Remediation
Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.
Defending Against Ransomware Generally
Precautionary measures to mitigate ransomware threats include:
Ensure anti-virus software is up-to-date.
Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
Only download software – especially free software – from sites you know and trust.
Enable automated patches for your operating system and Web browser.