While the cyber security community is still working to understand the latest ExPetr ransomware attack that has reportedly hit 60 countries, there are key lessons to be learned – these can be seen as:
- Having the latest versions of software and ensuring they are patched up to date will go a long way towards reducing organisations’ vulnerability to cyber-attack.
- An appropriate and well-tested backup and recovery plan for critical systems and data will go a long way towards mitigating the effects of ransomware and other malware attacks, regardless of the malware’s particular characteristics.
- Malware is increasingly using legitimate tools for malicious activity to go undetected.
  - In the case of ExPetr, two common Windows administrative tools, Windows Management Instrumentation Command-line (WMIC) and PsExec, were used.
  - According to risk management firm Kroll, while the use of these and other “non-malicious” tools by intruders to quietly move within networks is not new, their use in such a widespread and automated attack is novel.
  - This knowledge underscores the value of implementing modern threat detection and response systems and using trained staff or trusted external partners to identify and contain this type of attack, Kroll said in its latest advice to customers.
- Attackers are hijacking software update mechanisms to spread malware, and are likely to use this technique increasingly in future.
  - Microsoft has confirmed that in some cases ExPetr hijacked the auto-update facility of the M.E.Doc tax accounting software that is widely used in Ukraine, which is why the country was particularly hard hit.
  - In the light of this fact, organisations should recognise the very real risk posed by third parties, such as software suppliers and service providers.
  - At a minimum, Kroll advises organisations to review all supplier risk management processes and institute controls that mitigate potential vulnerabilities.
  - In October 2016, Forcepoint Security Labs warned of rogue software updates being delivered by automated software update mechanisms in its Freeman Report, which documented the dangers of a rogue software update to a legitimate code analysis tool.
  - Forcepoint recommends that organisations vet third parties who deliver software updates into their environment and that they seek to understand what unsupported or so-called abandoned software (abandonware) may still be running and accepting updates.
- However, multiple PDF and Word attachment samples have been collected, which highlights the likelihood of malware using multiple propagation techniques and the importance of organisations ensuring they have systems in place to detect malicious email attachments.
- Malware is abusing security tools to discover usernames and passwords, which means organisations should ensure they have appropriate systems and procedures in place to prevent credential abuse.
  - ExPetr uses the publicly available Mimikatz tool to obtain the credentials of all Windows users in plaintext, including local administrators and domain users, and uses them to spread itself across local networks.
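The detection lesson above (legitimate administrative tools such as WMIC and PsExec used for lateral movement, and a credential-dumping tool reading secrets from Windows) can be turned into concrete endpoint telemetry rules. The following Go program is an added example written for this article, not code from Kroll, Forcepoint, Microsoft or any product. It runs three rules over a few constructed telemetry records: WMIC started with `/node:` and `process call create` (remote process creation), installation of a service named `PSEXESVC` (the default service name PsExec installs on the target), and a process other than an expected system binary opening `lsass.exe` (where Windows keeps the credentials Mimikatz extracts). The JSON field names, the host names and the allowlist of expected LSASS clients are this example's own assumptions; the event IDs follow the usual Sysmon (1 = process create, 10 = process access) and Windows System log (7045 = service installed) numbering.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is a simplified telemetry record. The field names are this example's
// assumption; a real pipeline would map its own schema onto them.
type Event struct {
	EventID     int    `json:"event_id"`
	Host        string `json:"host"`
	Image       string `json:"image,omitempty"`
	CommandLine string `json:"command_line,omitempty"`
	TargetImage string `json:"target_image,omitempty"`
	ServiceName string `json:"service_name,omitempty"`
}

// Finding is one rule hit, in the order the events were read.
type Finding struct {
	Host   string
	Rule   string
	Detail string
}

// constructedLog is sample telemetry written for this example; none of it is
// real data. Lines 1-3 should fire, lines 4-5 are benign administrative noise.
const constructedLog = `
{"event_id":1,"host":"ws01","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","command_line":"wmic /node:\"10.0.0.7\" process call create \"rundll32 C:\\Windows\\Temp\\example_payload.dll,#1\""}
{"event_id":7045,"host":"ws02","service_name":"PSEXESVC"}
{"event_id":10,"host":"ws01","image":"C:\\Windows\\Temp\\dllhost.exe","target_image":"C:\\Windows\\System32\\lsass.exe"}
{"event_id":1,"host":"ws03","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","command_line":"wmic os get caption"}
{"event_id":10,"host":"ws03","image":"C:\\Windows\\System32\\svchost.exe","target_image":"C:\\Windows\\System32\\lsass.exe"}
`

// expectedLsassClients lists system images that routinely open LSASS; anything
// else touching it is worth an analyst's attention. Constructed for the example.
var expectedLsassClients = map[string]bool{
	"c:\\windows\\system32\\svchost.exe":   true,
	"c:\\windows\\system32\\csrss.exe":     true,
	"c:\\windows\\system32\\wininit.exe":   true,
	"c:\\windows\\system32\\msmpeng.exe":   true,
}

// Detect parses one JSON event per line and applies the three rules.
func Detect(logText string) ([]Finding, error) {
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("malformed event %q: %w", line, err)
		}
		image := strings.ToLower(ev.Image)
		cmd := strings.ToLower(ev.CommandLine)
		switch {
		// WMIC asked to create a process on another host: remote execution.
		case ev.EventID == 1 && strings.HasSuffix(image, "wmic.exe") &&
			strings.Contains(cmd, "/node:") && strings.Contains(cmd, "process call create"):
			findings = append(findings, Finding{ev.Host, "wmic-remote-process-create", ev.CommandLine})
		// Service install with PsExec's default service name on the target.
		case ev.EventID == 7045 && strings.EqualFold(ev.ServiceName, "PSEXESVC"):
			findings = append(findings, Finding{ev.Host, "psexec-service-installed", ev.ServiceName})
		// An unexpected process opening LSASS, the pattern behind credential dumping.
		case ev.EventID == 10 && strings.HasSuffix(strings.ToLower(ev.TargetImage), "lsass.exe") &&
			!expectedLsassClients[image]:
			findings = append(findings, Finding{ev.Host, "unexpected-lsass-access", ev.Image})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Detect(constructedLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-5s %-28s %s\n", f.Host, f.Rule, f.Detail)
	}
}
```

Each rule alone is noisy in a large estate; the point of the example is that the three signals together (remote WMIC execution, a PsExec service appearing, and LSASS being read by something unusual) on neighbouring hosts within minutes describe exactly the automated spread the article warns about, and all three come from telemetry that standard Windows and Sysmon logging already emit.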
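The supply-chain lesson above (a hijacked auto-update facility delivering malware to every client that trusts it) has a well-understood client-side control: accept an update only when its manifest is signed by a vendor key pinned in the client at install time, and only when the payload matches the digest in that manifest. The Go program below is an added example written for this article; it is not the M.E.Doc updater, nor any vendor's code, and its manifest layout, product name and key handling are assumptions made for illustration. It walks through a genuine update, the same manifest with a substituted payload (what a compromised update server would serve), and a manifest signed with a key that is not the vendor's, and shows that only the first is accepted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs. Layout is this example's own assumption.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  []byte `json:"sha256"` // digest of the payload this manifest vouches for
}

// SignedUpdate is what the client downloads from the (untrusted) update server.
type SignedUpdate struct {
	Manifest  []byte // JSON-encoded Manifest
	Signature []byte // ed25519 signature over Manifest
	Payload   []byte // the update bytes themselves
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify against pinned vendor key")
	ErrPayloadDigest = errors.New("payload digest does not match signed manifest")
	ErrWrongProduct  = errors.New("manifest is for a different product")
)

// Verify is the client-side check. The vendor key is pinned in the client, so a
// server or mirror that has been taken over cannot mint an acceptable manifest
// without the vendor's private key, and cannot swap the payload under a real one.
func Verify(vendorKey ed25519.PublicKey, product string, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(vendorKey, u.Manifest, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	digest := sha256.Sum256(u.Payload)
	if !bytes.Equal(digest[:], m.SHA256) {
		return nil, ErrPayloadDigest
	}
	return &m, nil
}

// publish is the vendor side: hash the payload, describe it, sign the description.
func publish(priv ed25519.PrivateKey, product, version string, payload []byte) (SignedUpdate, error) {
	digest := sha256.Sum256(payload)
	raw, err := json.Marshal(Manifest{Product: product, Version: version, SHA256: digest[:]})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: raw, Signature: ed25519.Sign(priv, raw), Payload: payload}, nil
}

// Scenario exercises the three cases a client must handle. Keys and payloads are
// generated on the spot; nothing here is a real product's key material.
func Scenario() (genuineOK bool, tamperedErr, forgedErr error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key that is not the vendor's
	if err != nil {
		panic(err)
	}
	const product = "exampleapp" // constructed product name

	genuine, _ := publish(vendorPriv, product, "1.2.3", []byte("constructed genuine update bytes"))
	_, err = Verify(vendorPub, product, genuine)
	genuineOK = err == nil

	// Same signed manifest, different payload: the hijacked-server case.
	tampered := genuine
	tampered.Payload = []byte("constructed substituted payload")
	_, tamperedErr = Verify(vendorPub, product, tampered)

	// Consistent manifest and payload, but signed by the wrong key.
	forged, _ := publish(otherPriv, product, "1.2.4", []byte("constructed substituted payload"))
	_, forgedErr = Verify(vendorPub, product, forged)
	return genuineOK, tamperedErr, forgedErr
}

func main() {
	ok, tampered, forged := Scenario()
	fmt.Println("genuine update accepted:", ok)
	fmt.Println("substituted payload:", tampered)
	fmt.Println("foreign signature:", forged)
}
```

The check is only as good as the pinning: if the client fetches the vendor key from the same server that serves the update, a hijacked server supplies both and the signature proves nothing. It also does not help with the abandonware case the article raises, where the client keeps trusting a key whose owner no longer maintains the product; that is why the inventory step Forcepoint recommends belongs alongside the cryptographic check.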