Get My Score

Today's Ransomware is Sponsored by the Letter 'M'

Control Your Cloud

Petya'd?  Cavirin to the Rescue!

On the back of WannaCry, the latest ransomware of the week is GoldenEye, a variant of Petya.  First reported a few days back, it has already caused havoc within some very large organizations.  Maersk, for example, was impacted, and one of our engineers from Bangalore reported that 10 million containers at the port of Mumbai don't know where to go.  No, Docker isn't going to come to the rescue.  And you think an airline reservation system shutdown is bad!  What is disturbing to me is that four of the companies hit - Maersk, Me-Doc, Merck, and Mondelez - all start with 'M', and that it is mostly targeted against critical industries.  Today's ransomware attack is sponsored by the letter M.  Someone refining their attack vectors?

Just to be totally accurate, the Petya variant encrypts, but doesn't have a provision for decryption, so it is more of a 'wiper' than ransomware.  It is also most probably an actual nation-state cyberattack against Ukraine, only pretending to be ransomware, as concluded by Comte's Matthieu Suiche.  So, what could have been done to protect against it?  

First, note that it is limited to Windows. Microsoft has released patches for the basic vulnerabilities, but that doesn't imply that they've been universally applied.  However, Petya also spreads via Office documents, opening up another vector of attack.  In addition, there is no kill-switch that can be used to stop the attack.

A number of security vendors have listed the specific actions that should be taken by any organization:

1.  Apply the Microsoft patch MS17-010.  This dates from March 14, as noted earlier, over 90 days ago.  Our Patches and Vulnerabilities pack would have caught this.

2.  Disable TCP port 445.  Our Network Security Policies pack closes this.

3.  Restrict administrator group level access.   Our CIS Benchmarks assess and remediate across any OS in any environment, on-premise, cloud, or container.

Ultimately, we provide continuous workload protection, whether your company begins with the letter 'A' or the letter 'Z'. 


© 2018 Cavirin Systems, Inc. All rights reserved.