The "Goldeneye" or "Petya" ransomware attack is spreading across Europe and the United States and exploits the same vulnerability as WannaCry (the recommendations we made in the initial SE Alert still apply).
What’s different about this attack is that it has a second method of infecting networks. This method attacks networks via a compromised Microsoft Office or PDF attachment. Here are some good practices to follow when dealing with an attack such as this:
- Do not open emails from unknown or unexpected senders.
- Do not open attachments or click on links in emails you were not expecting.
- Do not click the “Enable Content” button when you open a Microsoft Office document unless you are familiar with the document and trust the source.
Additionally, it’s been reported that paying the ransom will not decrypt your files should you get infected. The attacker(s) used an email address to confirm payment, and the German ISP hosting that address has shut down the account.
If you still have Windows XP or Server 2003 running within your network, you will be at a higher risk of infection. Systems Engineering no longer supports these operating systems; where they must remain in service for legacy applications, we recommend you segment them off your primary network to the fullest extent possible.
Should additional information come out about this attack, we will post an update here.
Update Thursday, July 29, 2017:
More information is now available about how this attack was carried out. Articles in The Verge and The Guardian now point to a tax software company in Ukraine as ground zero. It now appears that the ransomware was just a distraction to throw off investigators; the real targets were Ukraine and the large corporations operating within it.
The attack began by compromising the software update server at the tax software company; the malware was then pushed to all of their customers through that update channel. The malware then spread across those networks and started to send the spam carrying the ransomware. Researchers now believe this was an attack using weaponized malware by a nation state.
This is a fascinating story to follow, but it does not let anyone off the hook. Even though Ukraine and large corporations were the targets of this attack, it continues to show the utility bad actors find in ransomware, whether for financial gain or widespread disruption. So we all need to be as vigilant as ever in securing our networks and developing good security habits.
If you have questions, please call 888.624.6737 or email firstname.lastname@example.org. If you are a current client, contact your Account Manager.