Well, it looks like the world didn’t learn its lesson from the WannaCry ransomware that wrecked supposedly secure networks all around the world last month. There’s a new kid on the block using the same attack strategy: a ransomware worm that behaves very similarly to WannaCry in its execution, and asks people to pay in Bitcoin for access to their data. There are also workarounds if you are infected, which help significantly in recovering from an infection.
NotPetya (named for its similarities with, but also differences from, the 2016 Petya malware) is a much simpler ransomware than WannaCry was, and it’s clear that the aim isn’t to actually make the creators any money. For starters, the ransomware locks up your files using a simpler encryption mechanism, but it doesn’t protect them that well (in fact, a decryptor is already available for it on GitHub). The ransomware’s instructions also ask you to install the Tor browser and to buy a decryption key straight off a website hosted on the Tor network, which you can then use to unlock your files.
Like WannaCry, it asks for $300 in Bitcoin to be paid to a particular wallet (which has accepted 45 payments thus far). Unlike WannaCry, it doesn’t raise the fee after a time limit is reached, a tactic that gave the WannaCry creators much more bargaining power over desperate PC owners who wanted their files back. There are multiple versions of NotPetya, some of which are better translated than others, and some of which ask you to send payment confirmation to an email address instead of registering it on the .onion website on the Tor network.
Unlike WannaCry, NotPetya does not hide its encryption keys or algorithms that well, and it was broken in a matter of hours. WannaCry would hold the encryption key in RAM before the system was rebooted, so there was always a way to extract that and figure out how to break the encryption if you were newly infected. NotPetya uses its own encryption software and it’s not as robust, which is why it can be thwarted so easily.
NotPetya uses some of the same methods to spread through a network that WannaCry employed, but it doesn’t outright attack networks open to the internet, nor does it try to scan the rest of the internet’s IP addresses to find another victim. Instead, it gets onto a network first through an email carrying the virus payload, typically inside a PDF file or a ZIP archive, and requires a password from the user. Once it gets the password, it copies itself into one of several folders inside the operating system and alters the hard drive’s boot files so that it persists between reboots (or, at least, one of the versions of NotPetya does this).
It then spreads through the network using known exploits for Windows XP, Vista, 7, and Windows 8/8.1. Windows 10 is unaffected, because most users have had their systems patched to prevent attacks like these from spreading inside a network. Like WannaCry, it can make use of the NSA-made EternalBlue hacking tool to gain access to systems running an unpatched version of Windows, or it can use the host to directly attack another machine through a Windows file sharing service exploit. Once inside other machines or a server, it can remotely execute code that scrapes all user passwords on the machine.
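A defender-side check for the two conditions the paragraphs above tie together (the SMB file sharing service that EternalBlue targets, and whether the fix for it is in place), as an added example that is not part of the original article. It assumes an elevated PowerShell session on the Windows host being audited; the MS17-010 KB numbers are the March 2017 packages and are an assumption of this example, not something the article lists.

```powershell
# Added example, not code from the article. Audits one Windows host for the
# two conditions the article links to NotPetya's lateral movement: SMBv1 still
# enabled, and the MS17-010 (EternalBlue) fix absent. Run in an elevated shell.
#
# Assumption: the KB ids below are the original March 2017 MS17-010 packages.
# Later cumulative updates supersede them, so "no KB found" on a current
# Windows 8.1/10 build means "check update history", not "unpatched".
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012598', 'KB4012606',
                'KB4013198', 'KB4013429')

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the switch via the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Vista: the LanmanServer SMB1 value; absent means enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Get-InstalledMs17010 {
    # Get-HotFix lists installed updates by KB id; keep only the MS17-010 ones.
    Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

$smb1Enabled = Test-Smb1Enabled
$fixes       = @(Get-InstalledMs17010)

"Host:              $env:COMPUTERNAME"
"SMBv1 enabled:     $smb1Enabled"
"MS17-010 KBs seen: $(if ($fixes) { $fixes -join ', ' } else { 'none' })"

if ($smb1Enabled) {
    Write-Warning 'SMBv1 is on; EternalBlue-style exploits target this protocol.'
    Write-Warning 'Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if (-not $fixes) {
    Write-Warning 'No MS17-010 package found; confirm a superseding rollup is installed.'
}
```

Run it across a fleet with `Invoke-Command` against a list of hosts to get the same three-line report per machine.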
So if you or someone you know is in the habit of opening files from people you don’t know, or files that require you to enter your password, don’t open those emails and don’t click any links you might find in there. If you can do that, you’re safe from this kind of infection. There will be more attacks like these in the future though, and there are increasingly sophisticated methods of getting ransomware on your computer these days.
Unfortunately, system admins who haven’t updated their computers in the weeks since WannaCry made headlines around the world will have to now patch their systems pronto. Having two widespread ransomware attacks gain speed in such a short period of time is more than enough reason to update your network.