Do NotPetya Panick...
Currently, experts can’t agree what to name the latest malware outbreak which occurred on Tuesday, with the name NotPetya being the current fore-runner and the name used in this blog.
It has been found that NotPetya uses two exploits developed by, and later stolen from, the National Security Agency (NSA). It combines these two exploits (EternalBlue and EternalRomance) with additional code that steals network credentials, which then allows the malware to infect fully patched Windows computers.
A computer screen displaying Eternalromance, one of the NSA exploits used in Tuesday's NotPetya outbreak.
How NotPetya infects computers is still be investigated. However, it is thought that NotPetya originated with a malware ridden update of the MeDoc accounting software, although the developer denies this is the case. Analysis undertaken of NotPetya revealed that it is seeded by compromising the update mechanism of the MeDoc tax filing application, which is used extensively by businesses throughout the Ukraine. This has led to speculation that Ukraine was the target, and that Ukrainian Government officials are stating that this attack was state sponsored.
It has now been confirmed that the outbreak of NotPetya, which was originally thought to be a ransomware attack was instead found to be something much more worrying. As it was found that the malware encrypts the hard drive completely, making it virtually impossible to decrypt/recover the hard drive. It is likely that the risk of infection from NotPetya has now passed, however if infected there are two steps you can do which will help:
- Firstly, you can create a read-only file named perfc within the C:\Windows folder which NotPetya looks for prior to overwriting the MBR. If the file is present, then NotPetya halts. For businesses, this is a problematic solution, as this is a manual process which requires desktop support staff visiting each PC.
- Secondly, if you boot your PC and as part of the boot process you see a message which looks like CHKDSK stating that it is ‘repairing file system on C:’ then it is likely that NotPetya has launched and is busy encrypting the files on your system. At this stage switch off the PC immediately and do not turn the PC on again until the files which are not yet encrypted have been recovered from the hard disk.
Information is probably the most important asset any company has and with that in mind, information security should be at the forefront in the minds of all business boards and owners.
What lessons can be learned from this latest attack?
As normally malware spreads by poor security practices. One way to reduce the risk of infection by ensuring that all users are aware of what they should and shouldn’t be doing. The way to improve user awareness, is by regular security training and updates. Unfortunately, as this type of training doesn’t result in additional profit, many organisations perceive it as being an overhead and invest little in training. However, the flipside is that by not conducting training, businesses place themselves at a much greater risk of being successfully attacked by malware. What would the cost be to your business should if such an attack is successful?
At a minimum users should know:
- not to open any attachments they are not expecting,
- never click on a link contained within an email from an unknown source and definitely not if it is banking or finance related but should always manually browse to the banking site!
Acceptable use policies should stress that users should:
- only access business related websites,
- never install any software not approved by the company,
- know that torrent sites are a definitely no-no
- know how to deal with pop-ups that suggest there is a virus on the computer and by clicking this button, it will be cleaned.
Even though NotPetya would launch on fully patched systems, it is essential that security patches and updates are installed on desktop systems as they are designed to remediate known vulnerabilities.