Another widespread ransomware attack dubbed as NotPetya and not Petya has caused disruption across US and Russia and is spreading elswhere.The ransomware shares some code with Petya and works on the same pattern as WannaCry did.It stems from NSA’s leaked documents,with refined mechanism for spreading and is believed to be worse than WannaCry.
The attack started in Ukrain and Russia on Tuesday,and since then many organizations have been targeted worldwide.Disruptions were reported from British advertiser WPP, Danish shipping giant Maersk, Russia’s Rosneft oil firm, food company Mondelez,Milka Chocolate,Orio cookies and legal firm DLA Piper in United States,six companies in Switzerland and Cadbury chocolate plant in Australia.In Asia India’s largest port in Mumbai was also attacked.
How Does it Work?
The ransomware takes over computers running Microsoft Windows,and is based on EternalBlue vulnerability like WannaCry,but unlike WannaCry it encrypts entire hard disk and overwrites files.The ransomware then demands $300 typically in Bitcoins to decrypt the files, preventing the victims from booting up.
The whole picture is not clear yet, as the new ransomware is way too complicated and has multiple mechanisms of spreading. Most of the ransomwares create custom payment address for each victim but for the new ransomware same Bitcoin address is given for all victims. In addition,instead of using any anonymity network (like Tor) attackers have provided an email address to communicate with them. This shows ransomware was definitely not designed for making money.The aim might be to create chaos and spread fast.
NotPetya is a Malware
$16,300 in Bitcoins have been paid to the BTC wallet in hope to get locked files back by various victims, but unfortunately, they would not.
It’s because the email address, which was being set-up by the attackers to communicate with victims and send decryption keys, was suspended by the German provider shortly after the outbreak. This act by German Provider might seem strange but its a step in right direction and it is done to curb the Ransomware spread in these days.
Petya reboots victims computers and encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk. While displaying the ransom note on boot up , it does not keep backup of original MBR which means even if you pay , you can not recover your system. This design was intentional or by mistake is unknown.
Also, after infecting one machine, the Petya ransomware scans the local network and quickly infects all other machines (even fully-patched) on the same network, using EternalBlue SMB exploit, WMIC and PSEXEC tools.
- Don’t open emails and attachments from unknown sources.
- Create read only file C:\Windows\perfc.dat, it would prevent scrambling of files.
- Backup your files regularly and make sure that your system is updated.
- Disable SMBv1, block outside access to ports 137, 138, 139, 445.
Topnotch Free Ransomware Protection Guide
Organizations must treat mitigating the risks associated with ransomware—data loss, interruption of business operations, and more—as a strategic imperative by implementing a layered security approach that maps to and thus thwarts ransomware attack campaigns. This paper offers a prescriptive approach to do so, based on four countermeasures requiring a set of integrated controls for centralized visibility, shared intelligence, and active prevention.