PETYA : RANSOMWARE, OR SOMETHING WORSE?

If your organization has not yet been hit by Petya, you could be next. Petya was originally identified as ransomware: malware that locks an organization out of its own files and data in order to extort a payment. It now appears to be either a disruptive attack on infrastructure or an attack that installs malware disguised as ransomware. Whatever the final intent, a Petya attack begins as, and is most visible as, ransomware.

Ransomware is now a global epidemic: attacks targeting companies have escalated 300% since January 2016, and an attack occurs every 40 seconds. Check Point’s H2 2016 Global Threat Intelligence Trends report showed that ransomware attacks doubled between July and December 2016.

Here are some of the recent high-profile victims of Petya ransomware:

  • UKRAINE: Banks, airports, government offices and the power grid, including the radiation monitoring system at Chernobyl

  • RUSSIA: Banks, an oil company, a steelmaker and, notably, the state-run Rosneft energy company

  • FRANCE: Saint-Gobain, a construction-materials company

  • UK: WPP, the world's largest advertising company

  • GERMANY: Deutsche Post and the wholesale retailer Metro

  • DENMARK: A.P. Moller-Maersk, a global shipping company

Check Point’s recent ransomware defense survey found that 36% of respondents had been a victim of ransomware, with consequences including system downtime, lost productivity and data loss. Petya and the recent WannaCry outbreak are examples of a new generation of stealthy ransomware variants, purpose-built to evade conventional defenses with new attack techniques. We are also seeing increasing sophistication in ‘file-less’ variants that use built-in administration tools such as PowerShell to evade detection. These advances leave many organizations dangerously exposed to new and emerging types of ransomware.

In this document, we will examine the current, conventional approaches to ransomware prevention and the shortcomings of these traditional methods against new, zero-day variants. Then we will look at a new approach to detecting, blocking and mitigating the impact of even newly minted, unknown ransomware variants, to better protect your organization’s assets and minimize damage and disruption.

Conventional Ransomware Prevention

The risk of a ransomware infection, on its own or alongside other malware, can be reduced by implementing several conventional best practices. These fall into two categories, general good practice and security best practice; these baseline protections are strongly recommended for any organization.

GENERAL GOOD PRACTICE

  • Education: Training users to identify and avoid potential ransomware attacks is crucial. Many current cyber-attacks start with a targeted email that contains no malware at all, only a socially-engineered message that encourages the user to click a malicious link, so user education is often considered one of the most important defenses an organization can deploy.

  • Continuous data backups: Maintaining regular backups as a routine process is essential to avoid losing data and to recover it after corruption or disk hardware failure. Working backups also help organizations recover from ransomware attacks.

  • Patching: Patching is a critical component of ransomware defense. When a vendor publishes a patch, attackers study it to find the vulnerability it fixes and then target systems that have not yet applied it. Organizations should therefore ensure that all systems have the latest patches applied, which reduces the number of vulnerabilities available for an attacker to exploit.

SECURITY BEST PRACTICE

  • Endpoint protections: Conventional signature-based anti-virus is an efficient way to prevent known attacks and should be deployed in every organization, as it stops the majority of the malware an organization faces.

  • Network protections: Advanced protections in the enterprise network such as IPS, network anti-virus and anti-bot are also crucial and efficient in preventing known attacks. Sandboxing goes further: it executes new, unknown files in an instrumented environment, watches for signs of malicious behavior and, if found, blocks the file before it reaches endpoints or spreads to other parts of the organization. Sandboxing is therefore an important prevention mechanism against evasive or zero-day malware and many types of unknown attacks.

Analyzing the Gaps in Traditional Prevention Techniques

Unfortunately, despite the importance of conventional ransomware prevention best practices, implementing all of them still does not guarantee protection. Many organizations that deployed some, or even all, of these practices have fallen victim to ransomware, mainly through coverage gaps such as roaming users, removable media, uninspected SSL connections and the use of encrypted media. Let us look at the shortcomings of each approach in turn to understand why.

  • While education is critical, it has no enforcement capability. Employees are only human: they make mistakes and can be manipulated by fairly simple social engineering, even after training on potentially malicious emails. All it takes is a moment’s inattention from a user, and an attack is triggered.

  • While backups are critical to recovering after a ransomware attack, they can fail at the moment of truth. The backup may not be up to date, and restoring files from the repository can be long and tedious, causing delays and lost productivity while data is restored. Newer ransomware also specifically targets backups, trying to encrypt or delete them to maximize the chance of collecting a ransom; any backup reachable from an infected endpoint (a mapped drive, a permanently connected USB disk, a synced cloud folder) is within reach of the same ransomware, so at least one copy should be offline or otherwise not writable from the endpoint. In addition, backing up central file servers is relatively easy, but backing up every endpoint in the organization is much harder: a great deal of valuable data lives on endpoint machines and may never be copied to a central repository.

  • While regular patching goes a long way toward reducing exposure, new operating system and application vulnerabilities are discovered every day. Vendors release patches and updates to fix them, but users often fail to install those updates in a timely manner. Moreover, once a patch is released, attackers learn of the vulnerability and deliberately go after the systems that have not yet applied it. WannaCry and Petya are a case in point: both spread through an SMB vulnerability that Microsoft had fixed in the MS17-010 update in March 2017, and the machines that fell were the ones still missing it. Organizations should strive to be 100% patched, but in practice there will always be a gap between the release of a patch and its deployment, and that window is the attacker’s chance.

  • For all the protection that signature-based endpoint defenses provide, they are easily bypassed by obfuscated malware and ransomware, and they depend on regular updates. Although they block many basic attacks, AV solutions are bypassed every day by advanced ones.

  • Network-based protections such as sandboxes are a crucial component of an organization’s defenses, but they only help while the user is connected to the network, and they can occasionally be evaded by malware using sophisticated evasion techniques.

With ransomware becoming ever more sophisticated and only requiring a single weakness in an organization’s defenses to take hold of the IT infrastructure, these gaps clearly need to be closed. Ransomware protection needs a new approach to prevent more businesses from suffering the disruption and damage of rapidly proliferating attacks like Petya.

Taking Ransomware and Malware Head-On

Ransomware has a lot in common with other malware: It infiltrates an organization through email attachments, web downloads or removable media, uses social engineering tricks, and leverages vulnerability exploitation tactics to gain a foothold on its target systems.

But ransomware also has unique characteristics. As the SANS Institute pointed out in its 2016 Incident Response survey, ransomware attacks highlight the need for rapid response with minimum delay. With other types of malware, the criminals’ objective is to stay hidden for as long as possible, enabling lateral movement across the target network over days or weeks.

In contrast, the objective of a ransomware attack is to deny users access to their files by encrypting as many of them as possible, as quickly as possible. The faster the ransomware can infect and spread through the target network, the greater the chance that the organization will agree to pay.

So an effective anti-ransomware solution has to be able to detect the earliest possible signs of infection and indicators of compromise, and then block the infection at source (whether on the endpoint or on the corporate network) before it can start to spread.

Check Point’s malware analysis and threat research teams studied thousands of real-world ransomware variants from hundreds of families, all collected in the wild, with a simple goal: to understand their fundamental characteristics, such as deleting shadow copies, preparing and displaying ransom notes, the dynamics of file encryption and more. Building on this understanding, we defined and developed a dedicated solution that tackles ransomware head-on.

Here are the underlying principles of the solution:

  • Implemented on the endpoint: The endpoint, whether desktop, laptop or server, is the first target in a ransomware attack. From a single compromised endpoint, ransomware can spread to network shares, online backups and other resources. As noted earlier, the endpoint is also where much valuable user data resides. So the anti-ransomware solution must protect the endpoint itself, identify the first indicators of compromise there and block the spread of ransomware.

  • Built on behavior analysis: Many new ransomware variants found in the wild have not yet been classified, and no signatures exist for them. These variants bypass signature-based detection and may not even be caught by sandboxing, thanks to anti-sandbox evasion techniques such as virtual machine detection, delayed execution and checks for human interaction. On the endpoint, however, those evasions are not in play: the endpoint is the real target, where the malware must actually run to achieve anything, so its behavior becomes observable. Code suspected of being ransomware should therefore be detected and blocked by tracing its actions at runtime and looking for suspicious behavior.

  • Can remediate attacks: It is never enough merely to detect and raise an alert: ransomware is built for speed and can encrypt thousands of files before an alert is noticed and acted on. The solution should detect the attack at the earliest possible stage, ideally before any file is encrypted, completely remove every element of the infection and remediate its effects.

  • Restores encrypted data: Although behavior analysis can detect ransomware at a very early stage, as more sophisticated attacks appear, detection may take longer. In that time the ransomware may already have encrypted some files on the first machine it infects. The optimal solution should automatically restore any encrypted data and roll the infection back so that the endpoint is in exactly the state it was in before.

  • Connectivity independent: When dealing with ransomware, it is not safe to assume that the endpoint will be connected to the corporate network. The optimal anti-ransomware solution should work even in the very likely event that the endpoint is offline, when it cannot use sandbox inspection and is not receiving updates from a centralized threat intelligence feed.
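The behavioral characteristics listed by the research team (shadow-copy deletion, ransom-note drops, the dynamics of file encryption) and the two principles above of behavior-based blocking and restoring files encrypted before detection can be made concrete with a small simulation. The following is an added example written for this page; it is not Check Point's engine or any part of SandBlast Agent. It replays a constructed stream of process events (command lines and file writes) through a monitor that scores those behaviors, keeps a copy-on-write snapshot of every file a process touches, and on detection blocks the process and restores its victims. The weights, thresholds, regular expressions, file paths, process IDs and sample events are all assumptions chosen for illustration, and the "ciphertext" is a SHA-256 counter stream standing in for encrypted content.

```python
"""Toy behavioral ransomware detector with copy-on-write rollback. Added example, not
Check Point's engine; every weight, threshold, pattern and sample event is an assumption."""
import hashlib
import math
import re
from collections import Counter, deque
from dataclasses import dataclass, field

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)
RANSOM_NOTE = re.compile(r"(readme|decrypt|restore|how_to)[^/\\]*\.(txt|html|hta)$", re.I)
ENTROPY_THRESHOLD = 7.5         # bits/byte: ciphertext sits near 8.0, office documents near 4-5
BURST_WINDOW, BURST_MIN = 8, 4  # 4 high-entropy writes among a process's last 8 = encryption burst
ALERT_SCORE = 60                # block and roll back a process once its score reaches this
WEIGHTS = {"shadow_delete": 50, "ransom_note": 30, "high_entropy_write": 5, "encrypt_burst": 40}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

@dataclass
class Event:
    pid: int
    kind: str          # "exec" (a command line) or "write" (file content)
    target: str        # the command line, or the file path
    data: bytes = b""  # new content for writes

@dataclass
class Monitor:
    disk: dict                                        # path -> bytes, the simulated filesystem
    scores: Counter = field(default_factory=Counter)  # pid -> suspicion score
    recent: dict = field(default_factory=dict)        # pid -> deque of "write was high entropy" flags
    snapshots: dict = field(default_factory=dict)     # (pid, path) -> content before that pid's first write
    blocked: set = field(default_factory=set)

    def handle(self, ev: Event) -> bool:
        """Apply one event; return True if the process is (now) blocked."""
        if ev.pid in self.blocked:
            return True  # quarantined: its further activity is dropped
        if ev.kind == "exec" and SHADOW_DELETE.search(ev.target):
            self.scores[ev.pid] += WEIGHTS["shadow_delete"]
        elif ev.kind == "write":
            # Copy-on-write snapshot: remember the pre-write content once per (pid, path).
            self.snapshots.setdefault((ev.pid, ev.target), self.disk.get(ev.target))
            self.disk[ev.target] = ev.data
            if RANSOM_NOTE.search(ev.target):
                self.scores[ev.pid] += WEIGHTS["ransom_note"]
            window = self.recent.setdefault(ev.pid, deque(maxlen=BURST_WINDOW))
            high = shannon_entropy(ev.data) >= ENTROPY_THRESHOLD
            window.append(high)
            if high:
                self.scores[ev.pid] += WEIGHTS["high_entropy_write"]
                if sum(window) == BURST_MIN:  # fires as the burst threshold is crossed
                    self.scores[ev.pid] += WEIGHTS["encrypt_burst"]
        if self.scores[ev.pid] >= ALERT_SCORE:
            self._quarantine(ev.pid)
            return True
        return False

    def _quarantine(self, pid: int) -> None:
        """Block the process and restore every file it wrote from its snapshot."""
        self.blocked.add(pid)
        for (p, path), original in self.snapshots.items():
            if p == pid:
                if original is None:
                    self.disk.pop(path, None)  # did not exist before the attack, e.g. the ransom note
                else:
                    self.disk[path] = original

def ciphertext(seed: bytes, n: int = 4096) -> bytes:
    """Constructed stand-in for encrypted content: a SHA-256 counter stream."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

PLAINTEXT = b"Quarterly report: revenue up 4 percent, costs flat.\r\n" * 60
DOCS = ["docs/notes.txt", "docs/q1.docx", "docs/q2.docx"] + [f"share/{c}.xlsx" for c in "abcd"]

def sample_events() -> list:
    """Constructed event stream: a benign editor (pid 100) and two ransomware samples."""
    return [
        Event(100, "write", "docs/notes.txt", PLAINTEXT + b"edited"),
        Event(200, "exec", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
        Event(200, "write", "docs/q1.docx", ciphertext(b"q1")),
        Event(200, "write", "docs/q2.docx", ciphertext(b"q2")),  # score reaches 60: blocked, rolled back
        Event(300, "write", "share/HOW_TO_RESTORE.html", b"<html>pay</html>"),  # pid 300 skips vssadmin
        Event(300, "write", "share/a.xlsx", ciphertext(b"a")),
        Event(300, "write", "share/b.xlsx", ciphertext(b"b")),
        Event(300, "write", "share/c.xlsx", ciphertext(b"c")),
        Event(300, "write", "share/d.xlsx", ciphertext(b"d")),  # fourth high-entropy write: burst, blocked
        Event(100, "write", "docs/notes.txt", PLAINTEXT + b"edited twice"),
    ]

def run_demo() -> Monitor:
    """Replay the sample stream against a disk where every file starts as PLAINTEXT."""
    mon = Monitor(disk={path: PLAINTEXT for path in DOCS})
    for ev in sample_events():
        mon.handle(ev)
    return mon
```

Two things the simulation makes visible that the prose does not. First, no single indicator is conclusive on its own (a backup agent may legitimately prune shadow copies, and a compression tool writes high-entropy data), so the scores combine: the first sample is blocked after shadow deletion plus two encrypted writes, the second only after its fourth encrypted write, and those already-encrypted files are exactly what the snapshot rollback exists for. Second, snapshots must be keyed on the writing process, so that the benign editor's later save survives while the ransomware's writes are undone and its ransom note is removed. A real agent would take these snapshots in a kernel filter driver and protect them from tampering, as the FAQ at the end of this paper notes.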

How Check Point Anti-Ransomware Works

SandBlast Anti-Ransomware protects organizations against all types of ransomware attacks, not only blocking infections at the first contact, but also quickly remediating their actions.

The Anti-Ransomware technology utilizes an advanced security engine and algorithms to automatically detect, block and remove the most sophisticated and evasive ransomware infections. By using predictive behavior-based technologies which do not rely on signature updates, Anti-Ransomware is able to identify and remediate zero-day ransomware, and to restore any data or files encrypted during an attack almost immediately, minimizing business disruption.

Anti-Ransomware utilizes a multi-layered architecture to provide a comprehensive solution in the fight against ransomware:

(The architecture diagram that followed here in the original document is not reproduced.)

Anti-Ransomware Effectiveness

Using cutting-edge research and dedicated advanced technology is obviously a must in order to combat modern sophisticated ransomware. But how effective is the final product? Answering this question requires constant and rigorous testing with an ongoing stream of current real world ransomware samples.

Anti-Ransomware technology is being rigorously tested in Check Point daily against a continually-updated, extensive range of fresh, real-world ransomware samples found in the wild.

We have devised the following methodology to continuously validate the effectiveness of our anti-ransomware solution. Each day, a set of new ransomware samples is gathered from the Internet and executed in our research laboratory on a virtualized endpoint that imitates a typical end-user’s physical PC. The only security technology installed and active on this endpoint is Check Point’s Anti-Ransomware; all other endpoint and network protections (firewall, IPS, anti-virus, anti-bot, threat emulation and so on) are disabled. We monitor each sample’s execution to see whether Anti-Ransomware detects the infection and quarantines it before it can start encrypting files. If the sample is an advanced variant that manages to begin encrypting before it is identified and blocked, we check that the solution successfully restores the encrypted files to their original state.

Using this process, we test an average of 250 ransomware samples a day. In the six months since testing began, the catch rate has exceeded 99%, and it improves as the behavioral detection engine is tuned based on the results. The false positive rate we observe is negligible, both compared with the impact of an undetected ransomware attack and in terms of its effect on everyday operation. In real-world deployments, where the protections disabled for this test would be active, the catch rate will be higher still, as close to full protection as one can get.

Summary

Ransomware like Petya is evolving into increasingly dangerous forms that are a major threat to businesses around the world. Failing to counter ransomware effectively can cause significant losses and major disruption. Implementing conventional best practices and anti-malware protections defends against some well-known, older variants, but given the sophistication and ongoing evolution of modern ransomware, these are not enough on their own to identify and block new, zero-day attacks.

Check Point’s Anti-Ransomware technology uses a purpose-built engine that defends against the most sophisticated, evasive zero-day variants of ransomware and safely recovers encrypted data, ensuring business continuity and productivity. The effectiveness of this technology is verified every day by our research team and consistently shows excellent results in identifying and mitigating attacks.

SandBlast Agent, Check Point’s leading endpoint prevention and response product, includes Anti-Ransomware technology and provides protection to web browsers and endpoints, leveraging Check Point’s industry-leading network protections. SandBlast Agent delivers complete, real-time threat prevention and remediation across all malware threat vectors, enabling employees to work safely no matter where they are, without compromising on productivity.

To learn more about threat prevention and how Check Point Anti-Ransomware, SandBlast Zero-Day Protection and SandBlast Agent can help protect your company against ransomware, please visit our website at www.checkpoint.com/sandblast.

Frequently Asked Questions on Anti-Ransomware

Our AV has successfully stopped ransomware previously, why do I need Anti-Ransomware?

Traditional AV can be effective at detecting known ransomware. However, ransomware is constantly evolving, mutating and incorporating new evasion tricks, and many attacks evade AV detection, as is evident from the numerous infections suffered by businesses globally, virtually all of which run conventional AV. Moreover, signature-less, behavior-based Anti-Ransomware can automatically recover encrypted files on infected endpoints, even when those machines are offline.

If I use Anti-Ransomware, do I still need my endpoint AV?

We recommend endpoint AV on all endpoints. It remains an important part of a multi-layered approach to security and an effective means of stopping the basic malware attacks that are still very prevalent. SandBlast Agent can be deployed alongside any third-party AV solution, or as a single unified product with Check Point Anti-Malware or with Check Point’s full endpoint suite, giving an integrated solution with a single agent and single management.

How much storage is required for Anti-Ransomware’s file snapshots?

We recommend allocating 1GB of storage for file snapshots. The storage capacity can be custom-configured by the customer.

Do I still need my conventional backups if I use the Anti-Ransomware feature?

Yes. Anti-Ransomware focuses only on recovering data and files that have been encrypted by ransomware in the first stages of infection, not on general purpose backup. In order to ensure data recovery in the event of other situations, such as disk failure, a conventional backup is always highly recommended.

How are file snapshots protected?

File snapshots are protected by the SandBlast Agent self-protection kernel driver, which blocks any attempt to access the snapshot data by a process that is not a Check Point-signed component of SandBlast Agent.

What is an IT organization required to do when Anti-Ransomware detects an event?

An IT organization is usually not required to be involved when Anti-Ransomware handles an incident. Anti-Ransomware automatically recovers the files affected by the attack and keeps the user notified at every step. A self-service interactive process lets users review and restore files themselves.
