As reported yesterday, another major ransomware attack is spreading globally after hitting Ukraine and Russia, the large-scale attack has since affected thousands of business systems in at least 64 countries that are still running unpatched versions of the Windows operating system.
The 'NotPetya' malware is considered to be a derivative of Petya which spread last year, but it's also being compared to WannaCry because it also relies on a Windows exploit called EternalBlue. Here are some quick facts on this latest malware:
- In the first 24 hours NotPetya has infected around 300,000 computers across the world.
- The EternalBlue exploit uses a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. Microsoft issued a patch for this vulnerability in March 2017 for all affected Windows versions (Vista, 7, 8.1, 10, Server 2008, 2012, and Server 2016), but PCs must be configured to receive patches automatically or get manual updates installed.
- The EternalBlue exploit is believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by hacker group "Shadow Brokers" on April 14, 2017.
- Paying the NotPetya ransom is not recommended, in fact, it will do no good since the email service that was being used to verify Bitcoin payments has been blocked. In other words, hackers (if they ever intended to provide a remedy to encryption) can no longer receive messages and verify a victim has paid the ransom.
- At last count, there had been 29 payments totaling $7,497 sent to the Bitcoin address.
- According to Kaspersky Lab, unless an implementation mistake was made, there is little hope of decrypting files for victims already infected. The ransomware uses a solid encryption scheme.
- Ukraine has been hit the hardest so far, affecting airports, machines managing infrastructure, and ATMs. Major corporations affected according to a NYTimes report, include Russian energy company Rosneft, Danish shipping company AP Moller-Maersk, British advertising firm WPP, French multinational Saint-Gobain, American pharmaceutical giant Merck, Russian steel and mining company Evraz, among others.
- Security experts have been trying to find a killswitch to stop NotPetya, as they did with WannaCry earlier this year. So far, a partial remedy has been found by researcher Amit Serper but only to prevent infection: simply create a file called "perfc" in the C:\Windows folder and make it read only. This will trick the malware into thinking it's already on the computer.