The number of ransomware attacks has risen sharply over the last couple of years. Smaller attacks never really stop, but what we are talking about here are the big ones, the ones that can do serious damage.
The most recent big attack was only a month ago. It hit computers around the world, but the worst of it was concentrated in Ukraine. The ransomware is called NotPetya, and its targets included airports, banks, power companies, postal services, and the like.
After hitting Ukraine, it went on to spread to as many as 64 countries. Today we will look at what this ransomware is, which systems it targets, and how to protect yourself from future attacks.
What is NotPetya?
In the early stages of the attacks, researchers were trying to figure out which ransomware was responsible for all the chaos. At first they thought it was the Petya ransomware, which is built to hold files hostage until a ransom is paid. However, it soon became clear that this was something else that merely resembled Petya.
Today we know that NotPetya used one version of Petya as its base but evolved into something new. After a while it became apparent that the ransomware wasn’t really after money; the poorly designed payment system was confirmation enough. Rather than merely holding files for ransom, it was also damaging and corrupting anything it could.
Its real purpose was to cause damage; the ransomware part was a cover, an excuse. But what made it so dangerous, and what allowed it to become such a threat? Researchers found that it uses an exploit called EternalBlue, which is believed to have belonged to the NSA and to have been stolen from it.
The exploit targets a flaw in the Server Message Block (SMB) protocol, which Windows PCs use to share files, printers and serial ports with one another. In practice, the vulnerability lets an attacker send malicious code to the computer over the network. It is one of the vulnerabilities that the hacking group calling itself The Shadow Brokers stole in April of this year.
Another feature of NotPetya is a special “worm” component. Usually ransomware has to trick the user into downloading it, either by attaching itself to another piece of software or by disguising itself as one. Once on a computer, it encrypts files and holds them for ransom, displaying a message that informs the victim of the situation and demands payment, usually in Bitcoin.
Then, last year, Petya took this further: it was seen encrypting the entire hard drive, which it did by infecting the master boot record and overwriting the code responsible for starting the boot sequence.
This all sounds bad enough, but such ransomware could still only attack one PC at a time, a limitation that all ransomware shared. Then the WannaCry attack changed that: ransomware could now infect a computer without tricking the user, who was not needed at all. NotPetya demonstrated the same ability after that.
In short, it can do what Petya could, only without needing a user. Microsoft has also said that one of its attack vectors is stealing users’ credentials; once it has them, it only needs to scan the local network before it can establish valid connections to other machines.
Using file shares, NotPetya can copy itself across the local network. Computers on that network that lack the patch for the EternalBlue vulnerability will certainly fall victim to it. According to Microsoft, there may also be another such exploit in play, named EternalRomance, which, if it exists, is also said to belong to the NSA.
Another problem with NotPetya was its bad payment system. Usually the victim receives a ransom note with an email address through which they are to arrange payment; once they do, the decryption key is sent back. In NotPetya’s case, the email address went down very quickly thanks to the email provider’s fast reaction.
The provider, Posteo, said that it does not tolerate the use of its email service for such purposes and shut the address down. This points to a payment system that was never properly thought through: payments could no longer go through once the address was gone, yet the attack continued. This and other elements of the attack suggest that making quick money from other people’s misery may not have been the point after all.
Microsoft’s investigation found that the attack started at a Ukrainian company called MEDoc; its conclusion was that the attack originated with that company’s software updater process.
What systems are vulnerable to the attack?
So far this ransomware only goes after companies and organizations running Windows PCs. It even managed to take control of the monitoring system at Chernobyl. In the US, the attack hit the Heritage Valley Health System and affected every facility connected to its network.
The airport in Kiev also suffered the consequences. The ransomware doesn’t seem to target any specific version of Windows, or at least nothing that Microsoft was able to pick up, so it is probably safe to assume that you are at risk on pretty much any Windows computer, from Windows XP to Windows 10.
How to protect yourself from NotPetya?
To help block NotPetya and similar ransomware, Microsoft has already released the updates that protect against these attacks; in fact, the update came out back in March, months ago. That so many computers still fell to this attack only means that they had not installed it.
Microsoft therefore urges you to install it as soon as possible if you haven’t already; otherwise you may become the next ransomware victim. Installing this update is the most effective protection. If for some reason you can’t install it, there are two more things you can do.
- Disable Server Message Block version 1 (SMBv1), and configure your router and firewall to block all SMB traffic on port 445.
- Open File Explorer and go to the Windows directory, usually “C:\Windows”. There, create a file named “perfc” and set it to “Read Only”.
You can’t create a file directly in this directory, but you can open Notepad and save a file named “perfc.txt” there. Then remove the “.txt” extension, accept the warning, and make the file read-only by right-clicking it, choosing Properties, and checking the Read-only option.
After this, if NotPetya reaches your device, it first checks whether this file exists; when it finds it, it assumes the device is already infected and does not proceed with its own attack. Still, there is no guarantee this will keep working, especially now that everyone knows about it, which is why we suggest another precaution:
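The two fallback measures above (disable SMBv1 and block port 445, create a read-only perfc file), plus a check that the March update is present, as an added PowerShell example. This is not code from the article: it assumes Windows 8.1/10 or a recent Windows Server, where the SmbShare, NetSecurity and DISM cmdlets exist (it will not run on Windows XP), it must be run from an elevated prompt, and the KB number is a placeholder because the article does not name the update.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. 'KB-PLACEHOLDER' is not a real KB id;
# replace it with the KB number of the March SMB update for your Windows version.

function Test-NotPetyaExposure {
    param([string]$KnownKb = 'KB-PLACEHOLDER')
    $report = [ordered]@{}

    # 1. Is the SMB update installed? Get-HotFix looks up installed updates by KB id.
    $report.PatchInstalled = [bool](Get-HotFix -Id $KnownKb -ErrorAction SilentlyContinue)

    # 2. Is SMBv1 still enabled on the server side of this host?
    $report.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 3. Is there an enabled inbound block rule for TCP 445 in the host firewall?
    $rule = Get-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -ErrorAction SilentlyContinue
    $report.Port445Blocked = ($null -ne $rule -and "$($rule.Enabled)" -eq 'True' -and "$($rule.Action)" -eq 'Block')

    # 4. Does the read-only C:\Windows\perfc file the article describes exist?
    $perfc = Join-Path $env:SystemRoot 'perfc'
    $report.PerfcPresent = (Test-Path $perfc) -and (Get-Item $perfc).IsReadOnly

    [pscustomobject]$report
}

function Invoke-NotPetyaHardening {
    # Caveat: blocking inbound 445 stops this machine from serving file and printer shares.
    # These are fallbacks for when the update cannot be installed, as the article says.

    # Disable SMBv1 on the server side, then remove the optional feature entirely.
    # (On Windows Server use: Remove-WindowsFeature FS-SMB1)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # Block inbound SMB on TCP 445 in the host firewall; the router rule must be added separately.
    if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }

    # Create the empty, read-only perfc file directly, without the Notepad .txt detour.
    $perfc = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path $perfc)) { New-Item -Path $perfc -ItemType File | Out-Null }
    Set-ItemProperty -Path $perfc -Name IsReadOnly -Value $true
}

Invoke-NotPetyaHardening
Test-NotPetyaExposure | Format-List
```

Run Test-NotPetyaExposure on its own first to see where a machine stands; the hardening function is written to be re-runnable, so applying it twice creates neither a second firewall rule nor a second file.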
Use a VPN
With a VPN on your side, you protect your data in transit and gain anonymity, and another perk the tool brings along is malware protection.
Through a series of security layers, a VPN keeps you safe, secure, and anonymous online. It helps you avoid malware and does whatever it can to keep malware off your device.
Beyond that, it keeps your data private and keeps your IP address clear of your online actions.
The best VPN we could find is TorGuard. It offers an enormous server network and many other features, including several packages, all for only around $10 per month.
- 24/7 Live Chat
- Residential / Dedicated IP for permanent streaming access
- Has Mobile App + PC / Mac Support
- Stealth VPN / Advanced Obfuscation techniques
NotPetya is a serious threat that can do great harm to your device and your files. Paying the ransom will not help, since the money probably won’t even reach the attackers, so don’t bother. Instead, protect your device and make it as ransomware-proof as possible by following the methods described above. In addition, keep a backup you can count on in case you do get infected.
Beyond that, click carefully and don’t trust unknown emails, apps, programs, and the like.