Reason Core Security discovered Petya/NotPetya ransomware on June 27, 2017 through its real-time protection feature, detecting it as Ransomware.Petya. This threat was discovered during its attempt to send malicious commands to Windows components. Petya/NotPetya may be an upgraded version of the older Petya ransomware, which first surfaced about a year ago, but according to some security firms, it’s an entirely new variant, prompting its other name, NotPetya.
Unlike common ransomware, which encrypts certain types of files such as documents or images, this variant aims to block access to the entire hard drive.
RCS users were protected from this threat from the moment it was first discovered, so their systems were safe. As of now, other security programs have also been able to protect against the ransomware.
What We Know
Unlike WannaCry, there is no known kill switch for this threat yet, so the outbreak is spreading much faster. Petya/NotPetya replaces the boot loader in the Master Boot Record (MBR), forcing users’ computers to load its malicious code instead of the operating system installed on the PC. Asymmetric encryption with long keys makes it impossible to decrypt files without the key, which the offender politely offers its victims for a fee, of course.
This new/not-new variant found its way onto users’ computers through fraudulent Dropbox links. Thousands of HR employees received an email containing what claimed to be a link to a résumé sent by a job applicant. Of course, users never got the CV; they got a blue screen instead, which meant that Petya had started its encryption process. Dropbox has since removed all remnants of Petya from its storage.
Reason Core Security specialists noted that when the malware runs with Administrator permissions, it is able to encrypt the computer’s MBR (master boot record). If it is running only under a standard user account, it instead encrypts files on the drive whose extensions match its built-in list of targeted file types.
Petya/NotPetya has allegedly been using the NSA EternalBlue exploit, and it also spreads throughout internal networks with WMIC and PsExec. Because WMIC and PsExec are legitimate administration tools rather than a software flaw, even systems patched against EternalBlue can still be reached this way.
The attacks originated in Eastern Europe, Ukraine and Russia, early on June 27, 2017, and went global in a matter of hours.
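Because the damage described above starts with the boot code in the MBR being replaced, a simple defensive check is to compare a freshly captured MBR image against a known-good baseline. The following is an added example written for this post, not Reason Core Security’s code: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code, and reports any deviation from the baseline hash or any malformed partition table. The two MBR images and the baseline hash are constructed inline for the example; on a real system you would feed it a sector captured with dd or a raw device read, which needs administrator or root rights.

```python
"""Offline MBR integrity check (added example, not Reason Core Security's code).

A defender who keeps a hash of the known-good boot code can spot a replaced
boot loader by comparing a fresh 512-byte MBR image against that baseline.
The sample MBR images below are constructed for this example.
"""
import hashlib
import struct

MBR_SIZE = 512           # one disk sector
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xAA"  # bytes 510..511

# Partition entry: status, CHS start (3 bytes, ignored), type, CHS end (3 bytes,
# ignored), LBA of first sector, sector count; all little-endian.
PART_FMT = "<B3xB3xII"


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition table entries as dicts (empty entries included)."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba_start,
                      "sectors": sectors, "bootable": status == 0x80})
    return parts


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> dict:
    """Compare an MBR image against a known-good boot code hash and sanity-check its layout."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("image is not exactly 512 bytes")
        mbr = mbr[:MBR_SIZE].ljust(MBR_SIZE, b"\x00")
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    boot_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if boot_hash != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition marked active")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i} has invalid status byte 0x{p['status']:02x}")
    return {"boot_code_sha256": boot_hash, "partitions": parts,
            "findings": findings, "clean": not findings}


def read_mbr(path: str) -> bytes:
    """Read the first sector from a disk image or raw device (a live disk needs admin/root)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR image; used here only to construct the sample data."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_FMT, *entry) for entry in partitions).ljust(64, b"\x00")
    return boot + table + SIGNATURE


# Constructed sample data: one NTFS-type (0x07) active partition starting at LBA 2048.
PARTITIONS = [(0x80, 0x07, 2048, 204800)]
BASELINE_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTITIONS)
BASELINE_HASH = hashlib.sha256(BASELINE_MBR[:BOOT_CODE_LEN]).hexdigest()
# Tampered image: the boot code is replaced while the partition table is left intact,
# so the disk still looks normal to a partition listing.
TAMPERED_MBR = build_mbr(b"\xeb\x3e\x90" + b"\xcc" * 40, PARTITIONS)

if __name__ == "__main__":
    for name, img in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(img, BASELINE_HASH)
        print(name, "clean" if result["clean"] else "FINDINGS: " + "; ".join(result["findings"]))
```

The baseline hash should be recorded while the machine is known to be clean and stored off the host, since anything running with Administrator rights on the box can rewrite both the MBR and a locally stored baseline. The check is a point-in-time comparison, not a boot-time guard; it tells you the boot code changed, not who changed it.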
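Since the WMIC and PsExec spreading mentioned above works on patched machines, detecting it in endpoint telemetry matters more than patching alone. The following is an added example written for this post, not Reason Core Security’s code: it runs a few detection rules over process-creation and service-install records in a normalised shape (host, event type, image, parent image, command line, service name) such as an EDR or Sysmon pipeline might produce. The records are constructed for the example. The rules look for WMIC invoked with a remote node and `process call create`, for processes spawned by the WMI provider host (WmiPrvSE.exe) on the receiving machine, for the PsExec client, and for the PSEXESVC service that PsExec installs on its target.

```python
"""Detection rules for WMIC/PsExec lateral movement (added example, not Reason
Core Security's code). The events below are constructed records in a normalised
shape; adapt the field names to whatever your log pipeline emits.
"""
import ntpath
import re

WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)                 # remote target given
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)  # remote process start


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path or "").lower()


def detect_lateral_movement(events: list) -> list:
    """Return one alert dict per event that matches a WMIC or PsExec spreading rule."""
    alerts = []
    for ev in events:
        host = ev.get("host", "?")
        kind = ev.get("event")
        if kind == "service_install":
            # PsExec installs a service named PSEXESVC on the machine it is run against.
            if ev.get("service_name", "").upper() == "PSEXESVC" or basename(ev.get("image")) == "psexesvc.exe":
                alerts.append({"host": host, "rule": "psexec_service_install", "detail": ev.get("image")})
            continue
        if kind != "process_create":
            continue
        image = basename(ev.get("image"))
        parent = basename(ev.get("parent"))
        cmd = ev.get("cmdline", "")
        if image == "wmic.exe" and WMIC_REMOTE.search(cmd) and WMIC_CREATE.search(cmd):
            # Sending side: WMIC told to start a process on another host.
            alerts.append({"host": host, "rule": "wmic_remote_process_create", "detail": cmd})
        elif parent == "wmiprvse.exe":
            # Receiving side: the WMI provider host spawned the new process.
            alerts.append({"host": host, "rule": "process_spawned_by_wmi_provider",
                           "detail": f"{image} <- {parent}"})
        elif image in ("psexec.exe", "psexec64.exe"):
            alerts.append({"host": host, "rule": "psexec_client_launch", "detail": cmd})
    return alerts


# Constructed sample telemetry: three hostile-looking records and two benign ones.
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "process_create", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /node:"10.0.0.12" /user:"CORP\svc_admin" process call create "cmd.exe /c echo test"'},
    {"host": "WS02", "event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "cmd.exe /c echo test"},
    {"host": "WS03", "event": "service_install", "service_name": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS01", "event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe report.txt"},
    {"host": "WS01", "event": "process_create", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wmic os get caption"},  # local query
]

if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['rule']}: {alert['detail']}")
```

The WmiPrvSE parent rule is the noisiest of the four, because legitimate management agents also start processes through WMI; baseline which parent/child pairs are normal in your environment before alerting on it. The PSEXESVC rule is the most reliable single signal, but an attacker can rename the service, so it should be combined with the client-side and WMI rules rather than relied on alone.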
Tips to Avoid Petya/NotPetya and Ransomware in General:
- Ransomware often spreads through infected links, so avoid clicking on shady links and opening unexpected email attachments.
- Be sure to have a backup and disaster recovery plan in case you do get infected. You don’t want to pay the decryption fee; doing so shows attackers that you’re a good candidate for reinfection.
- Make sure to keep your OS fully updated. Ransomware can infiltrate through known weaknesses and vulnerabilities; security patches close those holes, but it’s up to you, the end user, to apply them.
Stay tuned to the RCS blog for further updates on this emerging situation. As soon as we know more, we’ll let you all know.