Following closely on the heels of WannaCry, a new ransomware variant known as Petya began sweeping across the globe, impacting a wide range of industries and organisations, including critical infrastructure such as energy, banking, and transportation systems. FortiGuard Labs sees this as much more than a new version of ransomware. Rather, it is representative of a new wave of multi-vector ransomware attacks that Fortinet is calling “ransomworm”, which takes advantage of multiple, timely exploits. In doing so, ransomworm is designed to move swiftly across multiple systems on its own, rather than staying in one place or requiring end-user action.
Fortinet’s advice for organisations seeking to protect themselves from this malware includes:
- Back up your critical systems’ files, and keep that backup offline.
- Ensure you have a ‘gold standard’ operating system disk and configuration, so that you can rebuild a desktop with confidence.
- Check that your patches are current.
- Don’t open attachments from unknown sources.
- Push out the latest signatures and antivirus updates.
- Use sandboxing on attachments.
- Use behaviour-based detection.
- At firewalls, look for evidence of command-and-control traffic.
- Segment the network, to limit the spread of the malware and to keep backup data from being encrypted.
- Ensure that Remote Desktop Protocol is turned off and/or properly authenticated, and otherwise limit its usefulness for lateral movement.
- If affected, don’t pay.
- Share the fact of infiltration with trusted organisations, to assist with overall community efforts to diagnose, contain, and remedy.
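Three of the items above (patch currency, Remote Desktop turned off or properly authenticated, and limiting RDP exposure at the host firewall) can be checked on a Windows host with a short audit script. The following is an added example written for this page; it is not code from Fortinet or FortiGuard Labs. It assumes an elevated PowerShell 5.1 or later session on the host being checked, and the `$RequiredKBs` list is a placeholder you must fill in with your own patch baseline, since the advisory names no specific updates.

```powershell
# Added example (not from the Fortinet advisory): audit a Windows host against
# three items of the advice list: RDP disabled or NLA-enforced, inbound Remote
# Desktop firewall rules, and presence of a required patch baseline.
# Assumption: run from an elevated PowerShell 5.1+ session on the host itself.

# Placeholder: replace with the KB identifiers your own patch baseline requires.
$RequiredKBs = @('KB0000000')

$findings = @()

# 1. Is RDP disabled? fDenyTSConnections = 1 means incoming connections are denied.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections
$rdpDisabled = ($ts.fDenyTSConnections -eq 1)

# 2. If RDP is enabled, is Network Level Authentication required?
#    UserAuthentication = 1 means clients must authenticate before a session is created.
$nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                        -Name UserAuthentication
$nlaRequired = ($nla.UserAuthentication -eq 1)

if ($rdpDisabled) {
    $findings += [pscustomobject]@{ Check = 'RDP'; Status = 'OK';   Detail = 'RDP disabled' }
} elseif ($nlaRequired) {
    $findings += [pscustomobject]@{ Check = 'RDP'; Status = 'WARN'; Detail = 'RDP enabled with NLA; confirm it is needed and network-restricted' }
} else {
    $findings += [pscustomobject]@{ Check = 'RDP'; Status = 'FAIL'; Detail = 'RDP enabled without NLA' }
}

# 3. Host firewall: count enabled inbound rules in the built-in "Remote Desktop" group.
#    Zero enabled rules means the host firewall is not admitting RDP at all.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
$rulesEnabled = @($rdpRules | Where-Object { $_.Enabled -eq 'True' }).Count
$findings += [pscustomobject]@{
    Check  = 'Firewall'
    Status = if ($rulesEnabled -eq 0) { 'OK' } else { 'WARN' }
    Detail = "$rulesEnabled inbound Remote Desktop rule(s) enabled"
}

# 4. Patches: every KB in the baseline must appear in the installed hotfix list.
$installed = (Get-HotFix).HotFixID
$missing   = @($RequiredKBs | Where-Object { $installed -notcontains $_ })
$findings += [pscustomobject]@{
    Check  = 'Patches'
    Status = if ($missing.Count -eq 0) { 'OK' } else { 'FAIL' }
    Detail = if ($missing.Count -eq 0) { 'baseline present' } else { "missing: $($missing -join ', ')" }
}

$findings | Format-Table -AutoSize
```

The script only reads registry values, firewall rules, and the hotfix list; it changes nothing. A `FAIL` on the RDP check or the patch check is the condition the advisory is warning about, and a `WARN` on the firewall check is a prompt to confirm that the enabled rules are scoped to the management subnets that actually need them.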