8 things to know about NotPetya ransomware

Julio Franco


As reported yesterday, another major ransomware attack is spreading globally after hitting Ukraine and Russia. The large-scale attack has since affected thousands of business systems in at least 64 countries that are still running unpatched versions of the Windows operating system.

The 'NotPetya' malware is considered to be a derivative of Petya which spread last year, but it's also being compared to WannaCry because it also relies on a Windows exploit called EternalBlue. Here are some quick facts on this latest malware:

  • In the first 24 hours NotPetya has infected around 300,000 computers across the world.
  • The EternalBlue exploit uses a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. Microsoft issued a patch for this vulnerability in March 2017 for all affected Windows versions (Vista, 7, 8.1, 10, Server 2008, 2012, and Server 2016), but PCs must be configured to receive patches automatically or get manual updates installed.
  • The EternalBlue exploit is believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by hacker group "Shadow Brokers" on April 14, 2017.
  • Paying the NotPetya ransom is not recommended; in fact, it will do no good, since the email service that was being used to verify Bitcoin payments has been blocked. In other words, the hackers (if they ever intended to provide a remedy to the encryption) can no longer receive messages and verify that a victim has paid the ransom.
  • At last count, there had been 29 payments totaling $7,497 sent to the Bitcoin address.
  • According to Kaspersky Lab, unless an implementation mistake was made, there is little hope of decrypting files for victims already infected. The ransomware uses a solid encryption scheme.
  • Ukraine has been hit the hardest so far, with airports, machines managing infrastructure, and ATMs affected. Major corporations affected, according to a NYTimes report, include Russian energy company Rosneft, Danish shipping company AP Moller-Maersk, British advertising firm WPP, French multinational Saint-Gobain, American pharmaceutical giant Merck, and Russian steel and mining company Evraz, among others.
  • Security experts have been trying to find a killswitch to stop NotPetya, as they did with WannaCry earlier this year. So far, a partial remedy has been found by researcher Amit Serper, but only to prevent infection: simply create a file called "perfc" in the C:\Windows folder and make it read-only. This will trick the malware into thinking it's already on the computer.
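The read-only "perfc" file from the last bullet, as an added PowerShell example that is not part of the original post. It assumes an elevated session and that %SystemRoot% resolves to C:\Windows; the function name and its parameters are this example's own.

```powershell
# Added example (not from the original post): create the read-only
# %SystemRoot%\perfc file that NotPetya checks for before infecting a host.
# Assumes: run from an elevated PowerShell session; $env:SystemRoot is C:\Windows.
# Caveat: this only stops the local infection routine; it is not a substitute
# for the March 2017 SMB patch and does not recover files already encrypted.

function Set-NotPetyaKillswitch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Windows directory of this host (normally C:\Windows)
        [string]$WindowsDir = $env:SystemRoot,
        # File name the malware looks for, per the article
        [string]$Name = 'perfc'
    )

    $path = Join-Path -Path $WindowsDir -ChildPath $Name

    # Create the empty file only if it is not already there (idempotent)
    if (-not (Test-Path -LiteralPath $path)) {
        if ($PSCmdlet.ShouldProcess($path, 'Create empty kill-switch file')) {
            New-Item -Path $path -ItemType File | Out-Null
        }
    }

    # Set the read-only attribute so the file is not trivially overwritten
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        if (-not $item.IsReadOnly) {
            if ($PSCmdlet.ShouldProcess($path, 'Set read-only attribute')) {
                $item.IsReadOnly = $true
            }
        }
    }

    # Return a small status object so the result can be logged or audited
    $exists   = Test-Path -LiteralPath $path
    $readOnly = $false
    if ($exists) { $readOnly = (Get-Item -LiteralPath $path).IsReadOnly }
    [pscustomobject]@{ Path = $path; Exists = $exists; ReadOnly = $readOnly }
}

# Usage: apply and print the status; add -WhatIf to preview without changes
Set-NotPetyaKillswitch
```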


 
Welcome to the cyberpunk dystopia you role played in video games back in the 90s.
 
"The EternalBlue exploit is believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by hacker group "Shadow Brokers" on April 14, 2017."

andddddd this is why we can't have nice things
 
So 300,000 in 24 hours, that's 0.015% (give or take) of all computers used around the globe. Hardly anything to shout home about.
 
Author said:
simply create a file called "perfc" in the C:\Windows folder and make it read only. This will trick the malware into thinking it's already on the computer.

lol really? That simple? I wonder if it simply has to say "perfc" or if it has to have a certain file extension like .exe or .bat or something
 
Oh look, an NSA exploit used by hackers!?! And they want back doors into everything... How long until hackers find those back doors? Any backdoor is a security vulnerability.
 