NotPetya Ransomware Attack Spread Rapidly Across World

A new worldwide ransomware attack has hit hard just a little over a month after the WannaCry attack. The attack appeared to start in Ukraine and then spread across Europe, but it has made its way to the US in the past 24 hours, taking down systems at US pharma company Merck & Co.

Worldwide advertising agency WPP, Dutch shipping company AP Moller-Maersk, Russia’s main oil producer Rosneft, a Cadbury Chocolate factory, and the Ukrainian National Bank are just a handful of the notable companies affected by the new attack.

Victims of the ransomware are being asked to pay $300 in Bitcoin cryptocurrency to unlock their systems.

The Petya Ransomware Variant

Unlike other ransomware families, which encrypt specific files, the Petya variant of ransomware does not attack individual files. Instead, Petya encrypts the master file table (MFT) and renders the computer’s master boot record (MBR) inoperable. In plain English, Petya seizes the record of where on the physical hard drive the operating system is located and then denies access to it. The MBR is then replaced with a ransom note that displays a message stating:

“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service”.
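Because Petya overwrites the first sector of the disk, one practical defensive check is to record a baseline of the MBR (bootstrap code hash, partition table, boot signature) and compare a fresh read against it. The following PowerShell is an added example, not code from the article or from any vendor: it parses a 512-byte sector into those three parts and reports what differs. The sample sector bytes are constructed here for illustration; reading the live sector from `\\.\PhysicalDrive0` requires an elevated session and is shown only as a comment.

```powershell
# Added example: baseline and compare a 512-byte MBR. Layout used: bytes 0-445 bootstrap code,
# four 16-byte partition entries at 446-509, boot signature 0x55 0xAA at 510-511.

function Get-MbrInfo {
    param([byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw "MBR must be exactly 512 bytes, got $($Sector.Length)" }

    # Hash only the bootstrap code; the partition table is compared field by field below.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ($sha.ComputeHash($Sector, 0, 446) | ForEach-Object { $_.ToString('x2') }) -join ''

    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + 16 * $i
        $type = $Sector[$off + 4]            # partition type byte; 0 means unused entry
        if ($type -ne 0) {
            $parts += [pscustomobject]@{
                Bootable    = ($Sector[$off] -eq 0x80)
                Type        = $type
                LbaStart    = [BitConverter]::ToUInt32($Sector, $off + 8)
                SectorCount = [BitConverter]::ToUInt32($Sector, $off + 12)
            }
        }
    }

    [pscustomobject]@{
        BootstrapSha256 = $bootHash
        Partitions      = $parts
        SignatureOk     = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
    }
}

function Compare-Mbr {
    param([byte[]]$Sector, $Baseline)
    $current  = Get-MbrInfo -Sector $Sector
    $findings = @()
    if (-not $current.SignatureOk) { $findings += 'boot signature 0x55AA missing' }
    if ($current.BootstrapSha256 -ne $Baseline.BootstrapSha256) { $findings += 'bootstrap code differs from baseline' }
    $curTable  = $current.Partitions  | ConvertTo-Json -Compress
    $baseTable = $Baseline.Partitions | ConvertTo-Json -Compress
    if ($curTable -ne $baseTable) { $findings += 'partition table differs from baseline' }
    return ,$findings
}

# Constructed sample sector (not a real disk image): a few placeholder bootstrap bytes,
# one bootable NTFS (0x07) partition starting at LBA 2048, valid signature.
function New-SampleMbr {
    param([byte[]]$Bootstrap)
    $sector = New-Object byte[] 512
    [Array]::Copy($Bootstrap, 0, $sector, 0, [Math]::Min($Bootstrap.Length, 446))
    $sector[446] = 0x80                                   # bootable flag
    $sector[450] = 0x07                                   # NTFS
    [Array]::Copy([BitConverter]::GetBytes([uint32]2048),    0, $sector, 454, 4)
    [Array]::Copy([BitConverter]::GetBytes([uint32]2097152), 0, $sector, 458, 4)
    $sector[510] = 0x55
    $sector[511] = 0xAA
    return ,$sector
}

$cleanMbr    = New-SampleMbr -Bootstrap ([byte[]](0xFA, 0x33, 0xC0, 0x8E, 0xD0))
$baseline    = Get-MbrInfo -Sector $cleanMbr
# Simulated overwrite: different bootstrap code, partition table and signature left intact.
$overwritten = New-SampleMbr -Bootstrap ([byte[]](0xEB, 0x00, 0xEB, 0x00, 0xEB, 0x00))

'clean: '       + ((Compare-Mbr -Sector $cleanMbr    -Baseline $baseline) -join '; ')
'overwritten: ' + ((Compare-Mbr -Sector $overwritten -Baseline $baseline) -join '; ')

# To check a live host (assumption: elevated session, raw device access permitted), read the
# first 512 bytes of the physical disk and feed them to Compare-Mbr against a stored baseline:
#   $fs = New-Object System.IO.FileStream('\\.\PhysicalDrive0', 'Open', 'Read', 'ReadWrite')
#   $live = New-Object byte[] 512; [void]$fs.Read($live, 0, 512); $fs.Close()
#   Compare-Mbr -Sector $live -Baseline (Import-Clixml .\mbr-baseline.xml)
```

Store the baseline with `Export-Clixml` when the machine is known-good; the comparison reports the bootstrap change first, which is the part Petya replaces, while a legitimate repartitioning shows up as a partition-table difference only.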

NotPetya Is Fooling Anti-Virus and Infecting Patched Systems

The new variant of Petya, called Petwrap, is particularly nasty as it has been able to fool many anti-virus tools and has been able to successfully infect systems that have been patched against the EternalBlue vulnerability that allowed WannaCry to spread rapidly.

If, for some reason, a business has not applied the critical Windows SMB patches for EternalBlue (MS17-010), it needs to disable the SMBv1 protocol now rather than later to prevent infection.

System admins are also encouraged to disable WMIC (Windows Management Instrumentation Command-Line) which is being used to spread the infection across patched systems.
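The two hardening steps above (disable SMBv1, disable WMIC) as one elevated PowerShell script. This is an added example, not code from the article: it uses the `Set-SmbServerConfiguration`, `Disable-WindowsOptionalFeature` and `Set-AppLockerPolicy` cmdlets, assumes a Windows edition where AppLocker enforcement is available, and blocks `WMIC.exe` for Everyone (SID `S-1-1-0`) as the article recommends, which also stops legitimate administrative use of WMIC. The MS17-010 patch check is not included because the KB number differs per OS version.

```powershell
# Added example: disable SMBv1 and block WMIC.exe. Run from an elevated PowerShell session.

# 1. SMBv1 on the server side: report the current state, then turn it off.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server protocol is enabled; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 2. Remove the SMB1 optional feature (client and server binaries) where it exists as a
#    DISM feature (client SKUs); on Windows Server the equivalent is Remove-WindowsFeature FS-SMB1.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. Verify: should print False.
"SMB1 server enabled: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"

# 4. AppLocker deny rule for WMIC.exe.
#    Assumptions: AppLocker enforcement is available on this edition and the Application Identity
#    service (AppIDSvc) is running. -Merge keeps the existing rules, and EnforcementMode="NotConfigured"
#    leaves the Exe collection's current mode unchanged. Once Exe rules are enforced AppLocker blocks
#    anything not explicitly allowed, so make sure the default allow rules exist before relying on this.
$ruleId    = [guid]::NewGuid().ToString()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$ruleId" Name="Deny WMIC" Description="Block wmic.exe used for lateral spread" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\wbem\WMIC.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'deny-wmic.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. Confirm the rule is now part of the effective policy.
(Get-AppLockerPolicy -Effective -Xml) -match 'Deny WMIC'
```

Step 1 takes effect immediately for new SMB sessions; step 2 needs a reboot to remove the driver. Because step 4 merges a deny rule, it is safe to apply to hosts that already have an AppLocker policy, and it does nothing on hosts where the Application Identity service is not running.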

A vaccine of sorts has been discovered by security researchers and can prevent companies from becoming infected by creating a file in their systems that the ransomware looks for before encryption takes place. Detailed instructions can be found at BleepingComputer.

Victims May Have Nowhere To Turn

After demanding the ransom, the hackers told victims to send an email to a Posteo email account with the infection ID and the victim’s Bitcoin wallet hash. Posteo quickly shut down the email account, stating that “We do not tolerate any misuse of our platform: The intermittent blocking of abused mailboxes is a normal procedure of providers in such cases.” This has left victims with no way to contact the hackers behind the attack should they decide to pay.

Additionally, as researchers continue to look into NotPetya, it has been discovered that it is not true ransomware but instead what is known as wiper malware. Ransomware’s intent is to make money, whereas wiper malware seeks to create havoc by destroying systems. Victims of NotPetya not only had nowhere to turn for making ransom payments, but they also would not be able to recover their files even if they had been provided a decryption key.