Companies across the globe have been struck by a second major ransomware attack in as many months. The malware responsible closely resembles Petya, but Kaspersky Lab says that it is “a new ransomware that has not been seen before”. As a result, many security researchers have dubbed it NotPetya.
So far, NotPetya has infected firms across the US and Europe, including advertising firm WPP, food company Mondelez, law firm DLA Piper, and Danish shipping and transport firm Maersk. Ukraine appears to be the hardest-hit country, with banks, power companies, and Kiev’s main airport all affected.
What is Petya/NotPetya?
Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Windows systems: it overwrites the master boot record (MBR) so that, on the next boot, a payload runs before Windows and encrypts the NTFS master file table (MFT), rendering the files unreachable even though their contents are not individually encrypted. It then demands a bitcoin payment equivalent to $300 to regain access to the system.
Variants of Petya were identified in May 2016 and propagated via infected email attachments. The NotPetya variant first appeared on June 27 this year and, for its spread across networks, takes advantage of the same Windows SMBv1 vulnerability exploited by WannaCry, which Microsoft patched in March 2017 (security bulletin MS17-010).
How does it differ from WannaCry?
As with WannaCry, NotPetya has a wormable component that allows it to spread laterally around connected networks. However, its method differs from WannaCry in a number of ways. Its payload infects the computer’s master boot record, overwriting the Windows bootloader, and then forces a restart. When the computer reboots, the payload runs instead of Windows: it encrypts the master file table (MFT) of the NTFS file system and then displays the ransom message. While the encryption is in progress, the screen shows a fake copy of the output of CHKDSK, the Windows file system checker, so the user believes the hard drive is being repaired rather than encrypted.
According to Nick Bilogorskiy, senior director of threat operations at Cyphort, NotPetya also differs from WannaCry in that:
- NotPetya is initially distributed over email – specifically, a malicious link sent from an unknown address.
- NotPetya does not try to encrypt individual files. Instead, it encrypts the master file table.
- It has a fake Microsoft digital signature appended, copied from Sysinternals.
- NotPetya also appears to be able to spread laterally using Windows Management Instrumentation (WMI).
- Some payloads include a variant of Loki Bot, a piece of malware designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from web browsers, and a variety of cryptocurrency wallets.
Who is being targeted?
The short answer is ‘everyone’, from individuals to organizations. However, companies with valuable assets and a public reputation to protect represent high-value targets, often attracting the most sophisticated attacks.
How to protect yourself
There are a number of steps you can take to reduce the chances of falling victim:
- If you use Windows, install Microsoft’s MS17-010 security update, which closes the SMBv1 vulnerability that both WannaCry and NotPetya exploit. Where SMBv1 is not needed (it rarely is on modern networks), disable it as well, and block TCP port 445 from the Internet and between workstations where possible.
- Update your antivirus software definitions. Most antivirus vendors have now added detection for NotPetya, but do not rely on signatures alone: the worm component can reach unpatched machines before definitions catch up.
- Back up regularly, make sure you have offline (or otherwise isolated) copies, and test that you can restore from them. That way, if you are infected by ransomware, your backups won’t be encrypted alongside your live data.
- Organizations should also monitor their logs closely for suspicious activity: firewall and antivirus alerts, but also endpoint events such as remote process creation over WMI and a single workstation opening SMB connections to many other hosts in a short time, which is what a worm of this kind looks like from the inside.
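To make the log-monitoring advice in the list above concrete, here is an added example that is not code from the original article or from any vendor it cites. It runs three simple detections over constructed, hypothetical log lines (the hostnames, users, addresses, timestamps and the key=value log format are all invented for the example, not real NotPetya telemetry): remote process creation through WMI, the lateral movement method mentioned above; one workstation opening SMB (TCP 445) sessions to many hosts within a short window; and a scheduled task that forces a restart, matching the delayed reboot that precedes MFT encryption. In a real deployment the parser would be replaced by a mapping from Sysmon or EDR fields, but the rules themselves carry over.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical hosts, users, addresses, timestamps).
# Each line: ISO timestamp, then key=value fields; cmd is double-quoted and
# may contain \" escapes, as a command line with an embedded quoted path does.
SAMPLE_LOG = r"""
2017-06-27T10:12:03 host=WS-014 type=process user=CORP\alice cmd="wmic.exe /node:WS-022 /user:CORP\alice process call create rundll32.exe"
2017-06-27T10:12:05 host=WS-014 type=network dst=10.0.1.21 dport=445
2017-06-27T10:12:05 host=WS-014 type=network dst=10.0.1.22 dport=445
2017-06-27T10:12:06 host=WS-014 type=network dst=10.0.1.23 dport=445
2017-06-27T10:12:06 host=WS-014 type=network dst=10.0.1.24 dport=445
2017-06-27T10:12:07 host=WS-014 type=network dst=10.0.1.25 dport=445
2017-06-27T10:12:07 host=WS-014 type=network dst=10.0.1.26 dport=445
2017-06-27T10:13:10 host=WS-014 type=process user=SYSTEM cmd="schtasks.exe /Create /SC once /TN rb /TR \"C:\Windows\System32\shutdown.exe /r /f\" /ST 11:13"
2017-06-27T10:15:00 host=WS-003 type=network dst=10.0.1.5 dport=445
2017-06-27T10:16:00 host=WS-003 type=network dst=10.0.1.5 dport=445
2017-06-27T10:20:00 host=WS-003 type=process user=CORP\bob cmd="notepad.exe C:\Users\bob\notes.txt"
"""

# key=value pairs; a value is either a double-quoted string with \" escapes
# or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Rule 1: WMI used to start a process on another machine.
WMI_REMOTE_EXEC = re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*process\s+call\s+create", re.I)
# Rule 2: a scheduled task whose action is a forced reboot (shutdown /r).
SCHEDULED_REBOOT = re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*shutdown(?:\.exe)?\s+.*?/r\b", re.I)


def parse_line(line):
    """Split one log line into a dict; unescape \" inside quoted values."""
    ts_str, _, rest = line.partition(" ")
    fields = {"ts": datetime.fromisoformat(ts_str)}
    for key, val in FIELD_RE.findall(rest):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields


def smb_fanout(conns, threshold, window):
    """Earliest window in which one host reached >= threshold distinct
    destinations on 445, as (start_ts, sorted destinations), else None."""
    conns = sorted(conns)
    for i, (t0, _) in enumerate(conns):
        dests = {dst for t, dst in conns[i:] if t - t0 <= window}
        if len(dests) >= threshold:
            return t0, sorted(dests)
    return None


def detect(log_text, smb_threshold=5, window=timedelta(minutes=5)):
    """Return a list of alert dicts (rule, host, detail) for the given log."""
    alerts = []
    smb_conns = defaultdict(list)  # source host -> [(ts, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("type") == "process":
            cmd = ev.get("cmd", "")
            if WMI_REMOTE_EXEC.search(cmd):
                alerts.append({"rule": "wmi_remote_exec", "host": ev["host"], "detail": cmd})
            elif SCHEDULED_REBOOT.search(cmd):
                alerts.append({"rule": "scheduled_forced_reboot", "host": ev["host"], "detail": cmd})
        elif ev.get("type") == "network" and ev.get("dport") == "445":
            smb_conns[ev["host"]].append((ev["ts"], ev["dst"]))
    # Fan-out is judged per source host over the whole log, so it is reported
    # after the per-line rules.
    for host, conns in sorted(smb_conns.items()):
        hit = smb_fanout(conns, smb_threshold, window)
        if hit:
            t0, dests = hit
            alerts.append({
                "rule": "smb_fanout",
                "host": host,
                "detail": f"{len(dests)} distinct hosts on 445 within {window} starting {t0.isoformat()}: {', '.join(dests)}",
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

Run against the sample, the three rules fire on WS-014 only; WS-003 talking to a single file server twice and running Notepad produces nothing. The SMB threshold and window are the knobs to tune: a backup server or a vulnerability scanner legitimately fans out on 445, so whitelist those sources rather than raising the threshold for everyone.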
What should you do if you’re infected?
NotPetya infects a computer and then waits, typically up to about an hour, before rebooting the machine; the MFT is only encrypted after that reboot, while the fake CHKDSK screen is showing. If you see that screen, or a machine you suspect is infected starts to restart unexpectedly, switch it off immediately to stop the encryption. Then, without booting from that disk, attach it to a clean system and rescue the files from it.
If the system reboots with a ransom note, don’t pay the ransom. We always give this advice in the event of a ransomware infection, and in this case the criminal’s ‘customer service’ email address has been shut down, so there’s no way to get the decryption key anyway.
Instead, you should disconnect the computer from the network (not just the Internet, since the worm spreads to neighbouring machines), reformat the hard drive, reinstall the operating system, and restore your files from a backup.
Learn from information security best practice with ISO 27001
An ISO 27001-compliant information security management system (ISMS) can help protect your business from a ransomware attack and prevent the disastrous effects of such attacks.
Although there is no such thing as 100% secure, ISO 27001 can significantly reduce the risk of a ransomware attack occurring. And if a ransomware attack does occur, the controls it requires, such as tested backups, patch management and incident response, can significantly reduce its impact.
ISO 27001 provides a holistic approach to managing information security across the organization through effective technology, auditing and testing practices, organizational processes, and staff awareness programs.
Moreover, ISO 27001 provides a risk management approach to information security, thereby ensuring that the organization is constantly evolving to adapt to the latest threats and cybersecurity risks.
Certification to ISO 27001 is growing 91% year-on-year in the USA. Get an ISO 27001 qualification with expert-led training from the team that led the world’s first ISO 27001 certification.