Petya ransomware goes global -- what's happening and how to protect yourself
The ransomware attack we reported yesterday may have begun in the Ukraine, but it spread rapidly across Europe and has now hit companies in Australia and the US including pharmacy giant Merck.
A variant of the Petya ransomware now being dubbed 'NotPetya', it spreads initially by phishing emails and once on a system the ransomware demands $300 in bitcoin. When it's installed on one system behind a firewall it's able to spread rapidly to others on the same network.
The attack uses the same delivery method as last month's WannaCry attack, an exploit known as 'EternalBlue' within the Microsoft Server Message Block (SMB v1) protocol. What's concerning is the rapid spread of the attack given that a patch to prevent this has been available for some time.
"EternalBlue exploits a known vulnerability within the SMB v1 protocol, which allows attackers to execute arbitrary code using specially crafted packets," says Paul Edon, director of international customer services at Tripwire. "Microsoft originally released a patch for supported Microsoft Operating Systems in mid-March 2017. After the WannaCry ransomware attacks, which also used EternalBlue to traverse networks, Microsoft released a further patch for legacy operating systems such as Windows XP and Windows Server 2003. Patch Management is a Foundational Control that forms an important part of the technical security strategy. If for reasons of legacy or critical operations these patches cannot be deployed, then it is crucial that organizations assess the risk accordingly and use further mitigating controls to monitor and protect those systems."
The security update MS17-010 is available from Microsoft TechNet for anyone who has yet to apply it. Stu Sjouwerman, CEO of security awareness training firm, KnowBe4 says, "If you have not done so yet, apply this patch immediately. From what we have been able to learn, this new worm spreads through SMB just like WannaCry so when we're talking about machines behind firewalls being impacted, it implies ports 139 and 445 being open and at-risk hosts listening to inbound connections. It would only take one machine behind the firewall to become infected to then put all other workstations and servers at risk due to it being a true worm." Sjouwerman also recommends that staff be reminded to "Think Before They Click" when they receive any out of the ordinary emails.
Cyber security company Cybereason has discovered a kill switch for the infection. NotPetya searches for its own filename in the C:\Windows\ folder before installing and teminates if it’s found. Creating a file named perfc, with no extension name in C:\Windows\ should kill the infection before it can encrypt files. More details on the Cybereason blog.
So far, despite the disruption it's causing, the attack doesn't seem to be bringing its perpetrators much financial reward. As of 2:30 pm EST yesterday, blockchain records show that 27 transactions have been made to the target wallet, totaling just $6,820.