To call NotPetya ransomware is a bit of a misnomer. It is destructive malware dressed up to look like ransomware. The aim does not seem to be monetary (the payment mechanism was so poorly implemented, with a single Bitcoin address and a contact email address that the provider quickly shut down, that victims had no realistic way to get their files back); instead it was designed to cause widespread disruption and destruction. It first hit machines in Ukraine via a compromised update for the M.E.Doc accounting package, and spread from there.

Before it runs, it checks for a particular file in the Windows directory (to see whether the machine has already been infected), which means a simple "vaccine" can be created by placing a read-only file of that name there (C:\Windows\perfc, alongside perfc.dat and perfc.dll to be safe). You may also want to get your IT team / partner to block the execution of perfc.dat, perfc.dll and psexec.exe (PsExec is one of the tools the malware uses to jump from machine to machine within a network; it also uses WMIC).
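The vaccine described above, as an added example (not code from the original post): a PowerShell script that creates the three zero-byte files in the Windows directory, marks them read-only, and verifies the result. Blocking execution of perfc.dat / psexec.exe is an AppLocker or Software Restriction Policy job and is not shown here.

```powershell
# Added example: NotPetya "vaccine". Not code from the original post.
# Creates read-only, zero-byte files named perfc, perfc.dat and perfc.dll
# in the Windows directory; the malware checks for C:\Windows\perfc before
# it runs and aborts if the file is present. Run from an elevated prompt.
#Requires -RunAsAdministrator

$names  = @('perfc', 'perfc.dat', 'perfc.dll')
$windir = $env:windir

foreach ($name in $names) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # -ItemType File with no content gives a zero-byte file
        New-Item -Path $path -ItemType File -Force | Out-Null
        Write-Output "Created $path"
    } else {
        # Leave an existing file alone (do not overwrite with -Force)
        Write-Output "Already present: $path"
    }
    # Set ReadOnly so the dropper cannot simply overwrite it
    $item = Get-Item -LiteralPath $path -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
}

# Verify: every file exists, is empty, and has the ReadOnly attribute set
foreach ($name in $names) {
    $item = Get-Item -LiteralPath (Join-Path $windir $name) -Force
    $ro   = ($item.Attributes -band [System.IO.FileAttributes]::ReadOnly) -ne 0
    '{0,-28} ReadOnly={1} Size={2}' -f $item.FullName, $ro, $item.Length
}
```

The script is idempotent, so it can be pushed out repeatedly as a startup script or via a management tool. A read-only attribute is a speed bump, not a guarantee: malware running as an administrator can clear it, so the vaccine is a stopgap alongside patching, not a replacement for it.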

The usual advice still applies – make sure that Windows machines (servers and workstations) have the latest patches (especially MS17-010, released in March 2017, which fixes the SMBv1 flaw that the EternalBlue exploit uses), make sure your firewalls are correctly configured (including personal firewalls on laptops, so that SMB on TCP 445 and 139 is not reachable from other workstations) and make sure you have tested, offline backups of servers and critical workstations.
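An added example (not code from the original post) that checks one Windows machine against the three points above: whether one of the MS17-010 fixes is installed, whether SMBv1 is still enabled, and whether the host firewall is on, with an optional -Fix switch that disables SMBv1 and adds an inbound block for SMB. The -Fix parameter and the firewall rule name are my own choices; the KB numbers are the March 2017 MS17-010 releases.

```powershell
# Added example: check a Windows machine against the patching / firewall
# advice above. Not code from the original post. Run from an elevated prompt;
# read-only unless -Fix is given. Needs Windows 8 / Server 2012 or later for
# the Smb* and NetFirewall* cmdlets.
#Requires -RunAsAdministrator
param([switch]$Fix)

# 1. MS17-010. These are the March 2017 KBs that first shipped the fix. Later
#    monthly cumulative updates supersede them, so their absence alone does not
#    prove the machine is unpatched; "no KB and SMBv1 enabled" is the red flag.
$ms17010 = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
             'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
$hotfixes   = Get-HotFix
$installed  = $hotfixes | Select-Object -ExpandProperty HotFixID
$hasMs17010 = @($ms17010 | Where-Object { $installed -contains $_ }).Count -gt 0
$latest     = $hotfixes | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
"MS17-010 KB present: $hasMs17010 (most recent update: $($latest.HotFixID) on $($latest.InstalledOn))"

# 2. SMBv1, the protocol version EternalBlue exploits. Nothing modern needs it.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMBv1 server enabled: $smb1"
if ($smb1 -and $Fix) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMBv1 server disabled"
}

# 3. Host firewall. Every profile should be on; on laptops and workstations
#    inbound SMB (TCP 445/139) from other hosts should be blocked outright.
Get-NetFirewallProfile | ForEach-Object { "Firewall profile $($_.Name) enabled: $($_.Enabled)" }
if ($Fix) {
    $ruleName = 'Block inbound SMB (NotPetya/WannaCry mitigation)'   # assumed name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445,139 -Action Block -Profile Any | Out-Null
        "Added firewall rule: $ruleName"
    }
}
```

Do not apply the inbound SMB block to file servers or domain controllers, which have to serve SMB; there the fix is patching plus disabling SMBv1. On a workstation estate, blocking 445 between peers is what stops the worm spreading laterally even when a credential has been stolen.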

This malware showed a major jump forward in sophistication. Not only did it use leaked NSA exploits (EternalBlue, as WannaCry did, and EternalRomance) but it also incorporated credential-stealing functionality (a modified Mimikatz, which pulls passwords and password hashes out of memory on the infected machine), a technique usually employed by attackers who are after corporate information. This enabled it to use those stolen credentials, via PsExec and WMIC, to infect fully patched machines as long as they were reachable on the same network.
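An added example (not code from the original post) of the account and workstation hardening that blunts this credential-stealing step: it reports whether LSASS runs as a protected process (so an unsigned tool cannot read credentials out of its memory), whether WDigest is still caching plaintext passwords, and which accounts are local administrators on the machine (the accounts whose stolen credentials would let the worm in over PsExec/WMIC). The -Fix switch is my own parameter name; the registry keys are the documented Windows settings.

```powershell
# Added example: reduce what a Mimikatz-style tool can harvest from LSASS and
# show which accounts would give the worm a foothold. Not code from the
# original post. Run from an elevated prompt; -Fix writes the two registry
# values, which take effect after a reboot. RunAsPPL needs Windows 8.1 /
# Server 2012 R2 or later; UseLogonCredential on Windows 7 / 2008 R2 is only
# honoured once KB2871997 is installed.
#Requires -RunAsAdministrator
param([switch]$Fix)

$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. LSA protection: LSASS as a protected process (PPL). Unsigned code cannot
#    open it with read access, so memory scraping of credentials fails.
$runAsPpl = Get-RegValue $lsa 'RunAsPPL'
$pplState = if ($runAsPpl -eq 1) { 'enabled' } else { 'NOT enabled' }
"LSASS RunAsPPL: $pplState"

# 2. WDigest: with UseLogonCredential = 1 LSASS keeps the plaintext password
#    in memory. Windows 8.1 / 2012 R2 and later default to 0; Windows 7 /
#    2008 R2 default to 1, so set it explicitly.
$useLogonCred = Get-RegValue $wdigest 'UseLogonCredential'
$wdState = if ($null -eq $useLogonCred) { 'not set (OS default applies)' }
           elseif ($useLogonCred -eq 0) { '0 (plaintext not cached)' }
           else                         { "$useLogonCred (plaintext CACHED)" }
"WDigest UseLogonCredential: $wdState"

if ($Fix) {
    Set-ItemProperty -Path $lsa -Name 'RunAsPPL' -Value 1 -Type DWord
    if (-not (Test-Path $wdigest)) { New-Item -Path $wdigest -Force | Out-Null }
    Set-ItemProperty -Path $wdigest -Name 'UseLogonCredential' -Value 0 -Type DWord
    "Registry updated; reboot required for the changes to take effect."
}

# 3. Local administrators. A credential stolen from any other machine for one
#    of these accounts lets the worm run code here over PsExec/WMIC even if
#    this host is fully patched. Shared local admin passwords are the worst case.
"Members of the local Administrators group:"
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    # Windows 10 / Server 2016 and later
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
} else {
    # Older systems: fall back to the classic tool
    net localgroup Administrators
}
```

The two registry settings shrink what can be stolen from a compromised machine; the group listing shows what a stolen credential could reach. The remaining piece, which no single-machine script can show, is making sure the same administrative password is not reused across workstations, since that is exactly what let NotPetya hop from one patched host to the next.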

Organisations are going to have to invest more time in ensuring that their IT systems are secure, including strengthening the security of accounts, workstations and servers.

This isn’t the only NSA exploit that was stolen, and the inclusion of more sophisticated hacking tools in the malware shows an escalation in the methods that malware writers are employing. Patching helps, but it’s not the complete answer: a fully patched machine was still infected if the credentials of an account with administrative rights on it were stolen from another machine on the same network.
