NotPetya: different Ransomware, same solutions.

Another wave of ransomware has been hitting companies, hospitals, airports, banks, and government systems alike around the world, mostly within Ukraine, but also affecting computers in France, Denmark, and the US. Kaspersky Lab reported earlier that more than 2000 attacks have been noted thus far. Like other ransomware, NotPetya has locked down computer systems and demanded bitcoin payment to restore them, though at present there is no longer any way to obtain the decryption key, as the email address provided was shut down.

The protection for this is embarrassingly simple:

Update your Windows systems. All of them.


If you have already updated all of the computers on your network after the WannaCry attacks, then your systems should be safe... provided every single system and computer on your local network has actually been updated.

This malware, a version of Petya, uses the exact same EternalBlue exploit method as WannaCry to begin its infection. However, it also locates passwords within the infected machine's memory and uses them to move through the local network, using other code to then spread onto computers on the same network, even if those computers had been updated to be safe from EternalBlue's exploit. This combination has enabled it to spread rapidly within any network it has been able to access: if even one single unpatched computer is on the network, the malware can potentially gain administrative passwords and spread like wildfire through the entire network, locking down every computer.

Sometimes, a single machine on a network may be missed, whether it is running an old operating system, is a rarely-touched machine in a back corner, a laptop, or even a new Windows 10 computer that simply hadn't been updated yet. That computer, if it is on your network, could potentially open the door to your entire business being locked down under ransom with no way to unlock it even if you pay the ransom.
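One way to find the missed machine, as an added example that is not part of the original article: compare the hosts actually seen on the network with what the patch-management report says about them. The host names, addresses, CSV columns and the 30-day check-in threshold are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: hosts actually seen on the LAN (e.g. a DHCP lease export).
OBSERVED_HOSTS = """hostname,ip
FIN-PC01,10.0.0.11
FIN-PC02,10.0.0.12
RECEPTION-OLD,10.0.0.40
LAPTOP-KR,10.0.0.57
WIN10-NEW,10.0.0.63
"""

# Constructed patch-management export; the column names are assumptions.
PATCH_REPORT = """hostname,os,eternalblue_fix_installed,last_checkin
fin-pc01,Windows 7,yes,2017-06-20
FIN-PC02,Windows 7,yes,2017-06-21
LAPTOP-KR,Windows 8.1,yes,2017-04-02
WIN10-NEW,Windows 10,no,2017-06-26
"""

AUDIT_DATE = date(2017, 6, 27)  # constructed "today" for the sample data


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(observed_csv, patch_csv, today, max_age_days=30):
    """Map each observed host that cannot be shown to be patched to a reason."""
    # Host names are compared case-insensitively, as Windows treats them.
    managed = {r["hostname"].strip().upper(): r for r in _rows(patch_csv)}
    gaps = {}
    for row in _rows(observed_csv):
        name = row["hostname"].strip().upper()
        record = managed.get(name)
        if record is None:
            gaps[name] = "unmanaged: on the network but absent from the patch report"
        elif record["eternalblue_fix_installed"].strip().lower() != "yes":
            gaps[name] = "unpatched: reported without the EternalBlue fix"
        else:
            age = (today - date.fromisoformat(record["last_checkin"])).days
            if age > max_age_days:
                gaps[name] = f"stale: last check-in {age} days ago, status unverified"
    return gaps


if __name__ == "__main__":
    for host, reason in sorted(find_gaps(OBSERVED_HOSTS, PATCH_REPORT, AUDIT_DATE).items()):
        print(f"{host:15} {reason}")
```

A host that reports as patched but has not checked in recently is listed as well, because its status cannot be confirmed until it is seen again.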

Always have a Backup Plan!

If you do not already have a regular, tried-and-tested backup procedure in place, this is a good reminder of why it is important to have one!

This particular ransomware appears unrecoverable, since the email address from which the hackers had communicated decryption methods was shut down: the only way to recover from this infection would be restoring the system from a backup.

Other risks beyond ransomware also exist, ranging from numerous other computer infections to malicious hacking, which a system restore from an established backup could remove while returning your files and systems to working order. Backups need to be external to the system and kept offline, or they too can be infected by malware such as this that proliferates within a network all on its own.

Avoid the dreaded "Ooops, your important files are encrypted." Do not become the next victim! Contact us and ask about our virtual CISO service; Tiro Security can provide a risk assessment on your business to ensure that you don't have gaps in your security program that could be exploited in this way.

