In May 2017, the world got a wake-up call from the widespread WannaCry or WannaCrypt ransomware attack that infected computers and networks in institutions, businesses, and homes across the globe. Thankfully, the rampant damage of the WannaCrypt malware was cut short by its amateurish development, as it was semi-inadvertently mitigated by a built-in kill switch discovered by MalwareTech.
The expert advice at the time was clear:
- Patch your systems with MS17-010 (and for Pete’s sake, upgrade beyond Windows XP)
- Use your antivirus software and keep your virus definitions updated
- Be wary of suspicious email attachments
- Watch out—they’ll be back
That last bit of advice came true today. Early Tuesday morning, reports of ransomware attacks in Ukraine began trickling in. Then it spread to the rest of Europe and Russia. It even made its way to a hospital in Pittsburgh, PA, in the U.S.
We are still learning about this new ransomware attack. In fact, the community hasn’t really even settled on a name for it. People have recognized one aspect of it as a known ransomware called Petya. But this malware seems to pack a one-two punch, if not more. So, some are calling it NotPetya. For now, that’s what I’ll call it, too.
- NotPetya uses a similar exploit as WannaCrypt: EternalBlue, which targets a vulnerability in SMBv1 to infect computers. But it can also spread to other computers through WMIC and PsExec. So, if you patched during the WannaCrypt attack, you are only half-protected right now.
- NotPetya will first attempt to encrypt the MFT (Master File Table) on your hard drive, which prevents your computer from booting at all. If that fails, it lets the computer boot and then encrypts all your files, demanding payment in Bitcoin to unlock them. (The pre-boot encryption is Petya, and the post-boot one is Misha.)
- The message you’ll see is this: “If you see this text, then your files are no longer accessible because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
- NotPetya will also scan your computer for credentials (usernames and passwords) and send them to the hacker's server.
- Important: Posteo, the email provider for the address you're supposed to contact to get your decryption key, has already disabled the account. This means there is no way to get your data back by paying the ransom. Don't pay it.
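To put the first bullet into practice, here is an added PowerShell script (not from this article, and not from any product mentioned in it) that checks a Windows host against the three spread vectors listed above: whether SMBv1 is still enabled, whether one of the MS17-010 hotfixes is present, and whether the event logs show recent PsExec-style or WMIC-style remote execution on the host. The KB list, the cmdlet availability, and the event-log field names are assumptions, and each is flagged in the comments.

```powershell
# Added example, not code from the groovyPost article or from any product it
# mentions. Assumes Windows 8 / Server 2012 or newer for Get-SmbServerConfiguration
# and an elevated session for the hotfix and event-log queries.

# ASSUMPTION: partial, hand-picked list of March 2017 MS17-010 update KBs.
# Confirm the exact KB for your OS build against the Microsoft bulletin.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012598'                # out-of-band update for XP / Vista / Server 2003 / 8
)

function Test-Smb1Enabled {
    # Prefer the SMB server cmdlet; fall back to the legacy registry value on
    # hosts where the cmdlet does not exist. $true means SMBv1 is still on.
    $cmd = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cmd) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means the default, and the default on legacy Windows is enabled.
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-Ms17010Installed {
    param([string[]]$KnownKbs = $Ms17010Kbs)
    # Later cumulative updates supersede these KBs, so $false here is a prompt
    # to verify the patch level, not proof that the host is unpatched.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($installed | Where-Object { $KnownKbs -contains $_ })
}

function Get-RemoteExecIndicators {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $hits = @()

    # PsExec installs a temporary service named PSEXESVC on the target; the
    # Service Control Manager records that as System event 7045.
    $svc = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
        -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'PSEXESVC' }
    foreach ($e in $svc) {
        $hits += [pscustomobject]@{ Time = $e.TimeCreated; Vector = 'PsExec'; Detail = ($e.Message -split "`n")[0] }
    }

    # A command started remotely through WMI runs under the WMI provider host,
    # so the new process's creator is WmiPrvSE.exe. ASSUMPTION: process-creation
    # auditing (Security 4688) is enabled and the event carries the
    # "Creator Process Name" field (Windows 10 / Server 2016 and later).
    $proc = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Creator Process Name:\s+\S*WmiPrvSE\.exe' }
    foreach ($e in $proc) {
        $hits += [pscustomobject]@{ Time = $e.TimeCreated; Vector = 'WMIC'; Detail = ($e.Message -split "`n")[0] }
    }
    return $hits
}

function Get-NotPetyaExposure {
    # One object summarising the three vectors, plus the raw event hits.
    $findings = @(Get-RemoteExecIndicators)
    [pscustomobject]@{
        Smb1Enabled        = Test-Smb1Enabled
        Ms17010KbFound     = Test-Ms17010Installed
        RemoteExecEvents7d = $findings.Count
        Findings           = $findings
    }
}

Get-NotPetyaExposure | Format-List

# Remediation for the SMBv1 vector once nothing on the network still needs it
# (elevated session; a reboot may be required):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it from an elevated prompt. The SMBv1 result is the one to act on directly; a missing KB on a host that receives cumulative updates is a reason to check the patch level, not evidence of exposure, and remote-execution hits need to be compared against what your administrators legitimately do with PsExec and WMI.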
From the looks of it, NotPetya is a more professional version of WannaCrypt, without the bugs and kill switch. Security experts are still investigating and responding to attacks.
Action you should take now
Ransomware is dangerous because it encrypts all the files on your hard drive and on mapped drives. Want your data back? Pay the ransom to the hacker. A better strategy than hoping and waiting is to back up today. Here at groovyPost, we suggest a set-it-and-forget-it cloud backup. Our favorite service is CrashPlan, though Backblaze is fine too. CrashPlan protects you against ransomware because it backs up your files each time they change. So if you get infected and all your files are encrypted, no worries, kinda: you will need to wipe your hard drive, reinstall your OS, reinstall CrashPlan, and then restore your files from the previous day or week, from before they were encrypted.
I know, not ideal, but better than losing all your files.
Over the coming days, the NotPetya story will no doubt continue to develop. The best advice at this point is to ensure you have a solid backup of all your files and always practice safe online computing.
Do you have any information about NotPetya, WannaCry v2, or whatever they are calling it? Tell us about it in the comments.