Yesterday saw a ransomware attack similar to the one that had us trembling over WannaCry a few weeks ago. This time the culprit was NotPetya, a piece of malware with some similarities to last year's ransomware but which actually behaves differently.
The cyberattack has wreaked havoc especially in Ukraine, but it has spread to several Western countries, Spain among them. Analysis of it tells us how NotPetya operates, and although in certain cases it is possible to recover the data if we act in time, the advice for avoiding the chaos is always the same: keep the operating system updated and, of course, make backups regularly.
A ransomware that is not (necessarily) after our money
As explained in The Register, although this ransomware demands a $300 ransom paid to a bitcoin wallet, the motivation behind the attack seems very different. For example, it does not encrypt PNG files, and it focuses on files with the extensions of programming languages such as Python and Visual Basic, as the security expert the grugq explained.
One of the origins of the problem seems to have been the MeDoc accounting software, which is used massively by Ukrainian companies and government bodies.
The malware also uses infection vectors such as the EternalBlue exploit that was also used in WannaCry, plus another exploit called EternalRomance that uses TCP port 445, and tools such as PsExec (to execute commands on the machines it connects to).
All of these vulnerabilities (EternalBlue and EternalRomance, stolen from the NSA and leaked, had been patched by Microsoft months earlier with the MS17-010 patch) are exploited to infect machines and then propagate across local networks in a way similar to WannaCry. Curiously, NotPetya does not try to gain administrator privileges; instead it takes advantage of the "flat" structure of many business networks, in which an administrator at one end of the network can gain full access to the rest of the machines on it.
How to stop NotPetya: a kill-switch exists
According to analysis of this ransomware, between 10 and 60 minutes after infection the affected computer forces a restart, and on rebooting it shows a screen imitating a disk check (CHKDSK) which, although it appears to be checking the disk, is in fact encrypting various files on the computer.
One of the first measures if we are affected is to turn off the computer immediately if we see that disk-check screen. This lets us recover the files that have not yet been encrypted by starting the computer from a recovery CD or USB, such as a live Ubuntu USB, which gives access to the Windows file system so those files can be rescued to an external storage device.
A security expert named Amit Serper has discovered a way, theoretical for now, of avoiding infection: the kill-switch consists of creating a read-only file in the C:\Windows\ folder called "perfc" (with no extension). According to his findings, the malware scans that drive and, if it finds the file, does not infect the machine.
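As an added illustration (not code from the article or from Amit Serper), the following PowerShell snippet creates that read-only file on the local machine and verifies it. It assumes an elevated PowerShell session, since C:\Windows is a protected folder, and uses $env:SystemRoot, which normally resolves to C:\Windows.

```powershell
# Added example, not code from the article or from Amit Serper.
# Creates the read-only, extension-less file C:\Windows\perfc described above.
# Assumes an elevated (administrator) session, since C:\Windows is protected.

function Set-PerfcVaccine {
    param(
        # $env:SystemRoot normally resolves to C:\Windows
        [string]$Path = (Join-Path $env:SystemRoot 'perfc')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # Create an empty file with no extension, exactly as named in the article
        New-Item -ItemType File -Path $Path | Out-Null
    }

    # Mark it read-only, as the described kill-switch requires
    $file = Get-Item -LiteralPath $Path
    $file.IsReadOnly = $true

    # Return the resulting state so an administrator can confirm it
    Get-Item -LiteralPath $Path | Select-Object FullName, IsReadOnly, Length
}

function Test-PerfcVaccine {
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))
    # True only if the file exists AND is still read-only
    (Test-Path -LiteralPath $Path) -and (Get-Item -LiteralPath $Path).IsReadOnly
}

Set-PerfcVaccine
Test-PerfcVaccine
```

This is a local stopgap only; it does not replace applying MS17-010 and keeping backups, which the article itself recommends.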
Learning the lesson (one more time): backups and frequent updates
The WannaCry ransomware has already made many people aware of how important it is to keep operating systems, applications and services up to date, to prevent various cyberattacks from taking advantage of potential security holes in those systems.
To that we must add an equally important measure: making frequent backups that at least secure important files in safe locations (in the cloud or on external storage systems).
It is true that it is not always possible for companies to apply security updates as fast as they should, but still something must change in their mindset. The validation processes for these updates are long and involve ensuring that the company's critical applications are not affected, but these latest cyberattacks make clear the cost a company may have to bear when it suddenly has to shut down all its systems to deal with this ransomware.
For end users these obstacles do not exist, so we recommend using both methods and gaining some peace of mind. A 4 TB external hard drive costs only 100 dollars, while an attack like this usually asks for between 300 and 600 dollars, with no real guarantee of receiving the decryption key for the files it locked. Using an external drive or cloud storage does not seem like a bad investment, does it?
Cover | Gigazine