
NotPetya Ransomware Outbreak Hits Organizations Globally

Organizations worldwide are currently under a cyber-attack involving what was originally believed to be the year-old Petya ransomware, but which is now being called "NotPetya" because it appears to be a never-before-seen ransomware family.

The attack has already hit Ukraine's central bank and Russian oil giant Rosneft. Government computers, airports, and large telecommunications companies in Ukraine appear to have been affected as well. US biopharmaceutical giant Merck also confirmed that its network has been compromised as part of the global attack.

"Kaspersky Lab's analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as originally reported, but a new ransomware that has not been seen before," the company said in a research note Tuesday afternoon. "That's why we have named it NotPetya."

Allan Liska, Intelligence Architect at Recorded Future, told SecurityWeek in an emailed statement that Spain and France were also hit, and that the first victims in the United States have started to emerge. Other security researchers observed attacks in the UK and India, and expect the outbreak to spread to other countries too.

The massive spread comes only a month and a half after WannaCry infected hundreds of thousands of computers worldwide by propagating via an NSA-linked SMB exploit called EternalBlue. According to security company Avira, the currently unfolding attack uses the same exploit to spread.

AlienVault also mentions the use of the EternalBlue exploit, which Kaspersky Lab has confirmed. According to Kaspersky, the malware leverages a modified EternalBlue exploit for propagation, at least within corporate networks. The ransomware also "leverages ARP scans and PsExec to spread. PsExec is dropped as dllhost.dat," AlienVault says.
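The two propagation behaviours reported above, ARP scanning and a renamed PsExec binary called dllhost.dat, are both observable from ordinary telemetry. The following is an added hunting example, not code from the page, the malware, Kaspersky or AlienVault: it flags any process calling itself dllhost that does not run as dllhost.exe from System32/SysWOW64 (the genuine COM surrogate's home), or whose command line mentions dllhost.dat, and it flags any host that sends ARP who-has requests for an unusually large number of distinct addresses within a short window. The process records and the tcpdump-style ARP lines are constructed samples, and the record field names are assumptions.

```python
"""Hunting helpers for the NotPetya spread pattern: PsExec dropped as dllhost.dat
and ARP sweeps of the local subnet. All records below are constructed samples
and the field names are assumed; this is an added example, not vendor code."""
import re
from collections import defaultdict

# Where the genuine COM surrogate dllhost.exe lives on Windows.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed process-creation records (Sysmon event 1 style; field names assumed).
PROCESS_EVENTS = [
    {"host": "ws01", "image": "C:\\Windows\\System32\\dllhost.exe",
     "cmdline": "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
    {"host": "ws01", "image": "C:\\Windows\\dllhost.dat",
     "cmdline": "C:\\Windows\\dllhost.dat \\\\10.0.0.12 -accepteula -s cmd.exe"},
    {"host": "ws02", "image": "C:\\Users\\Public\\dllhost.exe", "cmdline": "dllhost.exe"},
    {"host": "ws03", "image": "C:\\Windows\\SysWOW64\\dllhost.exe",
     "cmdline": "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
]


def suspicious_dllhost(event):
    """True when a process named dllhost runs from outside the system directories
    or without the .exe extension (the renamed-PsExec case), or when any command
    line refers to dllhost.dat at all."""
    image = event["image"].lower()
    base = image.rsplit("\\", 1)[-1]
    if "dllhost.dat" in event["cmdline"].lower():
        return True
    if base.startswith("dllhost"):
        return (not image.startswith(SYSTEM_DIRS)) or (not base.endswith(".exe"))
    return False


def psexec_dropper_hosts(events):
    """Sorted list of hosts with at least one suspicious dllhost execution."""
    return sorted({e["host"] for e in events if suspicious_dllhost(e)})


# Constructed `tcpdump -tt -n arp` lines: 10.0.0.5 sweeps 30 addresses in 1.5 s,
# while 10.0.0.9 makes three routine requests spread over 40 s.
ARP_LINES = [
    f"{1498500000 + i * 0.05:.6f} ARP, Request who-has 10.0.0.{i} tell 10.0.0.5, length 28"
    for i in range(1, 31)
] + [
    f"{1498500000 + i * 20:.6f} ARP, Request who-has 10.0.0.{t} tell 10.0.0.9, length 28"
    for i, t in enumerate((1, 2, 1))
]
ARP_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) ARP, Request who-has (?P<target>[\d.]+) tell (?P<src>[\d.]+)"
)


def arp_sweepers(lines, window=10.0, min_targets=20):
    """Map source IP -> peak number of distinct addresses it asked for inside any
    `window`-second span, keeping only sources that reached `min_targets`."""
    by_src = defaultdict(list)
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            by_src[m["src"]].append((float(m["ts"]), m["target"]))
    flagged = {}
    for src, reqs in by_src.items():
        reqs.sort()
        in_window = defaultdict(int)  # target -> requests currently inside the window
        lo, peak = 0, 0
        for ts, target in reqs:
            in_window[target] += 1
            while ts - reqs[lo][0] > window:  # slide the left edge of the window forward
                old = reqs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print("renamed PsExec seen on:", psexec_dropper_hosts(PROCESS_EVENTS))
    print("ARP sweepers:", arp_sweepers(ARP_LINES))
```

The dllhost rule deliberately goes a little beyond the single indicator in the text: the name is what an attacker chooses, so the check is "dllhost outside its proper home or with a non-.exe extension", which catches other renamed copies too. The ARP threshold of 20 distinct targets in 10 seconds is an assumed tuning value; set it from a baseline of your own subnets.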

According to Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, a sample of the newly observed ransomware that he examined appears to have been compiled a week ago.

The ransomware used in this attack demands a $300 ransom from its victims, and the first payments appear to have been made to the single hardcoded Bitcoin wallet it uses.

According to Recorded Future's Liska, other payloads might also be used in the attack: "There are also reports that the payload includes a variant of Loki Bot in addition to the ransomware. Loki Bot is a banking trojan, it steals usernames and passwords as well as other personal data from the victim machine and sends it to a command and control host. Which means this attack not only could make the victim's machine inoperable, it could steal valuable information that an attacker can take advantage of during the confusion."

Mitigation

Unlike WannaCry, the NotPetya ransomware does not appear to have a "kill switch" built in by its developers, but Cybereason Principal Security Researcher Amit Serper discovered a workaround that disables the malware on a given machine. "To activate the vaccination mechanisms users must locate the C:\Windows\ folder and create a file named perfc, with no extension name. This should kill the application before it begins encrypting files," Serper explained in a blog post.
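The workaround above is a per-host stopgap: the marker file has to exist on every machine before the malware reaches it, and it does nothing about the propagation paths. The following is an added example of applying and verifying it, not Cybereason's code; it assumes only what the quote states (an extensionless file named perfc in C:\Windows), additionally marks the file read-only so it is not casually overwritten, and is written so it can be run repeatedly. The real call needs rights to write to the Windows folder; the self-check uses a throwaway directory standing in for it.

```python
"""Apply and verify the perfc vaccination described above. Added example, not
Cybereason's code; assumes only an extensionless file named perfc in C:\\Windows."""
import stat
import tempfile
from pathlib import Path

WINDOWS_DIR = "C:\\Windows"  # real target; the self-check substitutes a temp directory


def vaccinate(windows_dir=WINDOWS_DIR, name="perfc"):
    """Create the empty marker file if it is missing and make it read-only.
    Returns (path, created); created is False when the file already existed."""
    path = Path(windows_dir) / name
    if path.is_file():
        return path, False
    path.touch()
    # The malware only checks for existence; read-only just keeps the marker
    # from being clobbered by a careless cleanup or overwrite.
    path.chmod(stat.S_IREAD)
    return path, True


def is_vaccinated(windows_dir=WINDOWS_DIR, name="perfc"):
    """True when the marker file is present."""
    return (Path(windows_dir) / name).is_file()


def selfcheck():
    """Run the full cycle against a throwaway directory standing in for C:\\Windows.
    Returns (before, created, created_again, after, read_only)."""
    with tempfile.TemporaryDirectory() as fake_windows:
        before = is_vaccinated(fake_windows)
        path, created = vaccinate(fake_windows)
        _, created_again = vaccinate(fake_windows)  # second run must be a no-op
        after = is_vaccinated(fake_windows)
        read_only = not (path.stat().st_mode & stat.S_IWUSR)
        path.chmod(stat.S_IREAD | stat.S_IWRITE)  # let cleanup delete it on Windows too
    return before, created, created_again, after, read_only


if __name__ == "__main__":
    print("self-check:", selfcheck())
    # On a Windows host with administrative rights, vaccinate() with the defaults
    # performs the real change and is_vaccinated() confirms it.
```

Push this (or the equivalent one-liner) through whatever you use for fleet-wide configuration, and record which hosts report is_vaccinated() as true; the marker buys time on machines that have not yet been patched, it is not a substitute for patching.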

The most important thing companies can do to stay safe from NotPetya and similar threats is to patch their systems, in particular with the MS17-010 SMB update that closes the EternalBlue vulnerability. Patching closes that path only; because the malware also spreads with PsExec, limiting administrative credentials and lateral SMB access inside the network matters as well.

*Updated with additional details and with information on the malware not being the original Petya. Headline updated accordingly. Additional reporting by Mike Lennon.
