NotPetya was in the news this week, making headlines for being yet another ransomware attack that spread like fire – affecting organisations in several verticals across 65+ countries, drawing comparisons with the WannaCry attack that recently hit over 200,000 machines globally.
While it shows characteristics similar to a ransomware, NotPetya is more akin to a wiper, which is generally regarded as a malware responsible for destroying data on the target’s hard disk. The ransom collection as of this writing is just over $10,000. Additionally, the email address used in the ransom request has since been shut down.
NotPetya infects the master boot record (MBR) and prevents any system from booting. And even paying the ransom would not have recovered the machine! In that sense, it is also different from the 2016 Petya threat in that the damage from NotPetya is not reversible.
NotPetya leveraged the EternalBlue (well-known with WannaCry) as well as EternalRomance, both exploiting the MS17-010 vulnerability. However, the attackers also leverage other non-exploit, legal mechanisms to laterally spread – such as psexec and windows management interface, further expanding the reach to include machines patched for the MS17-010 vulnerability.
SentinelOne customers using SentinelOne Enterprise Protection Platform are proactively protected against this MBR attack. However, we also advise customers to ensure that all machines have installed the latest Windows updates to reduce the threat impact. Additionally, limiting or removing administrative permissions for regular users will further reduce the attack surface.
Check out SentinelOne’s “Dissecting NotPetya: So you thought it was ransomware” report which includes a more technical analysis of NotPetya, including how it is installed and how it spreads.
By Caleb Fenton, Joseph Landry, Nir Izraeli, Itai Liba, and Udi Shamir, Senior Security Researchers, SentinelOne Labs. View original post.
Related Posts
Russian Espionage Malware Adapted for Ransomware Scams
According to Sentinel Labs, the malware, called “Gyges,” targets Windows 7 and 8 users running…
WanaCrypt0r aka WannaCry ransomware wreaks havoc worldwide
The WanaCrypt0r ransomware hit with a vengeance on Friday, with the outbreak beginning in Europe, striking…
Ransomware by the Numbers
Everyone in the security industry is talking about. Everyone who has been a victim of…