Arm your PC against the global NotPetya ransomware attack with these easy tips

NotPetya ransomware
Trend Micro
On June 26, 2017, a new type of ransomware called NotPetya began attacking computing systems across the globe. It originally targeted major systems in the Ukraine including banks, postal services, airports, power companies, and more. But it quickly spread outside its targeted zone, expanding across 64 countries including Brazil, Germany, Russia, and even the United States. We take a look at what this NotPetya ransomware is, what systems are affected, and how you can stand guard against this specific attack.

What is the NotPetya ransomware?

NotPetya (or Petwrap) is based on an older version of the Petya ransomware, which was originally designed to hold files and devices hostage in turn for Bitcoin payment. However, despite NotPetya’s attempt to collect money in its fast-moving global attack, it doesn’t appear to be strictly out for money. Instead, NotPetya is encrypting the filesystems of machines to damage companies. The ransomware aspect is apparently just a cover.

What makes NotPetya dangerous is that underneath the ransomware-based front is an exploit called EternalBlue, allegedly designed by the United States National Security Administration (aka the NSA). It targets a specific, vulnerable network protocol called Server Message Block (version 1) used for sharing printers, files, and serial ports between networked Windows-based PCs. Thus, the vulnerability allows remote attackers to send and execute malicious code on a target computer. The Shadow Brokers hacker group leaked EternalBlue in April of 2017.

The NotPetya ransomware also includes a “worm” component. Typically, victims fall prey to ransomware by downloading and executing malware disguised as a legitimate file attached in an email. In turn, the malware encrypts specific files and posts a popup window on the screen, demanding payment in Bitcoins to unlock those files.

However, the Petya ransomware that surfaced in early 2016 took that attack a step further by encrypting the PC’s entire hard drive or solid state drive by infecting the master boot record, thus overwriting the program that begins the Windows boot sequence. This resulted in an encryption of the table used to keep track of all local files (NTFS), preventing Windows from locating anything stored locally.

Despite its ability to encrypt an entire disk, Petya was only capable of infecting a single target PC. However, as seen with the recent WannaCry outbreak, ransomware now has the capability to move from PC to PC on a local network without any user intervention. The new NotPetya ransomware is capable of the same lateral network infestation, unlike the original Petya version.

According to Microsoft, one of NotPetya’s attack vectors is its ability to steal credentials or re-use an active session.

“Because users frequently log in using accounts with local admin privileges and have active sessions opens across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines,” the company reports. “Once the ransomware has valid credentials, it scans the local network to establish valid connections.”

The NotPetya ransomware can also use file-shares to multiply itself across the local network, and infest machines that are not patched against the EternalBlue vulnerability. Microsoft even mentions EternalRomance, another exploit used against the Server Message Block protocol supposedly conjured up by the NSA.

“This is a great example of two malware components coming together to generate more pernicious and resilient malware,” said Ivanti Chief Information Security Officer Phil Richards.

On top of NotPetya’s fast, widespread attack, there exists another problem: payment. The ransomware provides a popup window demanding victims to pay $300 in Bitcoins using a specific Bitcoin address, Bitcoin wallet ID, and personal installation number. Victims send this information to a provided email address that responds with an unlock key. That email address was quickly shut down once German parent email provider Posteo discovered its evil intent.

“We became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away,” the company said. “We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.”

That means any attempt to pay would never get through, even if payment were the goal of the malware.

Finally, Microsoft indicates that the attack originated with Ukrainian company M.E.Doc, the developer behind the MEDoc tax accounting software. Microsoft doesn’t appear to be pointing fingers, but instead stated that it has proof that “a few active infections of the ransomware initially started from the legitimate MEDoc updater process.” This type of infection, notes Microsoft, is a growing trend.

What systems are at risk?

For now, the NotPetya ransomware seems to be focused on attacking Windows-based PCs in organizations. For example, the entire radiation monitoring system located in the Chernobyl nuclear power plant was knocked offline in the attack. Here in the United States, the attack hit the entire Heritage Valley Health System, affecting all facilities that rely on the network, including the Beaver and Sewickley hospitals in Pennsylvania. The Kiev Boryspil Airport in the Ukraine suffered flight schedule delays, and its website was knocked offline due to the attack.

Unfortunately, there’s no information pointing to the exact versions of Windows the NotPetya ransomware is targeting. Microsoft’s security report doesn’t list specific Windows releases, although to be safe, customers should assume that all commercial and mainstream releases of Windows spanning Windows XP to Windows 10 fall within the attack window. After all, even WannaCry targeted machines with Windows XP installed.

Product Review

Spanning 49 inches, this gaming monitor is the next best thing to VR

Samsung has taken "ultrawide" to its new limit with its 49-inch gaming monitor, the CHG90. With a 144Hz refresh rate and ungodly amounts of screen real estate, it just might be the most impressive gaming monitor ever made.
Computing

Antivirus software has evolved a lot recently, and we need it more than ever

Everyone says you need it, but really is antivirus software, and how does it work? It depends on who you ask as different digital security companies employ different techniques to combat the latest malware threats.
Movies & TV

The best shows on Netflix, from 'The Haunting of Hill House’ to ‘The Good Place’

Looking for a new show to binge? Lucky for you, we've curated a list of the best shows on Netflix, whether you're a fan of outlandish anime, dramatic period pieces, or shows that leave you questioning what lies beyond.
Computing

Apple CEO demands Bloomberg retract its Chinese surveillance story

Apple CEO Tim Cook is calling on Bloomberg to retract a story alleging that Apple had purchased compromised servers that allowed the Chinese government to spy on Apple. Apple's investigation found no truth to the story.
Computing

Is the Pixelbook 2 still happening? Here's everything we know so far

What will the Pixelbook 2 be like? Has the Pixel Slate taken its place? Google hasn't announced it, but thanks to rumors and leaks, we think we have a pretty good idea of what the potential new flagship Chromebook will be like.
Social Media

How to turn off Safe Mode in Tumblr

If you've joined Tumblr after hearing tales about the social network's more adult communities, you may be disappointed by how family-friendly it seems. Here's how to turn off "Safe Search" in Tumblr and delve into the site's seedy…
Emerging Tech

Awesome Tech You Can’t Buy Yet: A.I.-powered cat toys, wallets, food containers

Check out our roundup of the best new crowdfunding projects and product announcements that hit the web this week. You may not be able to buy this stuff yet, but it sure is fun to gawk!
Computing

Choose your weapon wisely -- these are the best keyboards for gaming on your PC

Your PC isn't complete without one of the best gaming keyboards on the planet. We have a list spanning full-sized models to compact versions from Razer, Cooler Master, Corsair, Logitech G, and more.
Computing

Capture screenshots with print screen and a few alternative methods

Capturing a screenshot of your desktop is easier than you might think, but it's the kind of thing you'll probably need to know. Here's how to perform the important function in just a few, easy steps.
Virtual Reality

Oculus Rift, HTC Vive head-to-head: Prices drop, but our favorite stays the same

The Oculus Rift and HTC Vive are the two big names in the virtual-reality arena, but most people can only afford one. Our comparison tells you which is best when you pit the Oculus Rift vs. HTC Vive.
Computing

What's the best laptop? We've reviewed a lot of them, and this is our answer

The best laptop should be one that checks all the boxes: Great battery life, beautiful design, and top-notch performance. The laptops we've chosen for our best laptops you can buy do all that — and throw in some extra features while…
Emerging Tech

Looking for a good read? Here are the best, most eye-opening books about tech

Sometimes it's sensible to put down the gadgets and pick up a good old-fashioned book -- to read about the latest gadgets, of course. Here are the tech books you need to check out.
Gaming

The 'Fallout 76' beta starts tomorrow! Here's when it starts and how to join

Want to get into Bethesda's Fallout 76 beta? We don't know when the program will launch, but we provide instructions on how to get ready. The game officially launches on November 14.
Computing

Samsung’s HMD Odyssey Plus gives you a clearer view into the virtual world

Samsung's refreshed HMD Odyssey+ promises to make Windows Mixed Reality experiences better by eliminating pixelated views caused by screen doors. The $500 headset also focuses on comfort this year with ergonomic improvements.
1 of 2