NotPetya: What You Need to Know About the Latest Ransomware Attack

This malware is even more malicious than WannaCrypt. Find out if you are vulnerable and what you should do.

In May 2017, the world got a wake-up call from the widespread WannaCry or WannaCrypt ransomware attack that infected computers and networks in institutions, businesses, and homes across the globe. Thankfully, the rampant damage of the WannaCrypt malware was cut short by its amateurish development, as it was semi-inadvertently mitigated by a built-in kill switch discovered by MalwareTech.

The expert advice at the time was clear:

  • Patch your systems with MS17-010 (and for Pete’s sake, upgrade beyond Windows XP)
  • Use your antivirus software and keep your virus definitions updated
  • Be wary of suspicious email attachments
  • Watch out—they’ll be back

That last bit of advice came true today. Early Tuesday morning, reports of ransomware attacks in Ukraine began trickling in. Then it spread to the rest of Europe and Russia. It even made its way to a hospital in Pittsburgh, PA in the U.S.

We are still learning about this new ransomware attack. In fact, the community hasn’t really even settled on a name for it. People have recognized one aspect of it as a known ransomware called Petya. But this malware seems to pack a one-two punch, if not more. So, some are calling it NotPetya. For now, that’s what I’ll call it, too.

All that aside, here are the highlights of what is known (Excerpted from Forbes and MalwareTech):

  • NotPetya uses the same exploit as WannaCrypt: EternalBlue, which infects computers via SMBv1. But it can also spread to other computers through WMIC and PsExec. So, if you patched during the WannaCrypt attack, you are only half-protected right now.
  • NotPetya will first attempt to encrypt the MFT (master file table) on your hard drive. This will prevent your computer from booting altogether. If it fails at that, it’ll just go ahead and boot and then encrypt all your files, and demand payment in Bitcoin to unlock them. (The pre-boot encryption is Petya, and the post-boot one is Misha.)
  • The message you’ll see is this: “If you see this text, then your files are no longer accessible because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
  • NotPetya will also scan your computer for credentials (usernames and passwords) and send them to the hacker’s server.
  • Important. Posteo, the email provider for the email address you’re supposed to contact in order to get your decryption key, has already disabled the account. This means there is no way to get your data back by paying the ransom. Don’t pay it.

From the looks of it, NotPetya is a more professional version of WannaCrypt, without the bugs and kill switch. Security experts are still investigating and responding to attacks.
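An added audit script, not part of the groovyPost article, that checks a Windows host for the exposure points listed above: SMBv1 still enabled, no MS17-010 hotfix installed, administrative shares exposed to WMIC/PsExec-style spreading from another infected machine, and whether the read-only C:\Windows\perfc file a commenter below mentions is in place. It assumes Windows 8/Server 2012 or later (for the SmbShare cmdlets), an elevated session, and that you fill in the MS17-010 KB numbers for your OS build; the KB value shown is a placeholder, not a real id.

```powershell
# Added example, not from the article: read-only audit of NotPetya exposure points.
# Assumption: fill this from Microsoft's MS17-010 bulletin for your OS build.
# The value below is a labelled placeholder, not a real KB number.
$Ms17010Kbs = @('KB<placeholder-for-your-OS>')

function Test-NotPetyaExposure {
    $findings = @()

    # 1. EternalBlue targets the SMBv1 server. Assumes the SmbShare module (Win8/2012+).
    $cfg = Get-SmbServerConfiguration
    if ($cfg.EnableSMB1Protocol) {
        $findings += 'SMBv1 server is enabled; disable it with ' +
                     'Set-SmbServerConfiguration -EnableSMB1Protocol $false (after patching)'
    }

    # 2. Is any MS17-010 hotfix from the list present?
    $patched = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if (-not $patched) {
        $findings += 'No MS17-010 hotfix found (verify $Ms17010Kbs matches this OS build)'
    }

    # 3. WMIC/PsExec spreading from an infected peer lands on the administrative
    #    shares (ADMIN$, C$, ...). Report which of them this host still exposes.
    $adminShares = Get-SmbShare | Where-Object {
        $_.Special -and $_.Name -match '^(ADMIN\$|[A-Z]\$)$'
    }
    if ($adminShares) {
        $names = ($adminShares | Select-Object -ExpandProperty Name) -join ', '
        $findings += "Administrative shares exposed: $names (restrict local admin reuse, firewall 445 between workstations)"
    }

    # 4. The read-only C:\Windows\perfc "vaccine" file quoted from BleepingComputer.
    $perfc = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path $perfc)) {
        $findings += "$perfc is not present"
    } elseif (-not (Get-Item $perfc).IsReadOnly) {
        $findings += "$perfc exists but is not read-only"
    }

    return $findings
}

$result = Test-NotPetyaExposure
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No NotPetya exposure points found by this check (backups still required).' }
```

The share check only reports exposure; it does not change anything, so the script is safe to run on a fleet before deciding which hosts need the patch or the SMBv1 change first.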

Action you should take now

Ransomware is dangerous because it encrypts all the files on your hard drive and mapped drives. Want your data back? Pay the ransom to the hacker. A better strategy than hoping and waiting is to back up today. Here at groovyPost, we suggest a set-it-and-forget-it cloud backup. Our favorite service is Crashplan, though Backblaze is fine too. You see, Crashplan protects you against ransomware because it backs up all your files each time they change. So if you get infected and all your files are encrypted, no worries, kinda. You will need to wipe your hard drive, re-install your OS, re-install Crashplan, and then restore your files from the previous day/week, etc., from before the files got encrypted.

I know, not ideal, but better than losing all your files.

Over the coming days, the NotPetya story will no doubt continue to develop. The best advice at this point is to ensure you have a solid backup of all your files and always practice safe online computing.

Do you have any information about NotPetya, WannaCry v2, or whatever they are calling it? Tell us about it in the comments.

11 Comments

  1. Jack

    June 28, 2017 at 4:57 am

    Hey everyone,
    Looks like someone may have found a “vaccine” for Petya/NotPetya/Petna

    from: bleepingcomputer:

    “create a file called perfc in the C:\Windows folder and make it read only”

  2. Susi Brown

    June 28, 2017 at 6:52 am

    Are OneDrive, DropBox & other such Clouds protected??
    Thank you SO much for all you do!!
    Susi
    Va Beach VA

    • Steve Krause

      June 28, 2017 at 10:21 am

      Hi Susi.

      Dropbox and OneDrive are great for syncing your data between devices, but they are not a backup solution. The problem with malware/ransomware and sync services is that the file will become encrypted/infected and Dropbox and OneDrive will then sync those files up to the Cloud and then back down to your devices. Sure, both Dropbox and OneDrive keep previous versions of your files; however, you have to restore them one at a time. Very time consuming and not a core competency of those services.

      That’s why I like Crashplan… Yes I know, many will say “Back up locally to a USB drive”. My issue with local backups is they don’t protect you against fire, theft and HW failures. Crashplan not only does real-time backups, it also encrypts the data before uploading it to the Crashplan data center. That’s called “encryption at rest”. So, they can’t get access to your data.

      Hopefully, that answers your question Susi (plus a few other questions…) (Smile)

      • Susi Brown

        June 28, 2017 at 10:37 am

        Thank you!! That makes perfect sense!! Crashplan it is!!
        Susi

  3. Milton Canabrava

    June 28, 2017 at 8:23 am

    Considering the possibility of hardware failures, internet blackouts and privacy problems, I strongly recommend backups in offline devices. It takes a lot of time and money, but you won’t have such problems.

  4. Mike Miller

    June 28, 2017 at 12:36 pm

    Offsite backups are great for those that have something that approaches a decent Internet connection (i.e., the FCC’s recommendation of 25Mbps or better), but for those of us who live in rural areas, this is simply not viable. Case in point, my DSL connection is about 9Mbps down and .9Mbps up. Backing up my 16GB music collection took me over three days to upload to OneDrive. With a C: drive currently sitting at 149GB and about another 500GB of data files and apps that take up too much room on C:, uploading/backing this configuration up constantly would make my Internet connection basically useless.

  5. Vicki

    July 2, 2017 at 11:31 am

    Is there a HIPAA compliant service for small medical offices?

    Was also wondering about point-to-point encryption services for existing email addresses.

    • Steve Krause

      July 2, 2017 at 8:42 pm

      Hi Vicki,

      Crashplan should be fine. It does encryption at rest and in transit so you will be good. That said, check with your HIPAA privacy officer. For email, what is it you’re trying to do? O365 may be good enough for your small business as they encrypt in transit and at rest as well.

  6. Martin James

    July 3, 2017 at 12:41 am

    Hi guys
    Can this new ransomware attack windows 10, if it is fully updated?
    Or is it just hitting the older OSs as the last wave did?
    Martin

    • Jack Busch

      July 4, 2017 at 4:32 am

      As with WannaCry, I believe an up-to-date Windows 10 copy should protect you from the initial infection via SMB.

      But it seems like there is still a risk of infection if another PC on your network has been infected. For example, if there is an old Windows XP or Windows 7 machine with administrator rights on your network, it could spread that way. Microsoft also recently pushed out updates to Windows Defender Antivirus and Microsoft Security Essentials, so make sure you have these products enabled.

  7. Martin James

    July 4, 2017 at 9:55 am

    Thanks Jack
    Thought win10 was safe. We only have Win 10 machines. We have Windows Defender.
    Martin
