Earlier today, a new ransomware attack similar to WannaCry began spreading across Europe.
This strain, dubbed “Petya,” can be “considered the evil twin brother of WannaCry” according to Rich Barger, Director of Security Research at Splunk. It’s targeting organizations that provide critical infrastructure like banks and energy providers. And it’s still spreading. Reports indicate that the attack started in the Ukraine, but it’s moving fast. It’s also widespread, currently affecting almost every Eastern European country and moving quickly into Western Europe.
Just announced, Splunk® Insights for Ransomware offers smaller organizations a new approach to managing ransomware threats like these. For more guidance on using Splunk to combat Petya and ransomware in general, check out our blog post "Closing the Detection-to-Mitigation Gap – Or, To #Petya or #NotPetya… #whocares?!".
It’s too early to tell for certain, but Russian banks initially hypothesize that email phishing may be the initial attack vector. Much like WannaCry, Petya then uses the EternalBlue exploit to spread.
As with any security incident, Petya is an evolving situation and readers should be advised that this blog post is an initial response only—it is not intended to be an ongoing status update on the latest information about the attack.
Unfortunately, monthly ransomware and nation state attacks are the new normal, and affect organizations of all sizes, from Fortune 500 enterprises to SMBs. As Matthias Maier, Security Evangelist, Splunk, says, “The sophistication and consequences of ransomware attacks have reached a new level. The days are near where a cyberattack can result in a total blackout and affect the lifeblood of society.”
The persistent and regular nature of ransomware attacks requires that security and IT teams alike take a hard look at their process and overarching approach to security—in particular, how they ensure operational continuity. Organizations affected by attacks like Petya need to react quickly and analyze the situation by looking deep into their infrastructure to check how they can minimize or stop the damage in their environment and bring their systems back. Then they need to examine what happened, how the threat got in and identify the weak point in order to fix it. Ideally, they will be able to see it coming—if they have good control over security posture and can perform efficient investigations to verify and decide where and when they need to act first. This can be difficult, especially for smaller organizations.
Splunk offers security solutions for security needs including ransomware. We just announced Splunk® Insights for Ransomware, a new offering targeted at smaller organizations, enabling them to take an analytics-driven approach to managing ransomware threats. Splunk Insights for Ransomware offers Splunk Enterprise capabilities with user-based pricing and enables organizations to benefit from real-time insights for proactive assessment and rapid investigation of potential ransomware threats.
Splunk offers many techniques to help combat ransomware, from DIY to a pre-packaged app that includes over a dozen key use cases you can use to get started.
And if you’re an Enterprise Security or User Behavior Analytics customer, you can use Splunk’s SIEM solution to assess your overall security posture for ransomware, use ES’s workflow for incident responders and its Incident Review Audit for ransomware cases, use adaptive response to isolate infected hosts, use the Threat Intelligence framework to identify indicators of known ransomware, and take advantage of ES’s visualization capabilities to build your own ransomware dashboards. With UBA, you can detect potential ransomware activity by spotting malware that moves laterally across the network or uses domain generation algorithms in its DNS traffic.
Ransomware attacks like Petya can strike at any time. Arm yourself with security solutions like Splunk Insights for Ransomware so you’re ready for the next attack.
[On June 27th, we learned of initial reports of a new variant of Petya ransomware called “NotPetya” affecting European networks, with specific industries being affected within the Netherlands and the Ukraine. Initial claims indicate that NotPetya attempts to propagate via the ETERNALBLUE SMB exploit as previously seen in the WannaCry attacks; however, there are also early indications that NotPetya may propagate via a locally dropped psexec.exe binary and WMI as well. This means the malware has additional spreading functionality that would allow execution against fully patched systems, including those patched against the MS17-010 vulnerability. Additionally, NotPetya appears to destroy filesystems irreversibly, whereas typical ransomware allows victims to pay a ransom in exchange for decryption keys to recover their data.]
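Because NotPetya can spread over SMB, psexec and WMI even to hosts patched against MS17-010, a useful detection does not depend on the exploit at all: it looks for a single host fanning out to many peers over those channels in a short window, which is the lateral-movement pattern the UBA paragraph above refers to. The following is an added example, not Splunk code or anything from the original post; the event format, host names, channel labels, window and threshold are all constructed for illustration (in Splunk the same logic would be a distinct-count of destinations per source over a time bucket).

```python
"""Flag hosts that fan out to many peers over SMB/psexec/WMI within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): timestamp, source, destination, channel.
# ws-fin-12 touches six hosts in a few seconds; admin-jump is an ordinary admin workstation.
SAMPLE_EVENTS = """\
2017-06-27T10:00:01 ws-fin-12 fs-01 smb445
2017-06-27T10:00:02 ws-fin-12 ws-fin-13 psexec
2017-06-27T10:00:03 ws-fin-12 ws-fin-14 wmi
2017-06-27T10:00:04 ws-fin-12 ws-fin-15 smb445
2017-06-27T10:00:05 ws-fin-12 dc-01 smb445
2017-06-27T10:00:06 ws-fin-12 ws-fin-16 psexec
2017-06-27T10:05:00 admin-jump dc-01 psexec
2017-06-27T10:30:00 admin-jump fs-01 wmi
"""

# Channels the update above names as NotPetya spreading paths (labels are assumed).
LATERAL_CHANNELS = {"smb445", "psexec", "wmi"}


def parse_events(text):
    """Parse one constructed event per line into (datetime, src, dst, channel)."""
    events = []
    for line in text.splitlines():
        ts, src, dst, chan = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, chan))
    return events


def find_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return {src: set(dsts)} for sources reaching >= threshold distinct hosts
    over lateral-movement channels inside any sliding window of length `window`.
    Window and threshold are assumed tuning values, not vendor defaults."""
    by_src = defaultdict(list)
    for ts, src, dst, chan in events:
        if chan in LATERAL_CHANNELS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it covers at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            dsts = {d for _, d in hits[start:end + 1]}
            if len(dsts) >= threshold:
                flagged[src] = flagged.get(src, set()) | dsts
    return flagged


if __name__ == "__main__":
    for src, dsts in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src} reached {len(dsts)} hosts over lateral channels: {sorted(dsts)}")
```

Flagged hosts are candidates for isolation via adaptive response; the admin workstation in the sample stays below the threshold because its two connections are 25 minutes apart.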
- Original WannaCry blog post
- Splunk Insights for Ransomware web page
- Online Demo Experience – Ransomware Investigation Exercises
- Splunk Security Essentials for Ransomware App on Splunkbase
- .conf2016 Splunking the Endpoint: Hands On! Ransomware Edition recording and slides
- December 2016 Detection of Ransomware and Prevention Strategies Webinar
- Ransomware Wrangling with Splunk .conf2016 session