New Petya cyberattack requires immediate action

Jun 28, 2017

A new wave of Petya ransomware has been affecting a significant number of organisations across a wide range of industries since Tuesday 27 June. Many victims have already been identified in Ukraine, Spain, Netherlands, and the UK.

The attack is reminiscent of the May 2017 WannaCry outbreak. It also had worldwide reach, compromising a similarly broad range of organisations at high speed.

Speaking about the latest attack, PwC Ireland Cyber Leader Pat Moran said: "This ransomware is slightly different, applying a multi-level approach. It encrypts the master boot record of the machine when run as admin, and when run as a normal user it encrypts specific files on the system. It also uses several different methods to ensure that it affects as many machines as possible."

Priority actions – our recommendations

Leonard McAuliffe, Director of PwC Ireland Cyber Centre, said: "Executives should ensure that desktop and server IT operations teams are provided with all the support they need to rapidly deploy Microsoft’s April and May critical security updates, along with March’s MS17-010 security update.
 
"Executives should also understand that IT operations teams, on the recommendation of their security team, may need to cause temporary disruption to some services on IT estates as additional controls are implemented and vulnerable services disabled."

Ensure your IT teams have taken action to, or develop plans to:

  • disable all external SMB access (blocking ports 137, 139 and 445 to / from the internet);
  • disable the use of the SMBv1 network file sharing protocol across the entirety of your IT estate;
  • disable the ability to execute unsigned macros in Office documents, using group policy settings (and sign legitimate macros from your own organisation);
  • ensure two factor authentication is in place for all necessary external access to systems (e.g. VPN and RDP);
  • identify and prevent all systems without the MS17-010 security update from connecting to core corporate networks, and segment guest networks from all ability to access core corporate networks;
  • force an enterprise wide update of antivirus signatures;
  • rapidly isolate any infected systems from your corporate network to limit the spread to other systems.

Strategic Recommendations

Robust business continuity planning and exercising

Ensure that individual user systems and key servers can be restored rapidly from backups, and that the frequency of backups aligns to the timeframe of data your organisation is prepared to lose in the event of any system being rendered unusable.

Crisis and incident response planning and exercising

Ensure that there are formal procedures in which employees and those responsible for the management of high priority incidents are well versed to streamline the organisation’s reaction to ransomware events and its ability to restore service to employees and customers.

Strong security hygiene policies and user awareness

Prevent ransomware entering your IT environment through the most common delivery vector, phishing, by enforcing strong controls at your email gateways and network perimeters, and developing vigilant employees through robust awareness campaigns.

Rigorous patch and vulnerability management

The vulnerabilities exploited in this attack have already been addressed via Microsoft ‘critical’ patches released in March, as well as this week, and a robust vulnerability management programme will help reduce the likelihood of exploitation.

ENDS


 

About PwC
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

©2017 PwC. All rights reserved

Contact us

Pat Moran
Partner
Tel: +353 1 792 5308
Email

Leonard McAuliffe
Director
Tel: +353 1 792 8632
Email

Johanna Dehaene
Corporate Communications
Tel: +353 1 792 6547
Email

Follow PwC Ireland