Interview with Scott Manson, Cyber Security Leader for Middle East and Turkey, Cisco
Introduction:
Cisco’s security research organization Talos’ initial analysis of the global ransomware worm attack that has affected multiple organizations worldwide points to the attack starting in the Ukraine, possibly from software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc itself. MeDoc is tax software widely used by organizations in or doing business with Ukraine. There have been other reports of this attack appearing in France, Denmark, Spain, the UK, Russia and the US.
Once this ransomware enters your system, it uses three ways to spread automatically around a network, one of which is the known Eternal Blue vulnerability, similar to how last month’s WannaCry attack unfolded.
What’s clear from this and recent attacks is that organizations must prioritize patching systems to lower their risk profile. We have to patch as quickly as we can. In addition, making back-ups of key data is a fundamental of any security program.
What can you tell us about the attack?
- Today we saw our second ever ransomware worm, coming on the heels of WannaCry last month.
- This ransomware outbreak has affected multiple organisations in several countries today. Cisco’s security research organisation Talos is actively investigating this new malware variant.
- This new ransomware variant encrypts the master boot record (MBR) of a system. Think of the MBR as the table of contents for your hard drive – clearly very important.
- Talos’ initial analysis points to the attack starting in the Ukraine, possibly from software update systems for a Ukrainian tax accounting package called MeDoc.
- This appears to have been confirmed by MeDoc itself. MeDoc is widely used tax software used by many organisations in or doing business with Ukraine. There have been other reports of this attack appearing in France, Denmark, Spain, the UK, Russia and the US.
- Once this ransomware enters your system, it uses three ways to spread automatically around a network, one of which is the known Eternal Blue vulnerability, similar to how last month’s WannaCry attack unfolded.
What is ransomware?
- A type of malware that locks down your computer/system, takes control of/encrypts your data and demands a ransom.
What is bitcoin?
- A cryptocurrency used online.
- Bitcoin is not controlled by any one government or state.
- Because it allows for anonymity, it is ideal for attackers.
Do we know what organisations were impacted?
- Reported victims so far include Ukrainian infrastructure like power companies, airports, public transit, and the central bank, as well as Danish shipping company Maersk, pharmaceutical company Merck, the Russian oil giant Rosneft, and institutions in India, Spain, France, the United Kingdom, and beyond.
How did this attack start?
- Cisco’s security research organization Talos’ initial analysis points to the attack starting in the Ukraine, possibly from software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc itself. MeDoc is widely used tax software used by many organizations in or doing business with Ukraine.
How is it spreading?
- Once this ransomware enters your system, it uses three ways to spread automatically around a network, one of which is the known Eternal Blue vulnerability, similar to how last month’s WannaCry attack unfolded.
How is this different to WannaCry? Is there a ‘killswitch’ for this attack?
- This ransomware doesn't seem to incorporate the errors that hindered WannaCry from spreading. Specifically, this attack doesn't seem to have a kill switch function. It is also harder to detect since it moves within a network. It is not scanning the internet like WannaCry did.
Who is responsible for this attack?
- Attribution is difficult in attacks like this.
- Cisco is focused on understanding the attack and protecting our customers.
What is Cisco’s recommendation for customers to protect against this?
- Ensure your organisation is running an actively supported operating system that receives security updates.
- Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.
- Run anti-malware software on your systems and ensure you regularly receive malware signature updates.
- Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibility that a user may be able to restore their files without paying the ransom.
- If vulnerabilities aren’t patched, an organisation will continue to be at risk of infection by this ransomware.