
NotPetya, the new Petya: How to protect your company from this ransomware cyber-attack


Goldeneye, Petna, Pneytna and Petya are all names for a single, highly destructive cyber threat. This powerful ransomware, which first spread through a software update mechanism and later through a phishing campaign with malware-laden attachments, has struck again with newer and more powerful features to destroy networks and systems.


What is NotPetya?

Petya was the name originally given to a massive cyber-attack and potent ransomware infection in Ukraine and Russia that hit major transportation, energy and health companies as well as government agencies. However, the latest malware, initially presented as a new version of Petya, only resembles it at first glance: its features differ enough for researchers to classify it as a new form of ransomware, NotPetya.

It is strongly believed that Petya may have been only a test, since NotPetya is a more professional version: it has no obvious killswitch, is well designed and has automated lateral movement. Its spreading mechanism, which is better than WannaCry's, makes it even more lethal.


What does NotPetya really want?


Unlike other ransomware attacks, which are mostly conducted with the single goal of extorting money, this one has some intriguing features that look like a disguise for its real purpose. Amateurish choices in the payment method led to the suspension of the email account through which the ransom payment was to be handled. This means that even if a victim pays the ransom, it is impossible to communicate with the attacker to obtain the key that unlocks the files.


Security experts claim that this boosted version of Petya was not designed to make money. It is more like fast-spreading pseudo-ransomware that targets organizations to cause damage and destruction.


How NotPetya works


NotPetya uses two sophisticated evasion techniques: a fake Microsoft signature and an XOR-encrypted shellcode payload, both good enough to fool antivirus products and evade signature checks. Moreover, it uses three different vectors or vulnerabilities to proliferate:


  • PsExec: This latest version of Petya abuses this legitimate administration tool to execute malicious code on other computers and spread the infection.
  • Password collection: It extracts passwords from memory or the local filesystem and uses them to move to other systems.
  • ETERNALBLUE: Although Microsoft released a patch to prevent attacks like WannaCry, the negligence of most organizations in applying it has allowed NotPetya to infect other systems by injecting malicious code into them.
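As an added, defender-side illustration (not code from the original post or from the author's company), here is a small Python detector for the PsExec vector described above: it scans constructed Windows event records for PSEXESVC service installs, attributes each to the preceding network logon on that host, and flags an account that pushes the service to several hosts in a short window. The log format, field names and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): one Windows event per line as
# "<ISO timestamp> key=value ...". 4624 = logon (LogonType 3 = network),
# 7045 = new service installed. PsExec installs a service named PSEXESVC.
SAMPLE_LOG = """\
2017-06-27T10:02:11Z host=WS-01 id=4624 LogonType=3 TargetUserName=svc_admin IpAddress=10.0.0.5
2017-06-27T10:02:13Z host=WS-01 id=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:02:20Z host=WS-02 id=4624 LogonType=3 TargetUserName=svc_admin IpAddress=10.0.0.5
2017-06-27T10:02:22Z host=WS-02 id=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:02:31Z host=WS-03 id=4624 LogonType=3 TargetUserName=svc_admin IpAddress=10.0.0.5
2017-06-27T10:02:33Z host=WS-03 id=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-06-27T11:16:00Z host=WS-09 id=7045 ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe
"""

def parse_event(line):
    """Split one log line into a dict of fields plus a parsed 'ts' datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect_psexec_lateral_movement(log_text, window=timedelta(minutes=5), min_hosts=3):
    """Flag every PSEXESVC service install, attributing it to the most recent
    network logon on that host, then flag any account whose PsExec installs
    reach at least `min_hosts` distinct hosts inside `window` (a spread burst)."""
    findings = []
    installs = defaultdict(list)   # account -> [(ts, host), ...]
    last_network_logon = {}        # host -> account of latest type-3 logon
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    for ev in events:
        if ev["id"] == "4624" and ev.get("LogonType") == "3":
            last_network_logon[ev["host"]] = ev["TargetUserName"]
        elif ev["id"] == "7045" and "PSEXESVC" in (
                ev.get("ServiceName", "") + ev.get("ImagePath", "")).upper():
            account = last_network_logon.get(ev["host"], "<unknown>")
            findings.append(f"{ev['ts'].isoformat()} {ev['host']}: PsExec service "
                            f"installed after network logon by {account}")
            installs[account].append((ev["ts"], ev["host"]))
    for account, hits in installs.items():
        hits.sort()
        for start, _ in hits:   # slide the window over each install time
            hosts = {h for t, h in hits if start <= t <= start + window}
            if len(hosts) >= min_hosts:
                findings.append(f"LATERAL MOVEMENT: {account} pushed PsExec to "
                                f"{len(hosts)} hosts within {window}: {sorted(hosts)}")
                break
    return findings
```

On the sample, the three PSEXESVC installs are reported individually and the burst rule fires once for svc_admin, while the legitimate Spooler install is ignored.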


Like typical ransomware, the remastered Petya spreads via email, but it also switches between every available means to seize any opportunity to cause an infection. It is therefore extremely important to be cautious and eliminate vulnerabilities to prevent another outbreak.


How to protect your company from NotPetya


Our Digital Security expert, Ivan Montilla Miralles, offers the following advice to shield your networks against NotPetya (Petya):


  • Incorporate vulnerability assessment and management tools into your networks, and keep up with their security patches. I strongly recommend licensing Tenable products, as they constantly update their signature and vulnerability databases to give your networks extra protection.


  • Integrate real-time monitoring tools, such as AlienVault OSSIM & USM and LogRhythm. AlienVault includes File Integrity Monitoring, while LogRhythm offers forensic analysis and complementary modules; both help you identify in real time when files in your network suffer unauthorized modifications. These tools also raise alerts on ransomware attacks and help you contain them before they infect other devices within your networks.


  • Consider adding extra protection to your network with endpoint security tools whose intelligent software detects early infections and raises security alarms when malicious code attempts to take control of your networks. The best option for doing this is the Trend Micro suite.


  • Back up your data regularly. Do not wait for a 0-day vulnerability to adopt this good practice, as you never know when, where or how it will strike.


  • Have your employees participate in workshops to keep their knowledge up to date, and be particularly persistent about applying good practices in digital security. This is probably the best and easiest practice to prevent your company from being hit by a ransomware attack.


The urgent measure you need to apply in the next few minutes to avoid being hit by NotPetya (Petya) is applying the security patches to your networks and operating systems. We can always assist you in doing so, and also walk you through the entire process of managing the vulnerability assessment cycle. Just contact us here.
