Taking Cybersecurity Precautions as NotPetya Encryption Malware Hits Businesses

With the recent outbreak of the Petya (NotPetya, ExPetr) malware, Infopulse is using this cybersecurity blog post to inform our clients and partners about the latest findings and analysis regarding the massive cyberattack, which affected businesses across Europe and the USA.

NotPetya Malware Summary

On Tuesday, June 27, 2017, a major multi-pronged cyberattack campaign similar to the WannaCry campaign hit multiple companies, primarily across Central, Eastern, and Southern Europe, with a focus on Ukrainian, German, and Polish companies. At the same time, Nordic, Western European and Asian countries reported very limited attacks and seem to be mostly unaffected by the threat.

As in the case of the WannaCry attack, NotPetya malware targeted large businesses. Known affected companies include Maersk, Merck, WPP, DLA Piper, Nuance Communications, Deutsche Post, Metro, Evraz, Rosneft, Mondelez and others in the USA, Ukraine, the UK, Denmark, Israel, Norway, France, Germany, India, the Netherlands, Poland, Russia, Spain and elsewhere, reaching 20,000 machines and businesses across 60+ countries.

NotPetya Attack Mechanism

There is disagreement in the security community over whether the latest malware campaign featured a new version of the Petya.A ransomware family or a completely new threat. While it has many similarities to, and shares parts of its code with, the original Petya.A ransomware family, the new malware has been called ExPetr, Petna and NotPetya because of its distinct differences from the original Petya.A.

While no single element of the attack is sophisticated, the combination of:

  • exploitation of unpatched vulnerabilities
  • distribution mechanisms (if the software update theory is correct)
  • multiple mechanisms for lateral movement as well as
  • exploiting suboptimal hardening of endpoints

made the overall attack quite potent and raised concerns about protection against similar attacks.

The low quality of the original Petya.A code and an easily detectable kill switch allowed that attack to be mitigated quickly. The latest evolution, “Petya/NotPetya”, does not require machines to have the same vulnerabilities and may use different distribution methods.

The initial attack vector is not confirmed at this time. The attack seems to use the same NSA EternalBlue and DoublePulsar exploits that were the backbone of the WannaCry ransomware campaign in mid-May 2017. However, it has more mechanisms for spreading within a network than WannaCry did.
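As an added, defender-side example (not part of the original post), the PowerShell function below audits whether the SMBv1 server protocol that EternalBlue exploits is still enabled on a Windows endpoint and can optionally disable it. It assumes an elevated session, relies on Microsoft's documented SMB cmdlets on Windows 8 / Server 2012 and later and on the LanmanServer "SMB1" registry value on Windows 7 / Server 2008 R2, and the function name Test-Smb1Exposure is our own.

```powershell
# Added example, not code from the original post: audit, and optionally
# disable, the SMBv1 server protocol targeted by EternalBlue.
# Run in an elevated PowerShell session on the endpoint being checked.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # Report only by default; pass -Remediate to actually disable SMBv1.
        [switch]$Remediate
    )

    $os = [Environment]::OSVersion.Version
    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = $os.ToString()
        Smb1Enabled  = $null
        Remediated   = $false
    }

    if ($os -ge [Version]'6.2') {
        # Windows 8 / Server 2012 and later expose the SMB server cmdlets.
        $cfg = Get-SmbServerConfiguration
        $result.Smb1Enabled = [bool]$cfg.EnableSMB1Protocol
        if ($Remediate -and $result.Smb1Enabled) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $result.Remediated = $true
        }
    }
    else {
        # Windows 7 / Server 2008 R2: SMBv1 is controlled by the LanmanServer
        # "SMB1" registry value; a missing or non-zero value means enabled.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.Smb1Enabled = ($null -eq $val) -or ($val -ne 0)
        if ($Remediate -and $result.Smb1Enabled) {
            Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
            $result.Remediated = $true   # takes effect after a reboot
        }
    }

    [pscustomobject]$result
}

# Audit only; add -Remediate to disable SMBv1 where it is found enabled.
Test-Smb1Exposure | Format-List
```

Disabling SMBv1 complements, and does not replace, installing Microsoft's patch for the SMB vulnerability, and it removes a protocol that legacy devices may still depend on; on Windows 7 the registry change takes effect only after a reboot.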

As reported by IBM X-Force, Cisco, Kaspersky and others, there are several opinions about the infection scenario:

  • Spreading
    • Distribution via the hijacked software update of M.E.Doc (Ukrainian tax and document management software).
    • Classic phishing attacks targeted at well-known large companies in the financial, transport and government sectors
    • Watering hole attack (through the compromised media websites).
  • Attack scenario
    • Upon successful infection, the master boot record (MBR) and/or selected files are encrypted, and the user is requested to pay the equivalent of $300 in bitcoins to decrypt their data. Those who paid the ransom, however, have not received decryption keys.
    • According to Kaspersky Lab, the malware might be a wiper, aimed at destroying data, that was disguised as a ransomware attack.

At this moment, there is no known mechanism to decrypt the encrypted files and folders. Independent researchers report that the malware encrypts the service part of files, making them inaccessible and unrecoverable. However, Microsoft, together with Ukrainian and international companies, is reported to be working on decryption tools.

CyberSecurity Protection against Encryption Attacks

At this time, we believe the initial attack wave is over and the threat is currently under control. Most companies were quick to recover from the attack. Sensitive data was unaffected, as the malware had no means to transfer data to third parties. The direction of the attack and the malware distribution raised the question of whether it was a poorly written single-person prototype released too early or a focused, highly skilled sabotage attack. Per Microsoft, this attack may have been only the first wave.

Most ransomware families are continuously refined and updated, and we must expect that both this specific variant and others will remain a significant risk factor for the foreseeable future. The majority of the affected machines were running an outdated Windows 7, which is not supported by Microsoft and is not recommended for businesses. For any business, it is strongly recommended to implement a holistic approach to cybersecurity.

Infopulse will continue to monitor the situation. Our company is making every effort to protect its own infrastructure and to avoid any harmful impact on our clients.

This write-up will track known developments, and information contained herein is subject to change.