First of all, I find it interesting that they chose the name “CyWatch” for their effort. My company is called “CyVision”. The distinction is that they are responding to incidents after the fact, basically “watching” what has already happened, while we are proactively preventing incidents from happening in the first place. But don’t get me started on the FBI.
In any case, this particular effort is a good one, because it helps them at least coordinate a response and hopefully prevent the spread to more people and, most importantly, to our critical infrastructure. So if you can help with this, please do. As always, it’s better to prevent this stuff from happening in the first place, so I want to remind you that the National Institute of Science and Technology (NIST), which is THE government authority on cybersecurity and whose frameworks and directives are mandated for use by the Federal Government, including the FBI, granted CyVision an exclusive license to our Cauldron™ technology for determining network safety against unknown attacks (zero-day attacks like Petya, WannaCry and EternalBlue) over a year ago, in March 2016, before all of this happened. It’s always better to be more than one step ahead of the FBI. Over a year is pretty good.
Okay, it’s not news anymore that the new ransomware “Petya” employs the same EternalBlue exploit used by the WannaCry ransomware. EternalBlue was the NSA hacking tool leaked by an NSA insider to Wikileaks in April by the “Shadow Brokers” (the NSA is another story in the Alphabet Soup theatrics). Petya spreads rapidly to additional connected systems, which in a worst-case scenario can affect the community at large.
Hopefully, everyone has already applied the Microsoft patch for the MS17-010 SMB vulnerability, which was published on March 14, 2017. If you were diligent about that, no worries from this ransomware variant. Incidentally, this Petya ransomware was first discovered in 2016 and operated differently from previously known ransomware variants by overwriting the Master Boot Record (MBR), not just your files. That effectively turned your computer into a brick until you could rewrite the MBR from a clone or an original install. In any case it’s a huge hassle, a lot of data will still be lost, and the effect on you or your business is generally devastating.
The FBI is taking this very seriously with Alert Number MI-000082-MW: “WE NEED YOUR HELP!”
If you find any indicators of ransomware, in particular the new Petya variant, on your networks, or have related information, please contact FBI CyWatch immediately:
Email: [email protected]
When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.
Note: By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.
I’m publishing the following, which I have posted here on TLS and elsewhere many times, to help everyone out. The truth is, you can only help yourself with this stuff by being proactive and not waiting for the storm to hit. It will. Be prepared. I have to say, if you have radar like CyVision in the first place, you won’t need a government-issued pair of glasses from the FBI like CyWatch. Again, that’s all up to you. You can prevent what could, and most likely will, happen, instead of wondering, “What just happened?”
Recommended Steps for Prevention:
Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should only use them when necessary.
Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
Disable macro scripts from Microsoft Office files transmitted via e-mail. Use Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering schemes.
Have regular penetration tests run against the network no less than once a year and, ideally, as often as possible/practical. (Automate it with CyVision!)
Test your backups to ensure they work correctly upon use. This is huge. Do you know for sure that you can restore your systems?
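The first prevention step above, the MS17-010 patch, is the one worth verifying on every Windows host rather than assuming. What follows is an added example, not code from the original post or from CyVision: a PowerShell audit that looks for the hotfixes Microsoft shipped for MS17-010 and reports whether the SMBv1 server protocol is still enabled, with an optional switch to turn it off. It assumes an elevated Windows PowerShell 5.1 session; the KB numbers are Microsoft's published MS17-010 update IDs and are not listed on this page.

```powershell
# Added example, not from the original post: audit a Windows host for the
# MS17-010 / SMBv1 exposure that Petya and WannaCry abuse, optionally turning
# SMBv1 off. Assumes an elevated Windows PowerShell 5.1 session.
param(
    [switch]$Remediate   # pass -Remediate to disable SMBv1 after the audit
)

# KB numbers Microsoft shipped for MS17-010 (security-only and monthly rollups).
# Later cumulative updates supersede them without appearing under these IDs in
# Get-HotFix, so "not found" means "verify further", not "unpatched".
$Ms17010Kbs = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
              'KB4012217','KB4012606','KB4013198','KB4013429'

function Test-Ms17010Hotfix {
    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($found) {
        Write-Host "MS17-010 hotfix present: $($found.HotFixID -join ', ')"
        return $true
    }
    Write-Warning 'No original MS17-010 KB listed; confirm a later cumulative update is installed.'
    return $false
}

function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8.1 / Server 2012 R2 and later expose the setting directly.
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the LanmanServer SMB1 value controls it;
    # when the value is absent SMBv1 is on by default.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    return ($null -eq $p.SMB1 -or $p.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

$null = Test-Ms17010Hotfix
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 server protocol is ENABLED: this is the EternalBlue attack surface.'
    if ($Remediate) { Disable-Smb1; Write-Host 'SMBv1 disabled (registry change needs a restart on older systems).' }
} else {
    Write-Host 'SMBv1 server protocol is disabled.'
}
```

Run it as `.\Check-Ms17010.ps1` to audit only, or `.\Check-Ms17010.ps1 -Remediate` to also disable SMBv1; a host with a recent cumulative update will still warn on the KB check, so treat that warning as a cue to check Windows Update history rather than as a failure.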
Recommended Steps for Remediation:
Call in a reputable expert as soon as possible to assess and remediate vulnerabilities.
Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs. Field office contacts can be identified at www.fbi.gov/contact-us/field.
Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.
Defending Against Ransomware Generally:
Ensure anti-virus software is up to date.
Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
Only download software, especially free software, from sites you know and trust. BTW, even Google Play Store apps can be, have been, and likely still are contaminated.
Enable automated patches for your operating system and Web browser.
CyVision Technologies, Inc