Companies across the globe have been struck by a second major ransomware attack in as many months. The malware responsible closely resembles Petya, but Kaspersky Lab says that it is “a new ransomware that has not been seen before”. As a result, many security researchers have dubbed it NotPetya.
So far, NotPetya has infected firms across the world, including advertising firm WPP, food company Mondelez, legal firm DLA Piper, and Danish shipping and transport firm Maersk. Ukraine appears to be the hardest-hit country, with banks, power companies and Kiev’s main airport all affected.
What is Petya/NotPetya?
Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Windows operating systems, infecting the master boot record to execute a payload that encrypts the NTFS file table, and demanding a bitcoin payment in order to regain access to the system.
Variants of Petya were identified in May last year, and propagated via infected email attachments. The NotPetya variant first appeared on 27 June this year, and takes advantage of the same Microsoft Windows vulnerability that was exploited by WannaCry.
How does it differ from WannaCry?
As with WannaCry, NotPetya has a wormable component that allows it to spread laterally around connected networks. However, its method differs from WannaCry in a number of ways. It uses a payload that infects the computer’s master boot record, overwriting the Windows bootloader, which then triggers a restart. When the computer reboots, the payload is executed – it encrypts the master file table (MFT) of the NTFS file system, and then displays the ransomware message. While this is happening, a simulation of the output of CHKDSK, the Windows file system scanner, is displayed on-screen, suggesting that the hard drive is actually being repaired.
According to Nick Bilogorskiy, senior director of threat operations at Cyphort, NotPetya also differs from WannaCry in that:
- NotPetya is initially distributed over email – specifically, a malicious link sent from an unknown address.
- NotPetya does not try to encrypt individual files. Instead, it encrypts the master file table.
- It has a fake Microsoft digital signature appended, copied from Sysinternals.
- NotPetya also appears to be able to spread laterally using Windows Management Instrumentation (WMI).
- Some payloads include a variant of Loki Bot, a piece of malware designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from web browsers, and a variety of cryptocurrency wallets.
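The following check is an added example, not part of the original article or of any vendor's tooling. Because NotPetya overwrites the master boot record, it compares a disk's first 512-byte sector against a known-good baseline copy and reports whether the boot code, partition table or boot signature changed. The function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440        # bootstrap code area at the start of the sector
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"     # fixed signature at offset 510
ENTRY_FMT = "<B3xB3xII"    # status, (CHS), type, (CHS), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into a boot-code hash, partition list and signature flag."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "valid_signature": sector[510:512] == BOOT_SIG}


def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings describing how the current MBR differs from the baseline."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    if not new["valid_signature"]:
        findings.append("boot signature missing")
    return findings


def build_sample(boot_code: bytes) -> bytes:
    """Constructed sector: placeholder boot code plus one bootable NTFS (0x07) partition."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48) + BOOT_SIG


if __name__ == "__main__":
    good = build_sample(b"\x90" * 100)       # constructed placeholder bytes
    tampered = build_sample(b"\xcc" * 200)   # same partitions, different boot code
    print(compare_to_baseline(good, good))
    print(compare_to_baseline(good, tampered))
```

The baseline has to be captured while the machine is known to be clean and stored off the machine, so that it cannot be altered along with the disk.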
Who is being targeted?
The short answer is ‘everyone’, from individuals to organisations. However, companies with valuable assets and a public reputation to protect represent high-value targets, often attracting the most sophisticated attacks.
How to protect yourself
There are a number of steps you can take to reduce the chances of falling victim:
- If you use Windows, install the patch Microsoft released to block the vulnerability that both WannaCry and NotPetya exploit.
- Update your antivirus software definitions. Most antivirus vendors have now added a detection capability to block WannaCry.
- Back up regularly, and make sure you have offline backups. That way, if you are infected by ransomware, your backups won’t be encrypted.
- Organisations should also be monitoring their logs closely for suspicious activity across firewalls and antivirus software.
What should you do if you’re infected?
NotPetya infects computers and then waits about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted, and then try to rescue the files from the machine.
If the system reboots with a ransom note, don’t pay the ransom. We always give this advice in the event of a ransomware infection, and in this case the criminal’s ‘customer service’ email address has been shut down, so there’s no way to get the decryption key anyway.
Instead, you should disconnect your computer from the Internet, reformat the hard drive, and reinstall your files from a backup.
IT Governance offers a range of solutions to help prevent you from falling victim to ransomware attacks and to enable you to implement the best possible security solutions for your budget and requirements.
A full list of the services we offer to help you combat the threat of ransomware can be found on our dedicated information page.