NotPetya: A wiper disguised as ransomware

What is NotPetya?

At first it was thought that the malware was a new version of the Petya ransomware from 2016 or a complex Petya-like package. But according to expert analysis, the malicious software was not a ransomware after all. As noted by researchers, NotPetya’s code is too aggressive for a typical ransomware, as it is incapable of recovering the data of infected systems.

Most ransomware is intended to only encrypt data until a ransom is paid, but NotPetya doesn’t appear to be designed for this purpose. An email address provided in a ransom message was reported to be suspended, which means that there is no way to contact hackers in order to request a decryption key. On top of that, NotPetya gives the same Bitcoin payment address for every victim, instead of generating a custom one for each case, which is not common for a professionally developed ransomware.

According to updates from security researchers, NotPetya is wiper malware, not ransomware. The fast-spreading malware was designed to cause damage by shutting down critical system infrastructures and making data impossible to recover. It is speculated that accrediting the attack as a ‘ransomware’ was only a ‘cover’ to exploit media interest, making use of the buzz around WannaCry ransomware attacks.

The Ukrainian authorities argued that NotPetya masks a state-sponsored attack targeted against countries’ institutions – the attack emerged in Ukraine affecting banks, airports, and energy companies. Nevertheless, the true origins and motives of the attack remain unclear.

How did NotPetya spread?

Just like WannaCry ransomware, NotPetya targeted computers running the Windows operating system. NotPetya used EternalRomance to seed itself. The EternalRomance vulnerability was developed to gain access to computers through SMBv1 legacy protocol, available on Microsoft Windows.

NotPetya spread through phishing emails containing malicious attachments. Once a user opens such an attachment or clicks a link, the malware infects the computer. It waits for an hour and then forces the machine to reboot, which is required to encrypt the system files. After the reboot, a ransom message appears asking the user to pay $300 in bitcoin. In return, the message claims, the data can be decrypted. However, it seems that there is no point in victims paying the ransom, as NotPetya isn’t really ransomware at all.

How to protect your system

The NotPetya tends to spread within internal networks, instead of infecting external systems, and this might have had an impact on slowing down the infection rate. Despite that fact, it is still important to take some precautions. Here’s what you can do to protect your system from the attack:

• Be aware of unusual messages. If you encounter a “Check Disk” note, power off your machine immediately. This will stop the encryption process initiated by the ransomware.
• One way to prevent your device from getting infected is to create read-only perfc.dat file: go to C:Windows folder, create a file named perfc.dat and make it read-only.
• If you have received a suspicious email from your bank or any other service provider, delete it immediately. Most importantly, do not download and open the attachments or click any links it may contain.
• Always update your system to receive security patches for the latest vulnerabilities, as hackers can exploit out-of-date operating systems and applications..

You should also keep a backup of your files and use reputable anti-virus software. For additional safety, using a VPN service, like NordVPN, is recommended. NordVPN offers robust protections against websites known to spread malware, and can prevent man-in-the-middle attacks.