
NotPetya Ransomware Devastates Organizations: Hospitals, Banks and Transportation

The latest ransomware attack, which struck on June 27th, 2017, has severely affected Europe and the U.S. A U.S. hospital is among the victims of this large-scale cyberattack. Pharmaceutical companies, Chernobyl's radiation monitoring systems, the Kiev metro, an airport and banks have been hit across Europe. The full consequences of this attack have yet to be realized.

The ransomware is called NotPetya, and upon infecting a computer it demands $300 for the unlock key. Organizations hoping to pay the ransom after this attack will be at a loss: the email account that victims were told to contact for the key has been shut down by its provider, Posteo. There is no way to recover the encrypted files unless the organization followed proper cybersecurity practice and has backups to fall back on.

A key component of NotPetya is the exploit from the leaked NSA toolkit known as EternalBlue, which was also used in the recent WannaCry ransomware attack. The ransomware resembles the Petya variant so closely that many initial reports labelled it Petya. After further investigation, Kaspersky determined that it was an entirely new form of ransomware, hence the name NotPetya.

What sets NotPetya apart from other ransomware is the expanded set of methods it uses to spread across networks. These include:

Password Discovery
According to the Forbes article "Petya NotPetya: A Ransomware More Powerful than Wannacry", David Kennedy, an NSA analyst and cybersecurity entrepreneur, found that NotPetya harvests passwords on the infected computer by extracting them from memory or from the local filesystem. These passwords are then used to move to other systems.

PsExec Usage
PsExec is a tool used to carry out limited actions on remote systems; NotPetya uses it to execute malicious code on other computers. For example, if an infected PC has administrator access to the entire network, it can run this code to infect all of the other computers.

These two methods are believed to be the reason the attack has spread around the world so quickly. They make it a far more dangerous attack than WannaCry: it does not only prey on outdated operating systems, and because of these additional spreading features no operating system is entirely safe.
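As an added example for defenders (not code from the original article), the following Python script flags the remote service installations that PsExec-style lateral movement leaves behind in the Windows System event log. It assumes a flattened key=value export of Event ID 7045 ("A service was installed in the system") records; the sample log lines, hostnames and the export layout are constructed for this illustration and will differ from a real wevtutil or SIEM export. The heuristic it applies is simple: a service named PSEXESVC or whose binary is PSEXESVC.exe (PsExec's default), or any service whose image path is a UNC path pointing at a remote share, is flagged for review.

```python
"""Flag PsExec-style remote service installs in Windows System event log lines.

Added example for this article. Event ID 7045 is the real "A service was
installed in the system" record; the key=value line layout and all sample
hosts, timestamps and service names below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample export (hypothetical layout): timestamp, then key=value pairs.
SAMPLE_LOG = r"""
2017-06-27T10:12:03Z host=WS01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe StartType=demand
2017-06-27T10:12:09Z host=WS02 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe StartType=demand
2017-06-27T10:15:44Z host=WS03 EventID=7045 ServiceName=WindowsUpdateSvc ImagePath=C:\Windows\System32\svchost.exe StartType=auto
2017-06-27T10:16:01Z host=WS04 EventID=4624 LogonType=3 TargetUserName=admin
2017-06-27T10:17:30Z host=WS05 EventID=7045 ServiceName=a1b2c3 ImagePath=\\WS01\ADMIN$\a1b2c3.exe StartType=demand
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    timestamp: str
    host: str
    service: str
    image_path: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one export line into a dict of fields; None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["timestamp"] = m.group("ts")
    return fields


def classify_service_install(fields: dict) -> Optional[str]:
    """Return a reason string if a 7045 record looks like a PsExec-style push, else None."""
    if fields.get("EventID") != "7045":
        return None  # only service-installation records are of interest here
    name = fields.get("ServiceName", "").upper()
    path = fields.get("ImagePath", "").upper()
    if name == "PSEXESVC" or "PSEXESVC" in path:
        return "default PsExec service name or binary"
    if path.startswith("\\\\"):
        # A UNC image path means the service binary lives on a remote share
        # (PsExec clones typically copy it over ADMIN$ before installing).
        return "service binary located on a remote share"
    return None


def find_psexec_installs(log_text: str) -> list:
    """Scan every line of the export and collect the suspicious service installs."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        reason = classify_service_install(fields)
        if reason:
            findings.append(Finding(
                timestamp=fields["timestamp"],
                host=fields.get("host", "?"),
                service=fields.get("ServiceName", ""),
                image_path=fields.get("ImagePath", ""),
                reason=reason,
            ))
    return findings


def hosts_touched(log_text: str) -> list:
    """Sorted list of hosts on which a suspicious service install was seen."""
    return sorted({f.host for f in find_psexec_installs(log_text)})


if __name__ == "__main__":
    for f in find_psexec_installs(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: service '{f.service}' ({f.image_path}) - {f.reason}")
    print("hosts to triage:", hosts_touched(SAMPLE_LOG))
```

On the constructed sample the script reports WS01, WS02 and WS05 and ignores the ordinary service install on WS03 and the unrelated logon event on WS04. A cluster of such records across many hosts within minutes, as the article describes, is the pattern worth alerting on; a single PSEXESVC install may well be a legitimate administrator.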

This professional ransomware is a greater threat than WannaCry. WannaCry had a kill switch and plenty of bugs; so far no kill switch has been found in NotPetya. The attack is believed to come from the highly skilled cybercriminal underground.

Many of the infected companies had access to a patch that closes the EternalBlue vulnerability. Microsoft released a patch in response to WannaCry, even for unsupported Windows systems such as XP. After the devastation caused by WannaCry, it is shocking that so many have still not patched.

Are you prepared for a ransomware attack? Engage the Crossroads Cybersecurity team to address the potential threats to your organization and how to defend against cyberattack.
