There is lots of misinformation flying around about the #NotPetya malware, but several important points are becoming clear that matter for protecting your organization.
- There is no credible evidence that #Nyetya has ever spread through email. In this case no user is to blame for falling for a phishing attack or clicking on the wrong thing in an email. That said, practice good email hygiene and do anti-phishing training of your users – the next one is sure to try that route.
- #Nyetya does spread by using the EternalBlue and EternalRomance vectors. There is no excuse for not having applied the MS17-010 patch and for failing to turn off SMBv1 in group policy. Just do it, then go back and fix anything that doing so broke. It’s better than being wiped by the malware.
- #Nyetya does spread inside Active Directory domains by abusing valid administrator credentials on machines it infects and then using standard Windows tools and utilities (psexec and WMIC) to install the wiper/encryption malware on otherwise properly patched systems in the domain.
- There is no hope of recovering your files by paying the ransom. The mechanisms that the malware authors set up to receive payment and distribute recovery keys are totally broken (or were never intended to work in the first place and were just a distraction).
- It seems that the most likely initial infection vector was an infected update from a Ukrainian software vendor called MeDoc combined with a watering-hole attack on some associated web sites. Your domain administrators shouldn’t be doing general Internet browsing or reading their email using their administrative credentials. Obey least privilege rules and policies. Give highly privileged users the tools and equipment to make keeping themselves secure and protected as easy as possible. And then make sure that they comply.
- Network segmentation matters. There is no reason for most end-user systems to be able to talk to one another directly, and what communication they do have must be examined in real time for indicators of compromise. Network monitoring, user behavior analysis and strong endpoint protection, with a SOC watching and reacting in real time and capable of serious threat hunting and directing mitigation, are key to defending against advanced threats. If you aren’t big enough to do it yourself (and almost no one is), outsource it.
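As an added example (not part of the original post), the following Python sketch shows the kind of SOC detection logic that the psexec/WMIC lateral-movement point and the real-time monitoring point above call for: two simple rules run over constructed Windows event records (System log 7045 service installs and Security log 4688 process creations). The record layout, host names and command lines are assumptions made for the example.

```python
import re

# Constructed sample events (not real telemetry): a flattened view of
# Windows System 7045 (service installed) and Security 4688 (process created).
SAMPLE_EVENTS = [
    {"id": 7045, "host": "WS-01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "WS-02",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"WS-03" /user:"CORP\admin" process call create "<placeholder payload path>"'},
    {"id": 4688, "host": "WS-04",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},  # benign local WMIC use
    {"id": 7045, "host": "WS-05", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},  # benign service
]

# psexec installs a helper service named PSEXESVC on the target host.
PSEXEC_SVC = re.compile(r"psexesvc", re.IGNORECASE)
# WMIC used against a remote host to launch a process.
WMIC_REMOTE = re.compile(r"/node:.*\bprocess\s+call\s+create\b", re.IGNORECASE)


def classify(event):
    """Return a rule name if the event matches a lateral-movement pattern, else None."""
    eid = event.get("id")
    if eid == 7045:
        name = event.get("ServiceName", "")
        path = event.get("ImagePath", "")
        if PSEXEC_SVC.search(name) or PSEXEC_SVC.search(path):
            return "psexec_service_install"
    elif eid == 4688:
        # 4688 carries CommandLine only when the audit policy
        # "Include command line in process creation events" is enabled.
        proc = event.get("NewProcessName", "").lower()
        cmd = event.get("CommandLine", "")
        if proc.endswith("\\wmic.exe") and WMIC_REMOTE.search(cmd):
            return "wmic_remote_process_create"
    return None


def detect(events):
    """Run every event through classify() and return (host, rule) hits in order."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((event["host"], rule))
    return hits


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Both patterns also occur in legitimate administration, so in practice the hits are fed to the SOC for triage alongside who authenticated and from where, rather than blocked blindly.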