NotPetya Ransomware: Everything you need to know
It seems we can't go a couple of weeks without hearing about a new cyberattack. In mid-May it was the WanaCryptOR 2.0 ransomware, aptly nicknamed “WannaCry.” Now, it's a different type of malware infecting large corporations and personal computers alike.
Both pieces of malware target Windows computers, both spread through networks on their own using the leaked EternalBlue SMB exploit, and both present a ransom demand, but the similarities largely stop there.
What is Petya?
Petya is a family of malware known as ransomware that was first documented in 2016. Ransomware, as the name suggests, encrypts the data on an infected computer and demands a payment in exchange for the key that decrypts it. Many victims pay, and the demanded sum ranges from a few hundred dollars for an individual to thousands, or hundreds of thousands, for a corporation.
Petya differs from most ransomware in that, rather than encrypting individual files, it overwrites the master boot record with its own boot code; on the next reboot that code encrypts the NTFS master file table, which leaves every file on the disk unreadable even though the file contents themselves are untouched.
Cybersecurity experts, however, were quick to point out that the latest attack only resembles Petya and appears to be a new, previously unseen variant. The biggest difference between the two is how little effort went into actually collecting the ransom. This new malware was designed for destruction, not extortion.
Trusted computer security veteran ‘The Grugq’ said, “The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This [latest malware] is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware.”
Because of these differences, many have begun to call it NotPetya.
Who was affected
During the last week of June this ransomware began its destructive run in Ukraine, hitting banks, companies, and government agencies. The list of organizations that have admitted being hit is long: Ukraine's Ministry of Culture, Ministry of Finance, national and regional police, and the Ministry of Energy, along with banks, transport companies, media companies, cell phone operators, gas stations, and even pharmacies. Because the epicenter of the attack was Ukraine, experts suspect it was initiated by Russia in retaliation for the sanctions Ukraine imposed on Russian websites and online services.
However, the infection quickly spread worldwide, affecting huge international corporations including shipping giant Maersk, advertising conglomerate WPP, and law firm DLA Piper. So far the tally of infected machines is in the tens of thousands, spread across some 65 countries.
How did it infect
Phishing emails were one way this worm wriggled into networks. But the designers of this malware also inserted it into the update mechanism of MeDoc, accounting software that a great many companies inside Ukraine use for tax reporting to the government. MeDoc, however, has publicly denied this, calling the reports “clearly erroneous.”
Once it has a foothold on one computer, the malware tries several ways to reach the rest of the network: two leaked SMBv1 exploits (EternalBlue and EternalRomance) and, where those are patched, credentials harvested from memory with a Mimikatz-style tool and reused through the legitimate PsExec and WMIC administration tools. That combination lets it move through fully patched networks as well, which makes it more dangerous inside a corporate environment than the WannaCry ransomware that swept across the globe in May.
The best known of these is EternalBlue, an exploit for a flaw in version 1 of the Server Message Block protocol (SMBv1) that Microsoft patched in March 2017 as MS17-010. The exploit was developed by none other than the NSA and became public when a group calling itself the Shadow Brokers leaked it in April 2017. Both WannaCry and this new malware take advantage of the same weak spot; the original 2016 Petya predates the leak and did not.
It then moves through the network from computer to computer, attempting to infect each one and render its data unrecoverable.
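The dependence on SMBv1 gives defenders a simple check. The script below is an added example written for this article, not tooling from the original post or from any of the analyses it cites: it sends one plain SMBv1 NEGOTIATE request (no exploit payload) to a host and classifies the reply, so you can find machines on your own network that still speak the protocol EternalBlue needs. The target host is an assumption supplied on the command line, port 445 is assumed, and the sample replies embedded in the block are constructed by hand so the parsing logic can be checked offline.

```python
"""Probe a host for SMBv1 support with a plain NEGOTIATE request.

Added example for this article (not the original author's tooling): it sends
no exploit payload, only the dialect negotiation every SMB1 session starts with,
and reports whether the server is willing to speak SMB1 at all.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Offer only an SMB1 dialect: a server with SMB1 disabled cannot answer this.
# Adding "SMB 2.002" to the list would let an SMB2-capable server reply in SMB2.
DEFAULT_DIALECTS = ["NT LM 0.12"]


def _netbios(smb: bytes) -> bytes:
    """Wrap an SMB message in a NetBIOS session-service header (type 0, 3-byte length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb1_negotiate(dialects=DEFAULT_DIALECTS, mid=1):
    """Build the SMB_COM_NEGOTIATE request as it goes on the wire."""
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, pid_high,
    # 8-byte signature, reserved, tid, pid, uid, mid
    flags = 0x18        # paths are case-insensitive and canonicalized
    flags2 = 0xC801     # unicode | NT status codes | extended security | long names
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE, 0, flags, flags2, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string.
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(body)) + body  # WordCount=0, ByteCount
    return _netbios(smb)


def classify_negotiate_response(data: bytes, offered=DEFAULT_DIALECTS):
    """Return (verdict, detail) for the raw bytes a server sent back."""
    if len(data) >= 4 and data[0] == 0x00:      # strip NetBIOS session header
        data = data[4:4 + int.from_bytes(data[1:4], "big")]
    if not data:
        return ("no-response", None)
    if data[:4] == SMB2_MAGIC:
        return ("smb2", None)
    if data[:4] != SMB1_MAGIC or len(data) < 35 or data[4] != SMB_COM_NEGOTIATE:
        return ("malformed", None)
    status = struct.unpack_from("<I", data, 5)[0]
    if status != 0:
        return ("error", "0x%08x" % status)
    # Byte 32 is WordCount; the first parameter word is the accepted dialect index,
    # 0xFFFF meaning the server rejected every dialect we offered.
    dialect_index = struct.unpack_from("<H", data, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(offered):
        return ("smb1-no-common-dialect", None)
    return ("smb1", offered[dialect_index])


def probe_host(host: str, port: int = 445, timeout: float = 3.0):
    """Connect, send one NEGOTIATE, classify the reply. Needs network access."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
    except OSError as exc:   # refused, reset and timed out are all OSError subclasses
        return ("unreachable", str(exc))
    return classify_negotiate_response(data)


# Constructed sample replies (hand-built, not captured traffic) for offline checks.
_SMB1_REPLY_HEADER = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4
                      + b"\x98" + b"\x01\xc8" + b"\x00" * 20)
SAMPLE_REPLIES = {
    # WordCount 17, DialectIndex 0 (=> "NT LM 0.12"), 32 more parameter bytes, ByteCount 0
    "smb1-enabled": _netbios(_SMB1_REPLY_HEADER + b"\x11" + b"\x00\x00" + b"\x00" * 32 + b"\x00\x00"),
    # WordCount 1, DialectIndex 0xFFFF: SMB1 stack present but no dialect accepted
    "smb1-rejected": _netbios(_SMB1_REPLY_HEADER + b"\x01" + b"\xff\xff" + b"\x00\x00"),
    # 64-byte SMB2 header: what you get if the server only negotiates SMB2/3
    "smb2-only": _netbios(SMB2_MAGIC + b"\x40\x00" + b"\x00" * 58),
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name:14s} -> {classify_negotiate_response(reply)}")
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(f"{host:14s} -> {probe_host(host)}")
```

Saved as, say, smb1_probe.py and run with a host name or address as its only argument, it prints the verdict for the three constructed samples and then for the real host. A reply of "smb1" means the server still accepts SMBv1 sessions, which is the precondition for EternalBlue; it does not tell you whether MS17-010 is installed, so patch either way. A host with SMBv1 disabled (the default on recent Windows 10 builds) usually closes the connection without answering, which shows up as "unreachable" or "no-response".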
When investigating any crime, what is the first thing police look for? Motive: who stands to gain the most from carrying out the crime. In this case the obvious answer is Russia. In May, Ukrainian President Petro Poroshenko announced a new round of internet censorship aimed at Russian-owned sites and services, among them the ‘Russian Facebook,’ Vkontakte, as well as popular email services and Russian media and TV channels.
This move upset not only Russians but Ukrainians as well. Despite the turmoil between the two countries, Russian websites and services remain immensely popular there; Vkontakte alone counts some 15 million users in Ukraine. The increased censorship left only those with a VPN able to reach the blocked sites.
However, don't be too quick to blame Russia. The earlier attack, WannaCry, has been attributed to North Korea: experts believe its state-sponsored hacking unit, Bureau 121, also known as the Lazarus Group, is responsible for that worm, which was reported in over 100 countries and infected over 230,000 machines.
So this attack may go down in history much like Stuxnet, a cyber attack aimed at a single country that got a bit out of hand. And, as with Stuxnet, which many believe to be the work of a collaboration between the US and Israel, we may never have definitive proof of who did it.
If you're infected with NotPetya…
You're out of luck. The only point of contact given in the ransom note was an email address that the provider shut down almost immediately. Besides, this software was meant to destroy: the ‘personal installation key’ the note asks you to send is random data with no relation to the key that actually scrambled your disk, so not even the attackers could decrypt it. By the time the ransom message appeared on your screen your files were already beyond recovery, whether or not you paid.
In order to inoculate yourself against this virus you should follow the usual guidelines whenever a new bug is reported (and you should really do these things periodically anyway). First, run Windows Update and make sure every pending security patch is installed; the March 2017 update for the SMBv1 flaw (MS17-010) closes the hole EternalBlue uses, and if nothing on your network still needs SMBv1 you should disable the protocol altogether. Second, scan your computer for malicious programs (extra points for scheduling automatic scans). Finally, back up your data, and keep at least one copy somewhere the infected machine cannot reach, because a backup on a mapped network drive gets encrypted along with everything else. This last point is incredibly important but often overlooked. You never know when you might be hit in the first wave of a ransomware attack, leaving you with no option besides losing your data or paying the ransom (or, as here, losing it regardless of what you do). And one final point: never open suspicious emails, and avoid clicking links in emails altogether.