Petya Ransomware Advisory
Last updated: 05/07/17 09:00
Throughout the week (26-30 June) Integrity360 security experts followed developments in the latest malware attack to hit the industry. Our clients were advised to remain vigilant about this threat, and below is the information as it is currently understood.
For further information on the threat we recommend attendance in our upcoming webinar on the topic.
The current impact
The malware has affected companies across a range of industry sectors around the world, with Ukraine the worst affected (over 60% of instances occurred in Ukraine), while Russia and some Western European countries were also affected. Kaspersky Lab reports that while the finance sector was hit hardest, more than 50 percent of the remaining targets fell into the categories of manufacturing, oil and gas.
Some preliminary reports from researchers indicate that MeDoc, a Ukrainian company that makes accounting software, may have been compromised and used as the source of the infection: the attackers pushed a malicious update through the software's own update mechanism, resulting in the NotPetya ransomware being installed on machines that applied it. MeDoc has denied that this is the case, though there is mounting evidence to support the theory. If confirmed, this is a software-supply-chain compromise, and no amount of user vigilance about email attachments would have prevented the initial infection.
NotPetya, also being called "Nyetya", is being compared to the WannaCry attack because it employs the same EternalBlue SMB exploit (addressed by Microsoft's MS17-010 update), but this is only one component of the attack. It also harvests credentials from the memory of the infected machine and reuses them with legitimate Windows administration tools (PsExec and WMI) to execute itself on other hosts, which is why it can spread to machines that are fully patched against EternalBlue.
Though NotPetya appears to be ransomware, it is in fact classified as a different kind of program, a wiper, because the damage it inflicts on the file system cannot be reversed. After infection, NotPetya overwrites the Master Boot Record (MBR) of the system with its own boot code and then creates a scheduled task that forces a reboot after a delay (reported at around an hour to an hour and a half). When the system reboots, the malicious boot code encrypts the Master File Table while displaying a fake CHKDSK screen; this is where the main damage is caused. A black screen with red text is then shown and $300 in bitcoins is demanded to recover the files.
The "installation key" shown on the ransom screen is random and is not tied to the encryption of the affected machine, so there is no way for a payment to be mapped to a specific infection and no way for a working decryption key to be issued. Additionally, the email provider (Posteo) has shut down the address used to communicate with the authors of the malware, so communication is no longer possible. Paying the ransom therefore gains nothing.
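The infection chain described above (a DLL launched through rundll32, a scheduled forced reboot, and spread to other hosts with administration tools) leaves process-creation traces that endpoint telemetry can catch. The detector below is an added example, not code from this advisory or from Integrity360. It runs over Sysmon-style process-creation events in a simple key=value|key=value form; the sample lines are constructed for the example, not captured from a real host. The file names perfc.dat (the malware DLL) and dllhost.dat (the renamed copy of PsExec it drops), and the shape of the schtasks, wmic and PsExec command lines, are taken from public analyses of the sample rather than from this page, and the IP addresses and account names are placeholders.

```python
"""Match process-creation events against NotPetya-style behaviours.

Added example, not part of the original advisory. Event format is a
constructed 'Key=Value|Key=Value' line modelled on Sysmon Event ID 1 fields.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events (not real telemetry). WS01 shows the infection
# chain; WS02 is benign activity that shares superficial features (a scheduled
# task, a wmic call) and must not be flagged.
SAMPLE_EVENTS = [
    r'Time=2017-06-27T10:30:01|Host=WS02|Parent=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|Cmd=notepad.exe report.txt',
    r'Time=2017-06-27T10:30:40|Host=WS02|Parent=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\schtasks.exe|Cmd=schtasks /Create /SC daily /TN Backup /TR "C:\Tools\backup.exe /full" /ST 23:00',
    r'Time=2017-06-27T10:30:55|Host=WS02|Parent=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\wbem\wmic.exe|Cmd=wmic os get caption',
    r'Time=2017-06-27T10:31:02|Host=WS01|Parent=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\rundll32.exe|Cmd=rundll32.exe C:\Windows\perfc.dat,#1',
    r'Time=2017-06-27T10:31:14|Host=WS01|Parent=C:\Windows\System32\rundll32.exe|Image=C:\Windows\System32\schtasks.exe|Cmd=schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 12:01',
    r'Time=2017-06-27T10:31:40|Host=WS01|Parent=C:\Windows\System32\rundll32.exe|Image=C:\Windows\System32\wbem\wmic.exe|Cmd=wmic /node:"10.0.0.25" /user:"CORP\admin" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1"',
    r'Time=2017-06-27T10:31:45|Host=WS01|Parent=C:\Windows\System32\rundll32.exe|Image=C:\Windows\dllhost.dat|Cmd=C:\Windows\dllhost.dat \\10.0.0.26 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1',
]

Event = Dict[str, str]


def parse_event(line: str) -> Event:
    """Split 'k=v|k=v' into a dict; only the first '=' of each field separates key and value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _image_name(ev: Event) -> str:
    return ev["Image"].rsplit("\\", 1)[-1].lower()


def scheduled_forced_reboot(ev: Event) -> bool:
    """schtasks creating a task whose action is a forced reboot (shutdown /r /f)."""
    cmd = ev["Cmd"].lower()
    return (_image_name(ev) == "schtasks.exe" and "/create" in cmd
            and re.search(r"shutdown(\.exe)?\s+/r\s+/f", cmd) is not None)


def rundll32_perfc_ordinal(ev: Event) -> bool:
    """rundll32 loading perfc.dat by export ordinal #1 (how the malware DLL was launched)."""
    cmd = ev["Cmd"].lower()
    return _image_name(ev) == "rundll32.exe" and "perfc" in cmd and "#1" in cmd


def wmic_remote_process_create(ev: Event) -> bool:
    """wmic against a remote node spawning a process: lateral movement with stolen credentials."""
    cmd = ev["Cmd"].lower()
    return _image_name(ev) == "wmic.exe" and "/node:" in cmd and "process call create" in cmd


def psexec_style_remote_exec(ev: Event) -> bool:
    """PsExec-style remote execution (\\\\host ... -accepteula -s -d), whatever the binary is named."""
    cmd = ev["Cmd"].lower()
    return re.search(r"\\\\[\w.\-]+\s+.*-accepteula", cmd) is not None and " -s " in cmd


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("scheduled_forced_reboot", scheduled_forced_reboot),
    ("rundll32_perfc_ordinal", rundll32_perfc_ordinal),
    ("wmic_remote_process_create", wmic_remote_process_create),
    ("psexec_style_remote_exec", psexec_style_remote_exec),
]


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (time, host, rule_name) for every event that matches a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                alerts.append((ev["Time"], ev["Host"], name))
    return alerts


def hosts_likely_infected(alerts: List[Tuple[str, str, str]], min_rules: int = 2) -> List[str]:
    """Hosts where at least `min_rules` distinct behaviours fired.

    A single scheduled reboot or a single remote wmic call can be legitimate
    administration; several of these behaviours on one host within minutes is not.
    """
    seen: Dict[str, set] = {}
    for _, host, name in alerts:
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) >= min_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for t, host, name in found:
        print(f"{t} {host}: {name}")
    print("likely infected:", hosts_likely_infected(found))
```

The rules key on behaviour (a task that forces a reboot, remote process creation with explicit credentials, a DLL run by ordinal) rather than on file hashes, so they still fire when the binaries are renamed, as the dropped PsExec copy was. The benign WS02 lines show why the per-host correlation matters: each rule on its own will occasionally match routine administration.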
- Apply Microsoft's MS17-010 update to every Windows system, and disable SMBv1 where it is not required. This closes the EternalBlue component of the attack; it does not stop spread via stolen credentials, hence the remaining points.
- Ensure that your security devices have been updated, including antivirus, anti-bot and IPS, so that you have the most recent signatures in place. The following AV vendors have confirmed updated signatures are in place for this malware: Cylance | Check Point | Fortinet | Sophos | Symantec | F-Secure | Malwarebytes | Microsoft | Kaspersky
- Advise users to be extra vigilant when receiving emails and browsing the internet. Emails with suspicious links or attachments should not be opened and their links should not be clicked.
- Ensure that your systems are backed up regularly and that offline backups are kept, since the malware will reach any backup that is reachable from an infected host with the credentials it harvests.
- Limit privileged access on your network. In particular, avoid using domain administrator accounts to log on to workstations, because the malware harvests the credentials of logged-on accounts from memory and reuses them to execute itself on every host those accounts can reach.
Finally, we would like to invite our clients to join us for our webinar on the topic, where our security experts will outline the threat in greater detail and offer advice in an interactive forum.
Please email firstname.lastname@example.org if you would like further advice on protecting against this threat.