Fordway Blog

The Petya/NotPetya ransomware attack

[fa icon="calendar"] Jul 6, 2017 9:58:33 AM / by James Mason

With last week’s Petya/NotPetya malware coming so soon after the Wannacry infection which affected more than 230,000 computers in over 150 countries, every organisation needs to assess their ability to cope with ransomware. That means considering a range of factors, from your patching regime to your back-up and disaster recovery provision. It only takes one user to accidentally click on an infected attachment and you could find yourself testing your DR plan!

Here’s how the Fordway security team swung into action to support our customers when Petya/NotPetya began its attack:

Step one: ensure you’ve implemented relevant patches and security controls to mitigate the risk of infection. We’d already applied March’s MS17-010 patch for our customers against the EternalBlue vulnerability, one of the major routes of infection. We had already disabled the SMB v1 file sharing protocol in Fordway’s managed cloud infrastructure. To mitigate the risk of another attack vector exploiting it in the future, it is recommended that SMB v1 is disabled. Customers using our Security Consultancy service had already received custom advice as part of our routine incident response procedure on how to implement this in their infrastructure. When these attacks happen, there’s always media hype and speculation, so it’s important to know who to trust. Our team provided holistic, contextual advice on what to do and in what order to reduce wasted time and minimise risk to our customers

Step two: detection and response. Petya/NotPetya starts to read memory to find credentials to send back to the creator, which could potentially allow them to mount other attacks. We advised all our customers to run an AV scan; look at anything added to scheduled tasks; and look for any files that appeared suspicious or unusual. For customers of our Security Monitoring as a Service, we help them detect the source of the infection and remove it from the network. For users of our back-up and recovery as a service (BRaaS), the backups themselves will detect if a large amount of data has changed since the last backup - an indication that data may have been compromised - so we can investigate and respond accordingly. In this case our existing incident response sevice

It’s also helpful to remind your users that if they think they have clicked on a suspicious email or link, they should notify IT immediately. You can then remove them from the network while you investigate whether they have released the ransomware.

What if you’ve been infected? We reminded all our customers to tell us as soon as they suspected a problem so we could preserve the recovery points. Our BRaaS ensures quick and efficient recovery with minimal loss so services are up and running again quickly, in accordance with each user’s SLA. We take two-hourly snapshots so if customers catch the infection quickly they lose less than two hours of work. If a customer has been affected, we then freeze a number of snapshots to ensure they are not removed once the ransomware issue has been resolved.

The final step: carry out a risk assessment to learn lessons and help mitigate future attacks. As part of Fordway’s Security Management as a Service, our security team captures information from around the world so we can give customers the best possible advice on how to prevent, detect and respond to events in the future. For customers using Fordway as their virtual Information Security Manager or CISO, we also aligned with their risk register to provide recommendations to the board providing analysis of technical resource needed and the implications for end users.

It’s worth checking what facilities your cloud provider includes as part of their basic service. All Fordway’s cloud services (IaaS, DaaS and PaaS) include elements of our BRaaS and DRaaS such as snapshots and backup when we on-board new customers. Patch management and security monitoring are also included as part of these services. Fordway fully align and are certified to ISO27001, which is fully adhered to across Fordway and its approach to customers.

Find out more about Fordway Managed Cloud Services.

Topics: Security, managed cloud, Ransomware, Incident Response, Fordway Managed Services