Welcome to the new normal, as we usher in another massive, worldwide, fear-inspiring ransomware attack. I will spare you the technical details of this specific malware, but I do feel it is important to understand the common elements of this latest attack and the methodology that ransomware attacks continue to favour.
In April of this year, we witnessed a harmless but embarrassing email phishing campaign that targeted Dropbox users. The phishing email looked like it came from someone you knew and carried a download link that pointed to a Dropbox file. Since people send Dropbox links all the time, this is a very effective phishing technique. I had a funny feeling at the time that this was a dress rehearsal for a much larger phishing campaign using Dropbox download links.
Not even two months later, say hello to Petya. This ransomware virus differs from traditional ransomware in two key ways:
- The virus is distributed via the Dropbox network.
- The virus overwrites the boot files required to load Windows, locking the user out of the computer entirely.
The victim usually first receives a business-related email from someone supposedly applying for a job. The victim is lured into opening a Dropbox storage location that contains the applicant's CV and other details. When the user tries to open the relevant files, a self-extracting executable runs on their PC; it contains a Trojan horse. The Trojan then disables any installed anti-virus programs and downloads the Petya ransomware from a remote server.
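A mail-gateway triage heuristic for the lure just described, added here as an example (it is not 4IT's code nor any vendor's product): it scores constructed sample messages on the combination of an external sender, a Dropbox link that forces a download, job-application wording, and an executable or archive filename. The internal domain, the word lists and the hold threshold are assumptions to tune for your own environment.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the protected organisation's domain

# Dropbox share links; dl=1 or the usercontent host forces a download instead of a preview.
DROPBOX_LINK = re.compile(r"https?://(?:www\.|dl\.)?dropbox(?:usercontent)?\.com/\S+", re.I)
FORCED_DOWNLOAD = re.compile(r"[?&]dl=1\b|dropboxusercontent\.com", re.I)
LURE_WORDS = re.compile(r"\b(?:cv|resume|applicant|application|vacancy|position)\b", re.I)
EXEC_NAME = re.compile(r"\b[\w.-]+\.(?:exe|scr|js|vbs|zip|rar)\b", re.I)


def body_text(msg: Message) -> str:
    """Concatenate every text/* part of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Score one raw RFC 822 message; 'hold' (assumed threshold: 3 of 4) means route it to review."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    links = DROPBOX_LINK.findall(text)
    reasons = []
    if links and not sender.endswith("@" + INTERNAL_DOMAIN):
        reasons.append("dropbox link from external sender")
    if any(FORCED_DOWNLOAD.search(link) for link in links):
        reasons.append("link forces a file download")
    if links and LURE_WORDS.search(text):
        reasons.append("job-application wording around the link")
    if EXEC_NAME.search(text):
        reasons.append("executable or archive filename mentioned")
    return {"score": len(reasons), "reasons": reasons, "hold": len(reasons) >= 3}


# Constructed samples: one applicant-style lure, one ordinary internal share.
PHISH = ("From: Jane Applicant <jane@mail-example.net>\nTo: hr@example.com\n"
         "Subject: Application for the accountant position\n\n"
         "Please find my CV here: https://www.dropbox.com/s/abc123/CV_Jane.zip?dl=1\n")
BENIGN = ("From: Bob Colleague <bob@example.com>\nTo: alice@example.com\nSubject: Q3 slides\n\n"
          "Shared the deck: https://www.dropbox.com/s/xyz789/q3-review.pptx?dl=0\n")

if __name__ == "__main__":
    for name, sample in (("lure", PHISH), ("internal share", BENIGN)):
        print(name, score_message(sample))
```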
The most important question now is how we effectively protect ourselves from these types of attacks going forward.
First, over the past couple of months, 4IT has been evaluating end-user phish testing and education services from two different vendors. Essentially, these services run continuous phishing email campaigns against your company and then provide campaign reports showing who opened the emails and who clicked on the links. Those users receive additional training and are evaluated again during the next campaign. This gives a measurable reduction in the risk associated with phishing and is much more effective than a one-time training session. 4IT will shortly be adding this service to our managed service enhanced security suite.
Second, building multiple layers of detection and prevention significantly increases the chance that at least one layer will recognize the malware. Our preferred combination of anti-virus (Webroot), anti-malware (Malwarebytes), OpenDNS (content filtering), and the SonicWall Comprehensive Security Gateway creates four separate layers of possible detection. In fact, the good news for SonicWall customers using the full suite of security services is that SonicWall has had signatures for certain variants of Petya since March 2016. In April 2017, Capture Labs analyzed and released protection for the EternalBlue exploit that the Shadow Brokers leaked from the NSA.
Realistically, this constant wave of attacks is probably the new normal for cybersecurity, and it will only reinforce the value of ongoing investment in technology and training to prevent, detect, and remediate cyberattacks.