Following closely on the heels of WannaCry, a new ransomware variant known as Petya began sweeping across the globe, impacting a wide range of industries and organisations including critical infrastructure such as energy, banking, and transportation systems. FortiGuard Labs sees this as much more than a new version of ransomware. Rather it is representative of a new wave of multi-vector ransomware attacks that Fortinet is calling “ransomworm”, which takes advantage of multiple, timely exploits. In doing so, ransomworm is designed to move swiftly across multiple systems on its own, rather than staying in one place or requiring end user action.
Security Recommendations
Fortinet's advice for organisations seeking to protect themselves from this malware includes:
IT Department
- Back up your critical systems’ files, and keep that backup offline
- Ensure you have a ‘gold standard’ operating system disk and configuration, to allow you to reconstruct your desktop with confidence
- Patch
- Check the currency of your patches.
Users
- Don’t open attachments from unknown sources.
Security Operations
- Push out signatures and AVs
- Use sandboxing on attachments
- Use behavior-based detections
- At firewalls, look for evidence of Command & Control
- Segment your network, to limit the spread of the malware and to keep backup data from being encrypted
- Ensure that Remote Desktop Protocol is turned off, and/or is properly authenticated, and otherwise limit its ability to move laterally.
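An added example of the Remote Desktop check recommended above (example code, not from the Fortinet post): it reports whether RDP is enabled, whether Network Level Authentication is enforced, and whether the Windows Firewall still allows it. It assumes an elevated PowerShell session on a Windows 8/2012 or later host and the standard Terminal Server registry locations.

```powershell
# Added example, not part of the original advisory. Assumes local admin rights.
function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is turned off.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections

    # UserAuthentication = 1 means NLA is required before a session is created.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication

    # Any enabled inbound rule in the "Remote Desktop" group means the host
    # firewall is not blocking RDP (NetSecurity module, Windows 8/2012+).
    $fwAllows = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
                  Where-Object { $_.Enabled -eq 'True' }).Count -gt 0

    if ($deny -eq 1)    { $finding = 'OK: RDP disabled' }
    elseif ($nla -ne 1) { $finding = 'WARN: RDP enabled without NLA' }
    else                { $finding = 'INFO: RDP enabled with NLA; restrict who can reach it' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($deny -ne 1)
        NlaRequired    = ($nla -eq 1)
        FirewallAllows = $fwAllows
        Finding        = $finding
    }
}

Get-RdpExposure | Format-List
```

Run it across a fleet with Invoke-Command and keep the output; a host that reports RDP enabled without NLA is the first one to fix.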
General Guidance
- If affected, don’t pay
- Share fact-of infiltration with trusted organizations, to assist with overall community efforts to diagnose, contain, and remedy.
Fortinet have also published a Technical Analysis of the Ransomworm that discusses some of the technical aspects of this ransomworm that have been investigated by FortiGuard Labs.
If you think you or your system has been compromised, or you just would like some advice on securing your systems, please Contact Us.