A new wave of cyber-attacks, Petya, a ransomware similar to the Wannacry attack, has taken out servers and IT systems, crippling enterprises across Ukraine, Russia and some parts of the US and Western Europe.
This second massive ransomware attack in less than two months has once again highlighted the significance of having strong cybersecurity measures in place.
In light of these recent attacks, we speak to partners to understand how organisations can avoid being infected.
Avinash Advani, SVP, Strategic Alliances and International Markets, StarLink, says there are three main factors to be considered.
The first step is to understand quickly which assets are vulnerable and can be compromised, by doing a discovery and vulnerability assessment.
“Second, is to ensure that all existing endpoint security, plus all corporate operating systems and applications are fully patched to the latest versions and the final step is to invest in next-generation endpoint security to ensure that organisations can detect, prevent and respond to such infections,” he adds.
According to Advani, all three factors can be supported by the channel. He adds, “Resellers, SIs or value-added distributors can assist infected customers with security services to conduct software and hardware asset inventory, discovery and vulnerability assessment to get a view of the assets that can potentially be infected. They can also help with professional services to accelerate the patching of all assets. Lastly, they can assess the existing endpoint security posture and propose options for effective detection, prevention and response technologies.”
Agreeing with Advani, Help AG’s MSS architect and CSOC manager, Majid Khan also recommends precautionary measures for SMEs and enterprises.
Organisations need to review Microsoft Security Bulletin MS17-010, apply the update and ensure all systems are on the latest version or patch level reported by the manufacturer.
“For systems without support or patches,” Khan says, “it is recommended to isolate from the network or turn off as appropriate. Another measure is to disable SMBv1 and block all versions of SMB (EternalBlue) at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”
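The patch check, SMBv1 removal and port filtering recommended above, turned into a host-level PowerShell audit-and-harden script. This is an added example, not code from the article, StarLink or Help AG. It assumes a Windows 8.1 / Server 2012 R2 or later host with the SmbShare and NetSecurity PowerShell modules, run from an elevated session; the MS17-010 KB list is a placeholder the operator fills in for their OS build, since the article does not list the KB numbers. The firewall rules apply the article's boundary port list on the host firewall as an extra layer; the perimeter filtering itself belongs on the boundary devices.

```powershell
# Added example: audit and harden a Windows host against the SMBv1 exposure
# described in the article. Not vendor or article code.
#Requires -RunAsAdministrator

function Test-Ms17010Installed {
    param(
        # PLACEHOLDER: replace with the MS17-010 KB id(s) for this OS build.
        [string[]]$KbIds = @('KBxxxxxxx')
    )
    # Get-HotFix lists installed updates; any match means the bulletin is applied.
    $installed = Get-HotFix | Where-Object { $_.HotFixID -in $KbIds }
    return [bool]$installed
}

function Get-Smb1Status {
    # $true means the SMB1 server protocol is still enabled on this host.
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Disable-Smb1 {
    # Turn off the SMB1 server side immediately (no reboot needed for this part).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional feature so the client driver goes too (reboot required).
    # On a client OS the feature is SMB1Protocol; on Windows Server use
    # Remove-WindowsFeature FS-SMB1 instead.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
}

function Block-LegacyFileSharingPorts {
    # Inbound block rules for the ports named in the article:
    # TCP 445 (SMB), TCP 139 and UDP 137-138 (NetBIOS).
    # Note: on a file server this also blocks legitimate SMB clients.
    $rules = @(
        @{ Name = 'Block-SMB-TCP-445';         Protocol = 'TCP'; Port = '445' },
        @{ Name = 'Block-NetBIOS-TCP-139';     Protocol = 'TCP'; Port = '139' },
        @{ Name = 'Block-NetBIOS-UDP-137-138'; Protocol = 'UDP'; Port = '137-138' }
    )
    foreach ($r in $rules) {
        # Idempotent: only create a rule that does not already exist.
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
                -Protocol $r.Protocol -LocalPort $r.Port -Action Block -Profile Any | Out-Null
        }
    }
}

# --- Audit, then harden ---
Write-Host ("MS17-010 applied:      {0}" -f (Test-Ms17010Installed))
Write-Host ("SMB1 enabled (before): {0}" -f (Get-Smb1Status))

Disable-Smb1
Block-LegacyFileSharingPorts

Write-Host ("SMB1 enabled (after):  {0}" -f (Get-Smb1Status))
Get-NetFirewallRule -DisplayName 'Block-SMB-TCP-445','Block-NetBIOS-TCP-139','Block-NetBIOS-UDP-137-138' |
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
```

Run the audit half first on a representative host; the two "SMB1 enabled" lines should read True then False, and the firewall table should list all three rules as Enabled with Action Block. A host that reports "MS17-010 applied: False" after the KB placeholder has been filled in is one of the unpatched systems the article says to patch or isolate.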
Khan says that since the Petya ransomware also takes advantage of the Windows Management Instrumentation Command-line (WMIC) and PSEXEC tools to infect fully-patched Windows computers, organisations should also disable WMIC.
Over and above that, Khan urges organisations to follow best practices, such as refraining from opening attachments and Microsoft Office files from untrusted email addresses and sources.
“Firms should regularly back up data and create restore points. It is imperative that the new signature files for antivirus products are always updated at the earliest,” he adds.
While there are no incidents reported in the Middle East yet, StarLink’s Advani says it is necessary to be cautious.
“Like any ransomware attack, Petya spreads using a specific mechanism, in this case the SMBv1 protocol for those customers using a specific common bitcoin wallet. The Middle East region impact will be based on the number of organisations using that same bitcoin wallet with the SMBv1 protocol enabled.
“Investigation into the latest variant of the Petya cyber-attack is still underway, but at this juncture it is important for organisations to follow the advice that was provided when Wannacry hit,” he adds.