A new ransomware campaign dubbed “NotPetya” is currently infecting IT systems across the globe, with government bodies, critical infrastructure and large businesses affected.
The ransomware’s patient zero machines are believed to have originated in Ukraine. The virus specifically infected machines through software called Doc.ME, a Ukrainian government-approved accounting package. Another infection source reportedly involved the hacking of the website for the Bakhmut region of Ukraine, which was then used for a watering hole attack, helping to distribute the malware. It then went on to hit targets across Europe, the UK, India, Israel, Australia and the US. Russian oil company Rosneft, shipping operator Maersk and the world’s largest advertising firm, WPP, have also been affected by the ransomware virus. The NHS appears to be unaffected. The WannaCry campaign, which hit last month, took out 48 NHS trusts – leaving hospitals all over the UK paralysed. However, a number of companies in the UK have been affected, and a spokesperson for the National Cyber Security Centre has stated: “We are aware of a global ransomware incident and are monitoring the situation closely.”
Despite comparisons to the WannaCry ransomware virus due to the rapid spread and scale of the attack, NotPetya appears to differ in that it seems to have been a targeted attack. It doesn’t seem to spread over the internet to other users; rather, it infiltrates a business and damages its network and supply chains. The virus is not believed to exploit any vulnerabilities; it simply disguises itself as an update.
However, there are some similarities. Bitdefender claims that the ransomware used is GoldenEye, an improved version of Petya. Chunks of code are shared between Petya and GoldenEye, and the new malware combines components from Petya, WannaCry and other versions of GoldenEye, making it a new threat.
The main similarity NotPetya shares with Petya is that both encrypt the target’s Master Boot Record. Interestingly, both NotPetya and WannaCry perform rather poorly as actual ransomware. Both demand a rather meagre ransom of $300 (£234) for decryption, suggesting that both attacks were carried out to cause damage and disruption rather than to make money for the perpetrators.
The NotPetya virus uses the same exploit as the WannaCry virus: the EternalBlue exploit famously used by the NSA. EternalBlue, a vulnerability on Windows systems with outdated versions of the Windows File and Printer Sharing service, was patched by Microsoft a couple of months ago; however, it appears that many have not yet applied the patch. The patch can be found here.