Roughly a month ago WannaCryptor tore through networks encrypting data on computers and demanding a ransom to decrypt it.
Now a new strain of ransomware is wreaking havoc on the world’s PCs and it exploits something that should have system administrators quaking in their boots.
The ransomware has been dubbed NotPetya due to its similarities to Petya but this ransomware appears to have one goal – destruction.
NotPetya – when it works – seeks out administrator access and then pollutes the network using the “god view” that many admins use to deploy patches on a network.
Like WannaCry, NotPetya uses the EternalBlue SMB exploit and EternalRomance SMB exploit to inject malicious code into a target machine. Worse than that, the ransomware can parade a malicious code injection as a software update.
At present its believed that ground zero for the attack is Ukraine or rather a piece of financial software called MeDoc that a number of Ukrainian businesses use.
The software is used by many businesses to pay taxes in the Ukraine and according to one researcher it’s used by many international firms that do business in the state.
It’s believed that a malicious update for MeDoc was pushed out that ran an executable containing NotPetya. Among the infected is Maersk, the global shipping firm.
How it works
Once the software has been installed within an hour the infected PC will reboot and users will be presented with a screen that looks like a Windows is running a CHKDSK. The truth is that this is NotPetya encrypting the files.
— Edward Snowden (@Snowden) June 27, 2017
If that happens, well, you’re screwed. Whoever is behind the attack demanded $300 in ransom but asked that those infected pop them an email for further instructions. Yes, really.
That email account has since been shuttered so if you’re trying to pay up you’re out of luck.
Why this is not Petya
While the code of this ransomware is reminiscent of Petya, The Register reports a number of oddities in the software, particularly which files it encrypts.
File extensions such as .png are left alone which is odd because many folks value their photos above the game they just bought and installed during the Steam sale.
Instead NotPetya appears to be targeting .php files, Excel spreadsheets and even .aspx code. Essentially NotPetya looks as if it’s goal is to cut developers off at the knees.
The ransom demand is also bizarre. Usually cyber criminals make ransom demands easy to pay so that they can profit as much as possible from unwitting individuals. This ransomware makes users jump through a series of complicated hoops to get to the actual payment of the ransom.
What should you do?
As with all ransomware the advice remains the same. Make regular back ups and patch software as soon as those patches come down. Yes, we know that this is how NotPetya spread but that incident with MeDoc is the exception not the rule.
For organisations that use a flat network control method which has a single point of failure (i.e. a system admin with god-view), now might be a good time to rework that model.
[Via – The Register][Image – CC BY SA Buster Benson]