Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown
Blog News

NotPetya – a Wiper Disguised as Ransomware?

Eglė Juodytė

Eglė Juodytė

Jun 29, 2017 · 3 min read

NotPetya – a Wiper Disguised as Ransomware?
Starting Tuesday (June 27), a major cyber attack has been hitting Windows computers in Europe and the US. Firstly thought of being a ransomware, the malware dubbed NotPetya appears to be designed to permanently destroy data instead of making money. The malicious software has already affected more than 2,000 global targets, including large companies such as advertising giant WPP, confectionary and beverages maker Mondelez International and Danish shipping firm Maersk.

How is NotPetya spreading?

Just like WannaCry ransomware that has struck the world less than two months ago, NotPetya targets computers running on Windows operating system. The NotPetya uses EternalRomance – one of the leaked NSA-built exploits – for seeding itself. The EternalRomance vulnerability is developed to gain access to a computer through SMBv1 legacy protocol, available on Microsoft Windows. The way NotPetya reaches Windows computers is through phishing emails containing a malicious attachment. Once a user opens such attachment or clicks a link, the malware infects the computer. It waits for an hour and then forces machine to reboot, which is required to encrypt the system files. After the reboot, a ransom message asking to pay $300 in bitcoin in order to decrypt and regain access to the files appears on a screen. However, it seems that there is no point for victims to pay the ransom, as it was discovered that NotPetya might be something more serious than a ransomware.

So what is NotPetya?

At first it was thought that the malware is a new version of Petya ransomware from the 2016 or a complex Petya-like package. But according to the latest expert analysis, the malicious software appears to be not a ransomware after all. As noted by researchers, Tuesday’s NotPetya’s code is too aggressive for a typical ransomware, as it is incapable of recovering data of infected systems. Since the idea behind ransomware attacks is making money by giving the locked data back after ransom payment is received, the mechanism of NotPetya looks inaccurate. An email address provided in a ransom message was reported to be suspended, which means that there is no way to contact hackers in order to request a decryption key. On top of that, NotPetya gives the same Bitcoin payment address for every victim, instead of generating a custom one for each case, which is not common for a professionally developed ransomware. According to the latest updates from security researchers, NotPetya is a wiper, not a ransomware. The fast-spreading malware was designed to cause damage by shutting down critical system infrastructures and making data impossible to be recovered. It is speculated that accrediting the attack as a ‘ransomware’ is only a ‘cover’ to exploit media interest, making use of the recent WannaCry ransomware attack buzz. The Ukrainian authorities argue that NotPetya masks a state-sponsored attack targeted against country’s institutions – the attack emerged in Ukraine affecting banks, airport and energy companies. Nevertheless, the true origins and motives of the attack remain unclear.

How to protect your system?

The NotPetya tends to spread within internal networks, instead of infecting external systems, what might have had an impact on slowing down the infection rate. Despite of that, it is still important to take some precautions. Here’s what you can do to protect your system from the latest cyber attack:
  1. Be aware of unusual messages – in case you encounter a “Check Disk” note, power of your machine immediately. This will stop the encryption process initiated by the ransomware.
  2. One way to prevent your device from getting infected is creating read-only perfc.dat file: go to C:Windows folder, create a file named perfc.dat and make it read-only.
  3. If you have received a suspicious email from your bank or any other service provider, delete it immediately. Most importantly, do not download and open the attachments or click links it may contain.
  4. Do not close pop-ups that warn about a malware by clicking on them; use your keyboard shortcuts instead.
  5. Always update your system to receive security patches for latest vulnerabilities, so hackers could not exploit them.
Also, you should always keep a backup of your files and use reputable anti-virus software. For additional safety, using a VPN service, like NordVPN, is recommended. It protects you from malware that spreads through online access points, especially when connected to public WiFi networks. VPN encrypts your Internet data and your activity online with the most advanced security protocols. Nevertheless, it is up to you to decide whether it is safe to download a specific file, as files from untrusted sources potentially may be infected with malware.