
Sander Hofman Sr Technical Sales Europe


1 After Petya – Improving Your Cyber Resilience Strategy Webinar: 11am CET

2 Petya Ransomware Attack: The Facts
Sander Hofman, Sr Technical Sales Europe

3 Petya history:
March 2016: First version of Petya
May 2016: Petya meets Mischa
December 2016: Petya returns as "GoldenEye"
March 2017: A new "unauthorized" version of Petya appears
June 2017: New Petya / NotPetya outbreak causes …

When it was first identified, Petya quickly gained attention thanks to its unique encryption routine. Instead of encrypting individual files, it encrypted the Master File Table (MFT), essentially bricking the victim's hard drive. It did so by adding malicious instructions to the Master Boot Record (MBR) and then causing Windows to reboot. When victim machines came back on, a fake CHKDSK screen distracted victims while the encryption process was underway. Once encryption was complete, the ransom screen appeared.

Petya's first run came to an abrupt end in April 2016 when researchers were able to defeat its encryption. A month later, it was back, packaged together with Mischa ransomware. The new combo gave the attacks more flexibility: if Petya was able to gain admin privileges, it would modify the MBR and encrypt the MFT; if not, the installer would fire up Mischa instead, which would then encrypt the victim's files in a more traditional way.

The same group behind Petya released a new version of the ransomware rebranded as "GoldenEye" at the end of. Aside from cosmetic differences, the major difference was that the order of the two encryption processes was switched: the ransomware now encrypted the victim's files first, then attempted to modify the MBR.

Earlier this year, researchers at Kaspersky spotted what appeared to be the work of a "rogue actor" who was essentially able to piggyback off Petya's core functionality while making slight changes that ensured payments would instead go to them. Dubbed "PetrWrap", this ransomware also took a notably different approach to distribution. Instead of infecting victims via spam emails (as Petya had primarily done), the attackers behind PetrWrap used it to target vulnerable servers with unprotected RDP access. They also incorporated credential-stealing tools like Mimikatz into their attacks, enabling them to abuse the Windows command utility PsExec to move laterally and spread the ransomware throughout the network. These are some of the same tactics that would help the latest version of Petya to spread a month later.

Source: Barkly Blog

4

5 EternalBlue NSA Exploit
What is EternalBlue? EternalBlue is one of the purported NSA exploits leaked in April by the Shadow Brokers hacking group. It targets a vulnerability in Server Message Block (SMB), a network file sharing protocol. What makes EternalBlue so dangerous is that:
Successful deployment provides attackers with the remote execution they need to launch ransomware, credential stealers, or any other malware they want.
There are a ton of devices with port 445 (the port associated with SMB) either knowingly or inadvertently open to the Internet right now, over 1 million if you're keeping score at home.
The Shadow Brokers leak provided everything even novice attackers need to start utilizing EternalBlue, including an exploit framework called FuzzBunch that makes deploying it extremely simple.

Microsoft had actually released an update (MS17-010) that addresses the SMB vulnerability and renders EternalBlue ineffective in March, a month prior to the Shadow Brokers announcement. But as the WannaCry outbreak showed, large numbers of organizations were obviously unable or unwilling to patch in time to avoid compromise.

To use the exploit, all the WannaCry attackers had to do was scan the Internet for systems with port 445 open, and then fire away. Then, as part of the infection process, the ransomware would scan the local network and wider Internet for additional victims with SMB exposed.

Unlike WannaCry, the Petya outbreak only uses EternalBlue to spread laterally within an infected network. And if that isn't successful, it has additional tricks up its sleeve (more on those below). As explained above, another major difference between this outbreak and the WannaCry one is that the Petya ransomware variant also operates much differently than WannaCry (and, arguably, isn't even truly ransomware).

Source: Barkly Blog

6 Key Facts about Petya/NotPetya:
Over 150 countries affected.
250,000+ computers compromised.
Petya being distributed via email, with the attachment 'Order doc'.
Built for targeted destruction, not profit.
Main target: Ukraine.

FAQ: Petya Ransomware Attack
What is it? Today a major new ransomware attack has hit businesses globally, but initially in the Ukraine, Russia, and across Europe. This has been identified as an updated strain of the Petya ransomware that was identified back in March. The malware appears to arrive via a Microsoft Word document in an email and is then able to spread rapidly to other machines on the network using the same EternalBlue exploit used by WannaCry last month. Microsoft has patched the underlying vulnerability in the SMBv1 file sharing protocol for all versions of Windows, but if hotfixes are not deployed, users remain vulnerable.
Who is affected? Over 150 countries and hundreds of thousands of computers across the globe in several industry sectors have been affected, including high-profile companies such as Maersk, WPP and the Ukrainian State Power Company.
What does it do? When the Word document is opened, a file is dropped and executed. This creates a scheduled task that reboots the machine an hour after infection. The malware also searches infected machines for user credentials, which are then used to spread the infection further across the network. Additionally, the malware spreads to other unpatched machines on the network automatically and self-installs. After reboot, the malware encrypts files and demands a ransom of $300.
Are Mimecast Customers Safe? We help protect against email-borne attacks using Mimecast Targeted Threat Protection - Attachment Protect, which is able to detect and block the infected Word document attachment, thereby preventing infections by this ransomware via email. For customers without Targeted Threat Protection, the anti-virus engines in Mimecast's Secure Email Gateway have signatures to detect this current variant of Petya.
While the initial infection is via a weaponized Word document sent in an email, we also recommend customers review their web, endpoint, perimeter and other network security in line with best practice for each of these areas.
Source: The Verge Blog
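The FAQ above says the dropped file registers a scheduled task that reboots the host an hour after infection. The following hunt is an added example (not from the presentation, Mimecast or The Verge): it enumerates scheduled tasks whose action restarts the machine and correlates them with recent task registrations. Assumptions: the reboot is expressed as a call to shutdown.exe with the /r switch (an assumption about how such a task is typically written, not a detail stated on the slide), the Task Scheduler operational log is enabled, event ID 106 is that log's "task registered" event, and the session is elevated. The look-back window is a constructed default.

```powershell
# Added example, not from the presentation or from Mimecast: hunt for a
# delayed-reboot scheduled task of the kind the slide describes.
function Find-SuspiciousRebootTask {
    [CmdletBinding()]
    param(
        # Window for "recently registered" tasks (constructed default).
        [timespan] $LookBack = (New-TimeSpan -Hours 24)
    )

    $now = Get-Date
    $results = @()

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # MSFT_TaskExecAction exposes the binary (Execute) and its Arguments.
            # Assumption: a reboot task calls shutdown.exe with /r.
            if ($action.Execute -match 'shutdown(\.exe)?$' -and
                $action.Arguments -match '(^|\s)/r\b') {
                $info = $task | Get-ScheduledTaskInfo
                $results += [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Command  = "$($action.Execute) $($action.Arguments)".Trim()
                    NextRun  = $info.NextRunTime
                    Triggers = ($task.Triggers | ForEach-Object { $_.StartBoundary }) -join ';'
                }
            }
        }
    }

    # Correlate with task registrations (event 106) inside the look-back window.
    $filter = @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 106
        StartTime = $now - $LookBack
    }
    $recent = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($r in $results) {
        $registeredRecently = [bool]($recent | Where-Object { $_.Message -like "*$($r.TaskName)*" })
        $r | Add-Member -NotePropertyName RegisteredRecently -NotePropertyValue $registeredRecently
    }
    return $results
}

# A reboot task registered in the last day, authored by an ordinary user
# account and with a single one-off trigger, is worth an analyst's attention.
Find-SuspiciousRebootTask | Format-Table -AutoSize
```

Legitimate maintenance tasks will also match, so treat the output as a triage list: the Author, the trigger's StartBoundary (a single time roughly an hour after the task was registered) and RegisteredRecently together separate a scheduled patch reboot from something dropped by a document macro.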

7 How to protect

8 Patching
Every organization must ensure its IT systems are regularly updated. Microsoft security updates are released on the second Tuesday of each month (Patch Tuesday). Microsoft released a security update back in March which addresses the vulnerability that WannaCry exploited and that Petya also appears to exploit. For those organizations who have not yet applied the security update, you should immediately deploy Microsoft Security Bulletin MS. If you are using a legacy, now unsupported version of Windows, you should consider upgrading immediately. However, if this is impossible in the short term, Microsoft has taken the unusual measure of releasing a security patch that can buy you time to upgrade your operating system.

9 Operating system, End Point Protection, Firewall, Proxy, Patching

10 Network Hardening
Good security practice dictates removing or disabling unnecessary network services to reduce the potential attack surface. Since Petya has spread quickly by abusing vulnerabilities in the Server Message Block network protocol, this should be an area of immediate focus. Unless you have a very good reason not to, disable the SMBv1 protocol on your network, while also ensuring needed SMB services cannot be directly accessed from the internet. Also, disable or block other legacy protocols on your network that you are not using. Leaving them available leaves them open for malicious actors to leverage.
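The patching slide and the network hardening slide together describe one host-level procedure: confirm the MS17-010 update is installed, disable SMBv1, and keep SMB off the internet. The script below is an added example (not from the presentation or from Mimecast) that audits a single Windows host against those three points and, with -Remediate, applies them. Assumptions: Windows 8 / Server 2012 or later (the SmbShare, NetSecurity and Dism cmdlets exist), an English-language rule group named "File and Printer Sharing", and an elevated session; the KB ids must be supplied by the operator from the MS17-010 bulletin for the host's OS build, and the trusted address ranges are constructed defaults. Save it as a .ps1 and run it.

```powershell
# Added example, not from the presentation or from Mimecast: audit (and
# optionally remediate) MS17-010 patch level, SMBv1 and TCP/445 exposure.
[CmdletBinding()]
param(
    # KB ids that ship MS17-010 for this OS build; supplied by the operator.
    [string[]] $RequiredKbs = @(),
    # Ranges allowed to reach SMB on this host (constructed defaults).
    [string[]] $TrustedSmbSources = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
    [switch] $Remediate
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Patch level. Get-HotFix lists installed updates by KB id; on Windows 10
#    the fix ships inside a cumulative update, so pass that KB id instead.
if ($RequiredKbs.Count -eq 0) {
    $findings.Add('MS17-010 check skipped: no KB ids supplied (-RequiredKbs)')
} else {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing = $RequiredKbs | Where-Object { $_ -notin $installed }
    if ($missing) { $findings.Add("Missing update(s): $($missing -join ', ')") }
}

# 2. SMBv1. The server-side switch and the Windows optional feature are
#    separate; removing the feature also drops the SMBv1 client (reboot needed).
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings.Add('SMBv1 enabled in SMB server configuration')
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1Feature -and $smb1Feature.State -eq 'Enabled') {
    $findings.Add('SMB1Protocol Windows feature installed')
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. TCP/445 exposure. Block it outright on the Public (internet-facing)
#    profile, and scope the built-in inbound SMB allow rules to trusted ranges.
#    Block rules win over allow rules in Windows Firewall, so the allow rules
#    are narrowed rather than countered with a second block rule.
$blockRule = 'Block inbound SMB (TCP 445) on Public profile'
if (-not (Get-NetFirewallRule -DisplayName $blockRule -ErrorAction SilentlyContinue)) {
    $findings.Add('No Public-profile block rule for inbound TCP/445')
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $blockRule -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}
$smbAllow = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound `
    -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $smbAllow) {
    $port = $rule | Get-NetFirewallPortFilter
    if (@($port.LocalPort) -notcontains '445') { continue }   # only the SMB-In rules
    $scope = $rule | Get-NetFirewallAddressFilter
    if ($scope.RemoteAddress -contains 'Any') {
        $findings.Add("Allow rule '$($rule.DisplayName)' accepts SMB from any address")
        if ($Remediate) { $rule | Set-NetFirewallRule -RemoteAddress $TrustedSmbSources }
    }
}

# 4. Report. A listening socket on 445 tells you whether the host serves SMB at all.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Output "Findings: $($findings.Count); SMB listening on this host: $([bool]$listening)"
$findings | ForEach-Object { Write-Output " - $_" }
```

Run it first without -Remediate to see what would change; the host firewall scoping only protects the host it runs on, so the perimeter check (no TCP/445 reachable from the internet) still has to be done at the edge firewall.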

11 End Point Protection, Non-Admin, Firewall, Switch Blocking, Server Hardening, Mobile Devices, Network Hardening

12 Email Security

13 ARMed SMTP Security (Advanced Reputation Management)
Anti-spoofing checks
Real-time Blackhole List (RBL) checks
Global network outbreak detection
Multiple content-based heuristic scanning engines
DNS-based, checksum-based and statistical filtering definitions
Multi-layer anti-virus scanning
100% SLA for known and unknown malware
99.9% SLA for spam reduction

14 Malicious URL Phishing Protection
Mimecast Malicious URL Phishing Protection:
All URLs in every inbound mail are rewritten at the gateway.
On every click, real-time scanning of the destination site.
Access is granted to clean sites without delay; access to compromised sites is blocked.
Dynamic user awareness built in, helping to build a human firewall.

15 Mimecast Ransomware Attachment Protect
Pre-emptive sandbox checks attachments pre-delivery.
Option of innovative transcription with on-demand sandbox.
Potentially harmful attachments replaced with transcribed safe versions.
Employees have instant access to safe files.
Request original via cloud-based sandbox if required.

16 Mimecast Impersonation & CEO Fraud Protection
Key identifiers (checked against Subject, Body and Header):
Name is one of my users' names
Domain is like one of my domains
Keyword dictionary
Newly observed domain
Reply-to address mismatch
Configurable actions on suspicious mail:
Bounce message
Hold message (for Admin, Moderator or User review)
Tag message (tag body, e.g. "This message originated from outside the organization")

17 Internal Email Protect: How it works for internal emails

18 Beyond the mailbox server your business needs…
Security Gateway (MTA): Anti-Virus/Anti-Spam, Anti-Malware, Anti-(Spear)-Phishing, Encryption, Data Leak Prevention, Security Monitoring & Reporting, Large File Transfer
Archiving and File Storage: Compliance, e-Discovery & Legal Hold, Enterprise Search, End-User Access, Storage Infrastructure
Continuity: Clustered Mail Servers, Failover Data Centers, Backup & Recovery Systems

19 This is Cyber Resilience
Protect: You need the best technology that provides multi-layered cloud security.
Continue: You need to continue to work while the issue is resolved.
Remediate: You need to go back to the last known good state.
This is Cyber Resilience.

20 Thank You Mimecast Blog
