On Tuesday, another global ransomware attack was unleashed, disrupting business activities for many industries across 65 countries, including one U.S. hospital.
Cybersecurity researchers are calling this malware “NotPetya.” It is a ransomware attack like Petya and WannaCry, but different enough to qualify as a new form of ransomware. Current reports indicate that NotPetya is both more virulent and more dangerous than its predecessors.
What We Know
NotPetya is a ransomware variant that encrypts users’ data files and demands $300 (USD) in ransom to decrypt the hostage data. Like WannaCry, NotPetya exploits the EternalBlue Windows SMB vulnerability to infect unpatched systems. Unlike WannaCry, NotPetya attacks only impact computers on the local network, not the entire internet.
NotPetya can harvest credentials from infected machines to move laterally through the network, and it leverages the PsExec and Windows Management Instrumentation (WMI) tools to spread the infection by executing malicious code on other computers throughout the network.
Over 2,000 organizations across the globe have been impacted. Some have paid the ransom, while others are relying on backups, since the email account used to pay ransoms has been blocked by the service provider.
What is Suspected by Researchers?
It is believed that NotPetya is a variant of Petya/Petrwrap. The variant uses three attack vectors:
- As a malicious email attachment: the malicious payload is downloaded when users approve Office’s request to download the requested resources
- As a network worm, exploiting systems that are missing the MS17-010 patches
- As a network worm, using account credentials found on an infected machine
This research is ongoing and could reveal more methods and payloads used by NotPetya. The HCI Group will continue to monitor the situation and keep you informed.
The Following Steps are Encouraged to Minimize Impacts:
- Create a file called perfc (with no extension) in the %windir% directory. This appears to prevent the malware from spreading to MS17-010 patched systems.
- Leverage Group Policy (GPO) to block access to the ADMIN$ share to prevent misuse of the PsExec/WMI tools.
- NotPetya creates a scheduled task that reboots the computer one hour after infection. Remove any such reboot tasks to prevent rescheduling.
- If a machine reboot occurs and the message banner displays “Windows 200x64 CLEAN (Clean MS17010 vulnerable) (Running) -Oracle VM VirtualBox”, power off immediately; this interrupts the encryption process.
- If not already completed, apply the MS17-010 patch and disable the SMBv1 file-sharing protocol on all systems.
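The following PowerShell script is an added example written for this post; it is not code from The HCI Group or from any vendor. It checks (and, with -Remediate, applies) three of the steps above on a single Windows host: the perfc file in %windir%, scheduled tasks that run shutdown.exe, SMBv1 state, and the presence of an MS17-010 hotfix. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer (for Get-ScheduledTask and the *-SmbServerConfiguration cmdlets), and the KB list it ships with is an example for Windows 7 / Server 2008 R2 that must be replaced with the MS17-010 KB numbers for the OS being checked. Blocking ADMIN$ is a Group Policy change and is left to the GPO step.

```powershell
<#
  Added example (not from the original post). Run from an elevated PowerShell session.
  Default mode only reports; pass -Remediate to create the perfc file, remove reboot
  tasks and disable SMBv1. Assumes Windows 8.1 / Server 2012 R2 or newer.
#>
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Example MS17-010 KB numbers for Windows 7 SP1 / Server 2008 R2 (security-only and
# monthly rollup). Assumption: replace with the KBs listed in MS17-010 for your OS.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-PerfcFile {
    # Step 1: the perfc "vaccine" file, no extension, directly under %windir%.
    $path = Join-Path $env:windir 'perfc'
    $exists = Test-Path -Path $path -PathType Leaf
    if (-not $exists -and $Remediate) {
        New-Item -Path $path -ItemType File -Force | Out-Null
        # Marking it read-only is a defensive extra, not something the post requires.
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
        $exists = $true
    }
    [pscustomobject]@{ Check = 'perfc file'; Path = $path; Ok = $exists }
}

function Get-ShutdownTask {
    # Step 3: any scheduled task whose action executes shutdown.exe, which is how the
    # one-hour reboot is scheduled. Legitimate tasks can match too, so they are only
    # reported unless -Remediate is given.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match 'shutdown' }
    }
}

function Remove-ShutdownTask {
    $tasks = @(Get-ShutdownTask)
    foreach ($t in $tasks) {
        Write-Warning ("Reboot task found: '{0}' in {1}" -f $t.TaskName, $t.TaskPath)
        if ($Remediate) {
            Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        }
    }
    [pscustomobject]@{
        Check = 'shutdown tasks'
        Count = $tasks.Count
        Ok    = ($tasks.Count -eq 0 -or $Remediate)
    }
}

function Test-Smb1Disabled {
    # Step 5: SMBv1 server protocol state; disable it when remediating.
    $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($enabled -and $Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $enabled = $false
    }
    [pscustomobject]@{ Check = 'SMBv1 disabled'; Ok = (-not $enabled) }
}

function Test-Ms17010Patch {
    # Step 5: is at least one of the listed MS17-010 hotfixes installed?
    $installed = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    [pscustomobject]@{
        Check = 'MS17-010 patch'
        Found = ($installed.HotFixID -join ',')
        Ok    = ($installed.Count -gt 0)
    }
}

# Report each check; any result with Ok = False needs attention.
@(
    Test-PerfcFile
    Remove-ShutdownTask
    Test-Smb1Disabled
    Test-Ms17010Patch
) | Format-List
```

Run it once without switches to see the state of a host, review any reported shutdown tasks, then re-run with -Remediate. On Windows 7 the SMB cmdlets are unavailable and SMBv1 is disabled through the LanmanServer registry parameters instead, so that function would need to be adapted there.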
We understand this will not be the last cybersecurity attack. All healthcare organizations should have existing controls in place to prevent and mitigate the impact of these attacks and to ensure the availability of systems. These should include:
- Automatic Workstation OS updates
- End-point security and malware tools (ransomware detection)
- Email monitoring tools to detect and block malicious attachments
- Data backup systems (automated and tested frequently)
- Healthcare Cybersecurity awareness training that discusses phishing, ransomware and email attachments
- Periodic review of administrator accounts (especially domain administrators), auditing their use to confirm they are used for administrator activities only
- Network monitoring tools and configurations that monitor system functionality in line with business purposes
- Updated policies for downtime management