On Tuesday, hundreds of companies around the world began reporting that their systems had been hit by a new ransomware attack. Kaspersky Lab is tracking the malware as ExPetr (it is also widely called NotPetya), and it spreads using exploits from the NSA toolset that The Shadow Brokers leaked earlier this year.
This latest ransomware works much like last month's WannaCry campaign: it locks up systems and encrypts files until the victim pays a ransom of $300 in Bitcoin. The code that does so is, however, different at its core.
Cyber criminals are doubling down on attacks like these because they have proved both successful and profitable. WannaCry accomplished its mission last month, and a Korean hosting company paid roughly $1 million to data kidnappers earlier this month under similar circumstances.
#ICYMI Status #ExPetr #NotPetya #Petya
Report https://t.co/yh5y7WCcun Home user https://t.co/yddR7UCysa Biz Cust https://t.co/O10HBzoXZU pic.twitter.com/tddsVohv8E
— Kaspersky Lab (@kaspersky) June 27, 2017
How does NotPetya or ExPetr work?
Kaspersky Lab has been chasing NotPetya, a.k.a. ExPetr, since this morning and has traced its spreading mechanism to modified versions of the EternalBlue and EternalRomance exploits.
Both exploits come from the NSA's arsenal and were published in April by The Shadow Brokers, an anonymous group believed by some to have ties to the Russian government.
The ransomware shares several code strings with Petya, an earlier family that locked victims' hard drives and rose to prominence more than a year ago, which is why it was initially taken for a Petya variant. Kaspersky's analysis, however, indicates the two are not related.
Security experts say that ExPetr, like Petya and earlier ransomware, gets into corporate networks through outdated operating systems and software. Once inside, it does not depend on unpatched machines alone: a single compromised machine is enough to take down the rest of the network.
NotPetya harvests credentials from the infected system and uses them to log on to other computers on the network, so fully patched machines can be infected too. After infection it waits roughly an hour before rebooting and displaying the ransom screen. The ransom note tells victims not to waste their time trying to recover their files on their own.
Kaspersky warns that this campaign could prove more effective than WannaCry, and its payment scheme is also different: rather than simply demanding payment, the note asks victims to email their Bitcoin wallet ID and the "personal installation key" shown on screen to a Posteo address so the attackers can confirm the transaction.
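To make the point about propagation concrete, here is a toy model (added to this article, not code from Kaspersky's analysis or from the malware itself) of a worm that spreads through a small network in the two ways described above: an SMB exploit that only works against unpatched hosts, and reuse of credentials harvested from each host it infects. The host names, credential names and network layout are all constructed for the example. Running the three scenarios shows why patching alone does not contain it: with every host patched, a shared local administrator credential still carries the infection across the network, and only unique per-host credentials combined with patching stop it at the first machine.

```python
"""Toy model of worm propagation with two vectors: an SMB exploit that works
only against unpatched hosts, and reuse of credentials harvested from every
host the worm has already compromised. Constructed example; the hosts and
credential names below are made up and do not come from any real sample."""
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Host:
    name: str
    patched: bool             # True blocks the SMB exploit vector
    creds: frozenset          # credentials cached on this host (harvestable)
    admins: frozenset         # credentials that grant admin logon to this host


def spread(hosts: dict, patient_zero: str) -> dict:
    """Return {host: vector} for every host the worm reaches.

    vector is "initial", "exploit" or "credentials". Harvested credentials
    accumulate as hosts fall, so the scan repeats until no new host is reached.
    """
    vector = {patient_zero: "initial"}
    harvested = set(hosts[patient_zero].creds)
    queue = deque([patient_zero])
    while queue:
        queue.popleft()                      # each infected host rescans the network
        for h in hosts.values():
            if h.name in vector:
                continue
            if not h.patched:
                vector[h.name] = "exploit"   # unpatched: SMB exploit succeeds
            elif harvested & h.admins:
                vector[h.name] = "credentials"  # patched, but a harvested cred is admin here
            else:
                continue
            harvested |= h.creds             # loot the new host's cached credentials
            queue.append(h.name)
    return vector


def build_network() -> dict:
    """Constructed sample network. 'localadmin' is one password shared by three hosts."""
    hosts = [
        Host("ws01", False, frozenset({"localadmin"}), frozenset({"localadmin"})),
        Host("ws02", False, frozenset({"alice"}), frozenset({"localadmin", "alice"})),
        Host("fs01", True, frozenset({"svc_backup"}), frozenset({"localadmin"})),
        Host("dc01", True, frozenset(), frozenset({"domainadmin"})),
        Host("hr05", True, frozenset({"domainadmin"}), frozenset({"alice"})),
        Host("lab01", True, frozenset(), frozenset({"labadmin"})),
    ]
    return {h.name: h for h in hosts}


def patched_everywhere(hosts: dict) -> dict:
    """Scenario: MS17-010-style patching applied to every host."""
    return {n: replace(h, patched=True) for n, h in hosts.items()}


def unique_local_admins(hosts: dict) -> dict:
    """Scenario: the shared local admin password replaced by a per-host one."""
    def rename(creds, name):
        return frozenset(f"localadmin-{name}" if c == "localadmin" else c for c in creds)
    return {n: replace(h, creds=rename(h.creds, n), admins=rename(h.admins, n))
            for n, h in hosts.items()}


if __name__ == "__main__":
    net = build_network()
    for label, scenario in [("as-is", net),
                            ("all patched", patched_everywhere(net)),
                            ("unique local admins", unique_local_admins(net)),
                            ("patched + unique admins", patched_everywhere(unique_local_admins(net)))]:
        print(f"{label:24s} {spread(scenario, 'ws01')}")
```

In the unpatched baseline the worm reaches five of six hosts; patching every host changes only the labels, because the shared local administrator password still opens the file server and the chain alice → hr05 → domainadmin → dc01 runs entirely on stolen credentials. Only when credentials are not reusable across machines and the exploit vector is closed does the infection stop at patient zero.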
Who has been affected by NotPetya and how to prevent it
As of this writing, security firms report that the ransomware has hit more than 2,000 organizations worldwide, and the attackers' Bitcoin wallet shows a little over $7,000 in payments.
However, the German provider Posteo has since shut down the attackers' email address, so victims can no longer send proof of payment and have no way to obtain a decryption key even if they pay. Paying the ransom is therefore pointless.
Kaspersky data shows that a majority of targets are in Ukraine, Russia, and Poland. Italy, Germany, Belarus, Brazil, Estonia, the Netherlands, Turkey, and the United States also figure on the list of prominent targets.
ExPetr has compromised Ukraine's central bank, the airport in the capital, Kiev, the national power company, two postal services and several private firms. Rosneft, Russia's largest oil company, has also been hit.
Maersk, the Danish transnational shipping company, has been hit as well. Advertising firms from the U.K., food producers in Spain, and American pharmaceutical companies have also reported NotPetya infections.
Kaspersky's advice is the usual: keep operating systems and third-party software fully patched, which closes the SMB exploit vector; enable the System Watcher anti-ransomware component in its products; do not open suspicious attachments; and back data up to separate storage that is kept offline. Because the malware also spreads with harvested credentials, patching alone is not enough: limiting the reuse of administrative credentials across machines reduces how far a single infection can travel.
Source: Kaspersky Lab