Thought all the hot takes about what allowed WannaCry to spread so quickly had already been written? Well, last night new malware, leveraging seemingly the same vulnerability, appeared under a new name, Petya, and this time it wants more than a ransom: whether through poor coding or simple malicious intent, it is outright destroying data. So here's our hot take: what allowed this to have the impact it is having was a patch management issue more than anything, and what users should do about it is, first and foremost, patch! Secondly, they should poll their network and make sure they are actually as fully protected as they think they are.
There are some quick WMI commands and PowerShell scripts you can run to check whether you are actually exposed, though getting these to run on all of your endpoints can be time consuming. Alternately (pitch warning: here it comes) you could leverage our rapid, agentless inventory analytics platform, the BlockBox, to quickly assess your exposure and pull reports on all exposed endpoints. If that sounds good, reach out to us on LinkedIn or at info@block64.com to discuss. For our existing customers, more information on this vulnerability and how to make sure you're not exposed follows!
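As an added example of the kind of WMI/PowerShell check mentioned above (this is not Block 64's code, nor part of the BlockBox), the script below reports two signals per host: whether the SMBv1 server protocol is still enabled, and whether one of the MS17-010 hotfixes appears in the installed-update list. The function name Test-Ms17010Exposure and the output file name are this example's own choices. The KB list is the commonly published MS17-010 set; treat it as an assumption to be verified against Microsoft's bulletin for the OS builds in your estate.

```powershell
# Added example (not the vendor's code): per-host MS17-010 exposure check.
# Signals gathered:
#   1. SMBv1 server protocol state (the stronger signal: no SMB1, no EternalBlue surface).
#   2. Presence of an MS17-010 hotfix in Win32_QuickFixEngineering (weaker signal; see note below).
# Remote hosts are queried over WinRM; run as an account with local admin rights on the targets.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Commonly cited MS17-010 KB numbers. ASSUMPTION: verify against Microsoft's bulletin
# for your OS builds; later cumulative updates on Windows 10 supersede these IDs.
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Server 2003 (out-of-band release)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

# Script block executed on the target: reports whether SMB1 is enabled.
$Smb1Check = {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting directly.
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older systems: the LanmanServer SMB1 registry value controls it;
        # when the value is absent SMB1 is enabled by default.
        $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                              -Name SMB1 -ErrorAction SilentlyContinue
        if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }
}

function Test-Ms17010Exposure {
    param([string]$Computer)

    $result = [ordered]@{
        Computer       = $Computer
        Smb1Enabled    = $null
        Ms17010KbFound = $false
        MatchedKb      = $null
        Error          = $null
    }

    try {
        $isLocal = $Computer -in @($env:COMPUTERNAME, 'localhost', '.')

        # Installed hotfixes via WMI/CIM (Win32_QuickFixEngineering).
        $hotfixes = if ($isLocal) {
            Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction Stop
        } else {
            Get-CimInstance -ClassName Win32_QuickFixEngineering -ComputerName $Computer -ErrorAction Stop
        }
        $hit = $hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID } | Select-Object -First 1
        if ($hit) {
            $result.Ms17010KbFound = $true
            $result.MatchedKb      = $hit.HotFixID
        }

        # SMB1 state, run locally or over WinRM.
        $result.Smb1Enabled = if ($isLocal) {
            & $Smb1Check
        } else {
            Invoke-Command -ComputerName $Computer -ScriptBlock $Smb1Check -ErrorAction Stop
        }
    }
    catch {
        # Unreachable or access-denied hosts are reported, not silently dropped.
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

$report = foreach ($c in $ComputerName) { Test-Ms17010Exposure -Computer $c }
$report | Format-Table -AutoSize

# Hosts that still answer SMB1 and show no MS17-010 KB go on the follow-up list.
# Hosts with SMB1 enabled but a KB present are patched against this exploit yet still
# carry the legacy protocol; consider disabling SMB1 on them as well.
$report | Where-Object { $_.Smb1Enabled -and -not $_.Ms17010KbFound } |
    Export-Csv -Path '.\ms17-010-followup.csv' -NoTypeInformation
```

Read the two columns together rather than in isolation: on Windows 10 the original MS17-010 KB is replaced by each later cumulative update, so "no KB found" on a current build usually means "superseded", not "unpatched", which is why the SMB1 state is the column to act on first. A host that errors out (WinRM disabled, firewall, credentials) should be counted as unknown and checked by another route rather than assumed safe.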
By way of a recap - what is WannaCry (and why am I still hearing about it)?
On May 12, 2017, a "ransomware" virus spread to hundreds of thousands of endpoints in approximately 150 countries. This virus is commonly known as WannaCry. It exploits a vulnerability in SMB on Windows machines to access their files and encrypt them. The purpose of ransomware is to force the targeted user to pay in a digital currency in order to get their precious data back. This exploit was patched on May 15, 2017 via Microsoft's MS17-010 update, and the spread was contained by the use of a discovered killswitch. Many companies have suffered from this vulnerability, and many are racing to ensure all of their endpoints are safe.
So what is Petya 2017, and how is it different?
If there's any one thing that's true about IT, it's that things that can be left until later tend to be. Whether it's because the workload is simply too much, or a preference not to RTFM, patches often go unapplied for what ends up being just too darn long. Such is true in this case: unfortunately for the many who have yet to update their vulnerable endpoints, the same SMB exploit was taken advantage of yet again. This piece of malware does not contain a killswitch, which makes it much worse and more costly to the infected endpoint than WannaCry. Initially deemed to be another form of ransomware, it turns out this virus is actually what is known as a "wiper". This type of virus is used to inflict damage on the endpoint's data, leaving it in a state from which it can no longer be recovered. Though it posed as ransomware, victims are quickly learning that they will never get their data back regardless of what they pay.
Am I Safe?
The good news is that we can help you determine how many machines are safe and how many are still vulnerable. We can provide a clean reporting interface for you to keep on top of the latest threats, as well as the ability to quickly export a list of machines requiring updating. If you need help tracking exposure to malware in your infrastructure, contact info@block64.com for information on our discovery and analytics platform.
Our "WannaCry/Petya Exposure" report on the Combine provides a clean and easy to use interface for tracking your progress to safety. Simply click on the "WannaCry/Petya Exposure" report under "Software Reports" to view your exposure.
Good luck and stay safe, and patched, out there!