A modified version of Petya Ransomware is spreading fast !
While WannaCry continue to make victims (Honda in Japan some days ago), NotPetya is spreading fast infecting computers from corporates, power supplies and bank. It started with Ukraine, then Russia, Spain, France, UK, India …
What is NotPetya :
This new variant of Petya Ransomware, know as Petrwrap or NotPetya use same SMBv1 vulnerability than WannaCry to propagate fast (Thanks to NSA Hack tools that was leaked …).
But it exploit also WMIC (Windows Management Instrumentation Command-line) and PSEXEC (a replacement of Telnet on Windows Systems), 2 remote command tools from Microsoft to propagate. So it can infect PC previously patched against SMBv1 exploit (used for WannaCry).
Petya is more vicious because it didn’t just encrypt your files one per one, but encrypt the file system : This mean that your PC will stop to boot your OS but ask you $300 for the ransom key. Once you see the ransom message you will not even be able to mount and read your disk from a safe PC.
NotPetya in its variation is even worst because it really replace the MBT (Master Boot Table), so you can not recover even if you pay the ransom. Moreover the email address used for the ransom was disabled. So don’t loose time and money paying the ransom : it will not work !
So NotPetya is not an ransomware, it destroy your datas. It’s not made to make money.
Once your computer is infected, it start infecting other Windows PC in the same local network. Then one hour later it shutdown your PC, then write on MBR (Master boot record) and MBT (Master boot table), then encrypt your file system. And your screen will look like that :
So if your PC shutdown and you think you was targeted by this malware : keep it OFF. Then remove the hard disk and try to read and backup your important datas from a safe running PC (use an SATA->USB adapter to hotplug the disk).
- Update your PC : make sure you have last Windows update and Anti-virus update.
- Do a backup of all your important datas, then keep the backup in safe place and disconnected from your PC.
- Be really prudent about fishing (mail, web), and download software only from official web site.
- If you using accounting software that force you to keep using old version of MS-Windows, MS-Office, or weak technology (old 32bits web browser, Java plugin, ActiveX, Flash) : complain to the editor ! They must do their job updating their software not to force you using unsafe environment.
- If you have infected PC on your network, then unplug the network cable.
- If you have infected PC on your network and your PC reboot : Keep it OFF. then try to read your file from a safe PC.
- Warning : when you are in co-working place or free WiFi access the risk is higher. Better to activate your firewall in that case.
- If you have an old spare computer, don’t keep it with old version of MS-Windows, use it as backup system with a fresh Linux Install or buy an Raspberry Pi.
Where it come from :
Security experts say accounting program provider MeDoc was breached and NotPetya was spread via their software updates. Of course they deny it …
Lot of accounting softwares force users to keep old version of MS-Windows to work. So it really help to propagate.
It started in Ukraine, spread fast in Ukraine Government institutions, banks, firms and then to subsidiaries and partners sharing the same network.
As the NotPetya kill your PC pretty fast (one hour), and propagate via local network only, it explain that 90% of the victims are in Ukraine or company sharing local network here.
Be prepared to Worst later :
With longer incubation time for example it would had give a chance to laptops to infect PC on public WiFi access, home place or other company network.
With additional way of propagation (spreading stuff by email or skype to all victims contacts) it would be even worst …
They are more leaks about NSA/CIA Hacking Tools coming.
They was a big leak of Windows 10 code source last week, this should inspire some new attacks.
You will see variant of existing malware or new ones … and not only on MS-Windows.
So do updates of all your systems but also change default password (even your iOT devices).
So thing could have been worst, and you must be prepared to future stronger attacks !
Know Victims :
Infected Power Companies : Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers, “Kyivenergo” and “Ukrenergo”. The computers that mesures radioactivity at Tchernobyl are affected too.
Infected Banks : National Bank of Ukraine (NBU), Oschadbank
Infected Businesses : Maersk (Danish shipping company, but infected in UK and Ireland too), Antonov (aircraft manufacturer), Mondelez (Spanish food giant), DLA Piper (Legal firm), St Gobain (French construction materials), Mars, Nivea, Auchan, Merck (US Pharmaceutic group), US Hospital.
Infected Transport : Kiev’s metro, Kiev’s Boryspil Airport and postal services.
Infected Telecom : 3 Ukrainian telecommunication operators (Kyivstar, LifeCell, Ukrtelecom)
Look like actually 9 victims paid the ransom … for nothing, because it didn’t recover your datas.
– don’t pay, you will not get your files back because hacker email address have been suspended.
– if you are infected and your PC reboot, don’t power it up, then try to get your data from another PC or live CD. The encryption seem to be done after the restart.
– Amit Serper while searching for a kill switch found an vaccine for #NotPetya : Just create a file “C:\Windows\perfc” and made that file read only.