Latest on Petya/GoldenEye Ransomware Attack - security advisory
Yesterday, I sent a pitch and accompanying expert commentary from cyber security company eSentire relating to the recent GoldenEye ransomware attack, identified as a strain of the Petya ransomware, initially making its way throughout Europe and spanning the globe within hours.
eSentire is closely monitoring the ransomware outbreak and published a security advisory late last night (EDT), which was also sent to its customers. It is available at this link: https://www.esentire.com/news-and-e....
Based on its lab analysis, eSentire confirmed that the ETERNALBLUE exploit is one of the propagation vectors. There are also indications of other network propagation mechanisms, among them WebDAV on admin$ shares and possibly WMIC.
eSentire Founder and Chief Security Strategist Eldon Sprickerhoff says, “The eSentire threat intelligence team has confirmed one variant associated with this attack, however broadly there are more than 50 different flavors of ransomware variants in the wild. Of those flavors, behaviors prompt the rapid deletion of files and exfiltration of data. Recently we’ve tracked a new variant which works to lock down passwords before encryption, making backup restoration particularly tricky. This attack amplifies the rapid evolution of ransomware; attacks are becoming more widespread, are moving faster, and are harder to kill. While this attack is hitting Europe harder than other countries (at the moment), it is moving quickly and businesses worldwide should treat this as the warning siren. Take this as an opportunity to ensure that offline backups and system patches are up-to-date, and tested.”
eSentire also recommends implementing these preventative measures:
• Educate your staff. Inform them of the threat and encourage extreme caution when handling email from unknown senders, especially those containing attachments.
• Consider Local Administrator Password Solution (LAPS) as a control tool to help limit credential leaks in the event of a network breach.
• Control the spread. Isolate infected assets and assets suspected of compromise immediately.
• Double-check that system patches are current. For Petya/GoldenEye, patch deployment is critical to reduce the risk of infections abusing CVE-2017-0144 and CVE-2017-0145; both are addressed by the MS17-010 security update.
• For additional ransomware incident response best practices, we encourage you to download and follow this Ransomware Incident Response Plan.
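A host-level check for the patch, SMBv1 and LAPS points in the list above, added here as an example rather than eSentire's own tooling; the MS17-010 KB list and the AdmPwd.PS module name are assumptions to confirm against Microsoft's documentation for the Windows versions you run.

```powershell
# Added example, not eSentire's code: a quick local check for controls the advisory
# recommends against Petya/GoldenEye: the MS17-010 update, SMBv1 exposure and LAPS.
# Run in an elevated PowerShell session on the host being checked.

# MS17-010 shipped under several KB numbers depending on OS version; this list is an
# assumption to verify against the Microsoft bulletin for the versions you run.
$Ms17010Kbs = @(
    'KB4012598',                           # XP / 2003 / Vista / 2008 packages
    'KB4012212', 'KB4012215',              # Windows 7 / 2008 R2 security-only / rollup
    'KB4012213', 'KB4012216',              # Windows 8.1 security-only / rollup
    'KB4012214', 'KB4012217',              # Server 2012 security-only / rollup
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative
)

$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) {
    "MS17-010 package present: $($found.HotFixID -join ', ')"
} else {
    # Later cumulative updates supersede these KBs, so absence is a prompt to confirm
    # the host's cumulative update level, not proof that it is unpatched.
    "No MS17-010 KB found; confirm the host's cumulative update level."
}

# SMBv1 is the protocol ETERNALBLUE abuses (CVE-2017-0144/0145). Disabling it on hosts
# that do not need it removes the exposure regardless of patch state.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue  # Windows 8 / 2012 and later
if ($null -eq $smb) {
    "Get-SmbServerConfiguration unavailable on this OS; check SMBv1 per Microsoft guidance."
} elseif ($smb.EnableSMB1Protocol) {
    "SMBv1 server protocol is ENABLED; disable where not required: Set-SmbServerConfiguration -EnableSMB1Protocol `$false"
} else {
    "SMBv1 server protocol is disabled."
}

# LAPS (second bullet): presence of the AdmPwd.PS module is a quick sign that the LAPS
# tooling has been deployed on this host; it does not prove the GPO is applied.
if (Get-Module -ListAvailable -Name AdmPwd.PS) {
    "LAPS PowerShell module (AdmPwd.PS) is installed."
} else {
    "LAPS module not found on this host."
}
```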