Detect and Respond to 'Petya' Ransomware Attack

The NotPetya ransomware attack of July 2017, a Petya variant, is similar to the recent WannaCry attack that struck 230,000 computers globally. NotPetya uses the same exploit as WannaCry, Eternal Blue, to infect Windows-based computers across the network. All of the files on the victim's computer are encrypted, the master boot record is overwritten, and a message appears demanding $300 in Bitcoin. Unlike other types of ransomware, paying this fee does not restore access to the files, because the malware is designed so that its effects on the computer cannot be undone.

The Impact of NotPetya

NotPetya is ransomware in name only, owing to its predecessor, Petya. In reality, it is a malicious file-destroying piece of malware designed to wipe access to the machine and its files. NotPetya, WannaCry, and any malware using the Eternal Blue exploit can be prevented by applying the security update Microsoft provided for Windows-based operating systems.

While Petya has been around in several forms since 2016, the modified NotPetya variant's campaign began having a significant impact on June 27, 2017. The attackers' initial infection point was a compromised updater for a tax application commonly used in Ukraine. Approximately 80 companies had systems infected with this ransomware, with 80 percent of those impacted operating in Ukraine. However, NotPetya has a presence in Europe and the United States as well, albeit a limited one.

The National Bank of Ukraine was one of the most significant targets in this attack, along with the radiation monitoring system at Chernobyl. Outside of Ukraine, Heritage Valley Health System, DHL, and Merck & Co. were a few of the global organizations that fell prey to this malware.

Steps to Prevent the Eternal Blue Exploit

The patches that close the Eternal Blue exploit are available for all supported versions of Windows, and for the now end-of-life Windows XP as well. The most important thing you can do is keep your business network up to date on the latest operating system security patches. Ransomware using Eternal Blue can spread easily throughout an unpatched network, and if you don't have recent backups, you will lose the data on the infected machines.

Schedule your operating system updates at the enterprise level with systems such as WSUS, and don't neglect patching third-party software. While NotPetya used the Eternal Blue exploit in Windows environments, it also relied on machines being unpatched and unprotected, and therefore vulnerable, in order to succeed.

Your anti-virus applications need their signatures updated on a regular basis; otherwise your organization is exposed to malware that has already been identified and can be blocked. Many of the companies hit by NotPetya or WannaCry could have avoided infection entirely if they had kept their systems properly maintained.

Advanced solutions such as Endpoint Managed Detection & Response from NetWorks Group can offer robust protection from these types of attacks for your company, giving you immediate visibility into the threats against your endpoints, both malware and non-malware. NetWorks Group ensures endpoint protection policies are defined so you don't have to spend your resources unless there's a critical threat. The real-time information allows you to respond quickly to fast-paced situations that demand an instant response.

What to Do If You Get Infected

If you're already affected by NotPetya, you may be able to stop the encryption process by immediately powering down the impacted systems. Remove any connections they have to your network so the malware doesn't spread to your workstations, servers, and other endpoints. You should then reimage the machine or reinstall Windows on any endpoints that were infected by NotPetya.

Don't pay the requested ransom, as this version of NotPetya is incapable of decrypting your files. You need to turn to your backups, whether you keep essential data stored locally or in the cloud. Before you go through the restoration process, make sure that the system has been completely rebuilt. By depending solely on AV for cleanup, you risk reinfecting the network repeatedly.

Don't fall victim to exploits that have been patched for months. Validate that your patching policies are up to date and are being followed, so that your organization has a baseline of endpoint security.
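One way to carry out the patch validation called for here and in the prevention steps above, as an added example that is not part of the original post: a PowerShell audit of a single Windows host that reports whether an MS17-010 hotfix (the Microsoft update for Eternal Blue) is installed and whether the SMBv1 server that Eternal Blue abuses is still enabled. The KB list and the registry fallback are assumptions drawn from Microsoft's published guidance; confirm them against your own patch baseline.

```powershell
# Added example (not from the original post): audit one Windows host for the
# Eternal Blue exposure described above. Run in an elevated PowerShell session.
# Reports whether an MS17-010 hotfix is installed and whether SMBv1 is enabled.

# MS17-010 KB identifiers. Assumption: this list covers the common SKUs;
# confirm it against your own patch baseline.
$Ms17010Kbs = @(
    'KB4012598',                          # XP, Vista, Server 2003, Server 2008, 8
    'KB4012212', 'KB4012215',             # 7, Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216',             # 8.1, Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # 10 (1507, 1511, 1607)
)

function Get-Ms17010Hotfix {
    # Returns the MS17-010 KB ids present in the installed hotfix list.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older hosts fall back to the LanmanServer SMB1 registry value.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $params -ErrorAction SilentlyContinue
    # No SMB1 value means SMBv1 is enabled by default on those versions.
    if ($null -eq $reg -or $null -eq $reg.SMB1) { return $true }
    return ($reg.SMB1 -ne 0)
}

$installed = @(Get-Ms17010Hotfix)
$smb1On    = Test-Smb1Enabled
if ($smb1On) {
    $action = 'Disable SMBv1: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
} elseif ($installed.Count -eq 0) {
    $action = 'No MS17-010 KB found: verify the patch or cumulative update level'
} else {
    $action = 'OK: MS17-010 present and SMBv1 disabled'
}

[PSCustomObject]@{
    ComputerName = $env:COMPUTERNAME
    Ms17010Kbs   = ($installed -join ', ')
    Smb1Enabled  = $smb1On
    Action       = $action
} | Format-List
```

On Windows 10 and Server 2016 or later, newer cumulative updates supersede the March 2017 KBs, so a missing KB there is a prompt to check the build level rather than proof of exposure.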

Learn about Endpoint Managed Detection & Response
