Ransomware beyond WannaCry and Petya

by Justin Peters, Technology Solutions Director for APJ, Sophos

As the world was still reeling from the global WannaCry attacks, many businesses in Europe and the United States were hit by the recent Petya malware outbreak.

Justin Peters, Technology Solutions Director, Sophos
Sophos researchers have found similarities in the way both ransomware was spread, along with some key differences. Although the researchers found no internet-spreading mechanism like WannaCry utilised, Petya spread through internal networks using the same Eternal Blue/Eternal Romance exploits used in the WannaCry attack. This exploit targets vulnerabilities in the Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks.

In cases where the SMB exploit fails, Petya will attempt to spread using a tool known as PsExec, which allows users to run processes on remote systems. This means that an infected machine can easily spread malware to other machines that have the SMB patch, enabling cybercriminals to infect other computers with the Petya ransomware.

Over the last five years, the industry has become used to seeing malware distributed through email phishing campaigns. This approach to initiate an attack relies upon tricking the recipient to click on a link or attachment. In that way these attacks require user intervention. However today, cybercriminals are using advanced tools and techniques to propagate malware in a worm-like manner, without relying on phishing attacks or user intervention.

Using the types of exploit techniques available today, cybercriminals will continue to target Windows users, while also exploring attacks on other platforms including Linux servers and Mac.

Another rising concern is mobile ransomware. Last year, SophosLabs analysed more than 8.5 million suspicious Android applications. More than half of them being either malware or potentially unwanted applications, including poorly behaved adware.

With new ransomware variants being introduced rapidly, businesses remain at high risk of infection if they do not take the appropriate steps.

Recommended defensive measures:
  • Ensure systems have the latest patches including the one in Microsoft’s MS17-010 bulletin
  • Only allow applications that you require for your day to day work to run on your computer. This reduces the attack surface and limits the number of patches you will need to deploy to keep your systems from being exploited. As an example, consider blocking the Microsoft PsExec tool from running on users’ computers. This tool is used by IT engineers and administrators not regular users. A version of this tool is required for one of the techniques used by Petya to spread automatically. A product like Sophos Endpoint Protection can be used to block PsExec
  • Back up regularly and keep a recent backup copy off-site. Encrypt your backup so you do not have to worry about the backup device falling into the wrong hands
  • Avoid opening attachments and clicking on links in emails you weren’t expecting or from recipients you do not know.
  • Download the free trial of Sophos Intercept X. For non-business users, register for the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorised encryption of files and sectors on your hard disk.