A new strain of ransomware, known as ‘NotPetya’ (originally reported as Petya), has impacted individuals, private companies and public organisations including banks, airports and government organisations across Europe over the last 24 hours.
Ransomware is a type of computer virus that locks your data and demands payment of a ransom to unlock it. Even after the ransom is paid, it is quite common for the system to remain locked, with the attacker taking the money without releasing the files. Ransomware has recently become the single greatest online security issue, both in the number of attacks and in the impact it has on businesses and organisations that manage national critical infrastructure.
The NotPetya threat follows the global WannaCry ransomware attack in May, which was labelled as the largest global cyber security incident to date. WannaCry exploited a known vulnerability in Microsoft systems called ‘EternalBlue’, and encrypted data, locking users out of their system until a ransom was paid.
While experts are still looking to establish how this new ransomware works, it is believed that NotPetya is potentially exploiting the same EternalBlue vulnerability as WannaCry. EternalBlue is a vulnerability in SMBv1, Microsoft’s early implementation of its network file sharing protocol.
While NotPetya appears to have mostly affected European countries to date - including England, Ukraine, Russia and India - it is important to remember our geographic location does not make New Zealand companies exempt from this threat.
For this reason, it is important companies remain vigilant and take proactive steps in order to avoid being affected.
Tom Moore, Practice Manager at specialist cybersecurity consultancy Aura Information Security, recommends the following measures and precautions to avoid your business being impacted by ransomware:
1. Ensure all computers are updated with the latest security patches
Companies should ensure all staff computers, personal computers and company servers are up to date with the latest security updates and patches so that they are not openly vulnerable to the attack. Focus first on any older legacy Microsoft operating systems you might be running.
2. Make sure you know your vulnerabilities
If you are running legacy unsupported operating systems or software with known vulnerabilities, isolate them from the rest of your network. Make sure you add extra protection such as configuration hardening, host-based firewalls, or application whitelisting. Upgrade unsupported operating systems to the latest platforms wherever possible. Use your firewalls to block Microsoft file sharing protocols and do not expose these protocols to the internet (SMBv1 uses TCP port 445).
3. Make sure you know what to do in the event of a ransomware infection
Make sure you know where your critical information is stored and ensure that you are able to restore this information from backup if your business suffers an incident, particularly if you have sensitive or critical information stored on laptops and desktops. If your business is impacted, it is recommended that you do not pay the ransom, as this may not result in files being recovered. You can also reach out for free advice if you report a security incident to the New Zealand National Computer Emergency Response Team (CERT), via www.cert.govt.nz or 0800 CERT NZ (0800 2378 69).
4. Educate your staff
Educate your staff on what to look out for and what to do if their workstation is infected with malware. The advice for this latest ransomware attack is that users should immediately unplug their machine from the network, and call their IT support help desk. Advise staff to be extremely cautious when opening emails – even if they are from trusted suppliers and contacts, and especially if they contain attachments. It’s a good idea to call the sender to verify that they have sent the attachment and if in doubt, don’t open it.
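One way to check a single Windows host against the advice in step 2 (SMBv1 and TCP port 445), as an added example that is not part of the original article or of Aura's guidance. It assumes Windows 8 / Server 2012 or later, where these cmdlets exist, and an elevated PowerShell session; the firewall rule name and the choice to block only on the Public profile are assumptions made for the example.

```powershell
# Added example (not from the article): audit one Windows host for SMBv1 and
# inbound TCP 445 exposure. Run elevated. Read-only unless -Remediate is given.
param([switch]$Remediate)

# 1. Does the SMB server component still accept SMBv1 sessions?
$smb1Server = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

# 2. Is the SMBv1 optional feature enabled? (Client Windows 8.1 and later;
#    the lookup returns nothing on systems that do not know the feature.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$smb1Feature = [bool]($feature -and $feature.State -eq 'Enabled')

# 3. Which enabled inbound allow rules name TCP 445 explicitly?
#    Rules written as a port range or "Any" are not matched here and need
#    a manual look.
$allow445 = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '445'
    })

# Summary object, suitable for piping to Export-Csv when run across a fleet.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    Smb1ServerEnabled  = $smb1Server
    Smb1FeatureEnabled = $smb1Feature
    InboundAllow445    = ($allow445 | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }) -join '; '
}

if ($Remediate) {
    # Stop the server from negotiating SMBv1 (SMBv2/3 shares keep working).
    if ($smb1Server) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Assumption: this host must never serve files on untrusted networks, so
    # block inbound 445 on the Public profile only. The rule name is made up.
    $name = 'Block inbound SMB on Public (added example)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}
```

Hosts that cannot run these cmdlets are likely the legacy systems step 2 says to isolate; for those, the block on TCP port 445 has to be enforced at the network firewall instead.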