A Pen Tester’s Perspective on Petya Ransomware

There’s no shortage of analysis on the Petya ransomware strain that struck organizations across the globe in the past month. You can find blog posts and articles covering practically every angle – from the machine language nuances of the code, to the length of the encryption key, to the possible nationality of the code writer. While this information is interesting, it’s not all that helpful in preventing this ransomware from spreading.

As a pen tester, one aspect I haven’t seen discussed as much is what traits of the Petya ransomware strain make it so attractive for threat actors, and based on that, what best practices you can apply in your environment now to stay ahead of attacks.

Petya Ransomware Traits

The Petya ransomware used the same EternalBlue SMB exploit as the WannaCry attack one month earlier. However, there is a difference in how the Petya ransomware spread. According to initial reports, threat actors compromised a cloud-based file sharing application and used an application update feature to post a malicious update to MeDoc applications worldwide. Once these threat actors gained a foothold, they spread laterally through Windows Management Instrumentation (WMI) and PSExec. To put it more simply, Petya highlighted problems with the cyber supply chain. Petya underscores the level of inherent trust we give third-party services that allow us to easily share files across devices, but that also create potential vulnerabilities in our networks.

Based on these traits of Petya, here are five cyber security practices you should implement immediately to prevent its spread and minimize the impact of a future attack.

Use Approved Software Applications

BYOD policies can be win-win for companies and employees if they are set up correctly. Cellphones and tablets are commonly associated with BYOD policies, but laptops can sometimes slip through the cracks of BYOD administration. Employee-owned laptops can present additional risk if users aren’t educated on how to manage their business data appropriately. In the case of the Petya attack, a file-sharing application was installed on employee-owned laptops. Here’s a general rule of thumb: if employees are storing mission-critical information on their laptops, the organization should own and manage the device, or, if the devices are employee owned, put safeguards and monitoring in place to make sure employees are compliant with data protection policies.

Audit and Limit VPN Connections

Like other forms of ransomware, Petya needs to spread through systems to infect the entire network. Every VPN connection you allow extends your network and becomes a potential perimeter target. When a threat actor gains a foothold on a remote, VPN-connected system, it provides access into your network. By auditing VPN connections, you can approve workers on a case-by-case basis for VPN connectivity, and regularly verify that only approved workers use the VPN. Part of the approval process should be user training that focuses on informing employees what a VPN does and why they need to be vigilant in their actions while on the VPN.

Audit User and Group Permissions

As a pen tester, I am often asked how to stop lateral movement. For lateral movement to succeed, attackers require a level of permissions that will permit access on a remote system. Combating lateral movement is possible. Organizations should start by understanding all the group accounts that exist and what they grant access to. In addition, you need to identify any users that have privileged access. Preventing lateral movement by locking down account privileges means the difference between a handful of machines compromised versus an entire domain compromise.
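As an added example (not code from the original post), the audit described above can be started with a short PowerShell script that flattens the built-in privileged Active Directory groups, flags privileged accounts that look stale, and lists who holds local Administrator rights on a set of hosts, since local admin on many machines is exactly what WMI- and PSExec-style lateral movement depends on. It assumes the ActiveDirectory module (RSAT) is installed, the caller can read the domain, and WinRM is enabled on the hosts queried; the group list is an assumed starting point to extend for your domain.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        # Assumed starting list; add groups that are privileged in your domain.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators')
    )
    foreach ($g in $Groups) {
        # -Recursive flattens nested groups so indirect members are not missed.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Group       = $g
                    Member      = $_.SamAccountName
                    ObjectClass = $_.objectClass
                }
            }
    }
}

function Get-StalePrivilegedUsers {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # adminCount=1 marks accounts that are (or once were) in protected groups.
    Get-ADUser -Filter 'adminCount -eq 1' -Properties LastLogonDate, Enabled |
        Where-Object { $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) } |
        Select-Object SamAccountName, LastLogonDate
}

function Get-LocalAdminReport {
    param([string[]]$ComputerName)
    # Who holds local admin on each host (requires WinRM on the targets).
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{n='Computer'; e={ $env:COMPUTERNAME }}, Name, PrincipalSource
    }
}

Get-PrivilegedGroupReport | Sort-Object Group, Member | Format-Table -AutoSize
Get-StalePrivilegedUsers | Format-Table -AutoSize
# Example: Get-LocalAdminReport -ComputerName 'WS01', 'WS02'   (assumed host names)
```

Review the output for accounts that appear in several privileged groups or hold local admin across many workstations; those are the accounts whose compromise turns a single infected host into a domain-wide one.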

Implement Network Segmentation

Often, we conduct penetration tests on networks that are flat, and while a flat network does not by itself give us a direct attack surface, it does give us an unobstructed view across the whole network. Certainly, a flat network makes the attacker’s job easier – the Petya ransomware incident illustrates this. Petya could only spread to hosts it could see on the network. The ransomware will spread faster across flat networks, while its effects can be more isolated and contained in segmented networks.
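Segmentation does not have to wait for a network redesign; host-based firewalls can enforce part of it today. The following added example (not code from the original post) uses Windows Defender Firewall cmdlets to stop workstations from accepting the two inbound services Petya's lateral movement relied on, SMB (TCP 445, used by PSExec) and the RPC endpoint mapper (TCP 135, used by WMI/DCOM), from anything other than a management subnet. It assumes the profile default inbound action is Block (the Windows default) and that 10.10.10.0/24 is a placeholder for your real admin or jump-host subnet.

```powershell
# Added example, not from the original post. 10.10.10.0/24 is an assumed placeholder.
function Test-InboundDefaultIsBlock {
    # The allow-only design below depends on the default inbound action being Block.
    Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } |
        ForEach-Object { Write-Warning "Profile $($_.Name) does not block inbound by default" }
}

function Set-LateralMovementPortRestriction {
    param(
        [string[]]$ManagementSubnet = @('10.10.10.0/24'),   # assumed placeholder subnet
        [string[]]$Profiles = @('Domain', 'Private', 'Public')
    )
    # Weak setting: the built-in rule groups accept SMB and WMI from any address.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Set-NetFirewallRule -Enabled False
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
        Set-NetFirewallRule -Enabled False

    # Hardened setting: allow the same ports only from the management subnet.
    # Everything else is dropped by the profile's default inbound Block action.
    foreach ($port in 445, 135) {
        New-NetFirewallRule -DisplayName "Allow TCP $port from management subnet only" `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -RemoteAddress $ManagementSubnet -Profile $Profiles -Action Allow | Out-Null
    }
}

Test-InboundDefaultIsBlock
Set-LateralMovementPortRestriction
```

Roll this out through Group Policy rather than host by host, and keep a test group first: file servers and management hosts that legitimately need inbound SMB or WMI from other subnets will need their own, narrower allow rules.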

Train Your End Users

Effectively training your workforce is a must. End users are typically the first ones to be impacted in a ransomware attack, usually through phishing emails with malicious links or prompts that execute the ransomware code.

Not all end-user training is created equal. Effective user training uses real phishing emails users have received, and teaches other users the elements of how to detect a phishing email. Poor grammar or word choice is not necessarily an indication of phishing anymore, and attacks have gotten much more targeted. It’s particularly important to be sure that the C-suite is included in training, as there are many cases in which they were the first to be targeted in ransomware attacks.

Summary

It’s important to remember that ransomware does not have a mind of its own nor does it create vulnerabilities on systems. Ransomware requires certain conditions that it can leverage to become a living, breathing threat to your entire network. Removing those conditions will go a long way toward protecting your organization from ransomware.

To learn more about our penetration testing capabilities and findings, check out our new eGuide, “Hacker Secrets Revealed: Five Lessons Learned From Security Assessments.”