GoldenEye (Petya Offshoot) Ransomware has a “Vaccine”, Just Discovered


Less than two months ago, the WannaCry ransomware attacks wreaked havoc on more than 300,000 machines in 150 countries. The attacks soon fizzled out, however, because of flaws in the malware’s design and other factors such as its payment setup. A new wave of Windows ransomware attacks by an offshoot of the ransomware identified as Petya last year is now spreading across Europe, and it is far more dangerous than WannaCry because it avoids many of the mistakes the WannaCry hackers made.

The new iteration of Petya is being called “NotPetya” or “GoldenEye” by many, and it has already hit over 2,000 targets, including some high-profile ones such as US pharma giant Merck and the Danish shipping company Maersk, among others.

The rapid proliferation of NotPetya is in large part due to the EternalBlue exploit, the same one used by WannaCry. But the implementation is different this time: far more robust than the malware that hit global systems two months ago.

The biggest WannaCry flaw that NotPetya avoids is the “kill switch” that allowed the speed and intensity of the WannaCry attacks to be greatly reduced. According to BitDefender security researcher Bogdan Botezatu:

“The quality of the code improves from iteration to iteration—this GoldenEye ransomware is pretty solid. We don’t get to catch a break.”

Like WannaCry, NotPetya uses the EternalBlue flaw to get into Windows systems that have yet to receive the updates Microsoft pushed even before the WannaCry attacks started. Unlike WannaCry, however, NotPetya also uses other methods to infiltrate systems. One of these is a malicious update to the Ukrainian software program MeDoc. Reports are also coming in of Microsoft Word documents with malicious macros being used to spread the ransomware.

EternalRomance, another exploit developed by the NSA and leaked by the Shadow Brokers, is also being used to gain access to and compromise unprotected systems. Microsoft issued a patch for EternalRomance back in March, but on many systems these updates haven’t been applied, leaving them exposed to further attack by the NotPetya hackers.

Fabian Wosar, a security researcher at the defense firm Emsisoft, says:

“If a system with enough administrative privileges is compromised, it will simply instruct all other PCs it has access to to run the malware as well. That is why a lot of system administrators are freaking out right now.”

NotPetya, or GoldenEye, does have its own flaws, but they relate to payment rather than any ability to stop the attacks themselves. Victims are required to send a manual email confirmation of payment before they can get their decryption keys. The problem is, the email address they’ve provided has been blocked by the provider, Posteo.

The biggest problem with GoldenEye is that it has multiple modes of delivery, which means a single security patch is insufficient to address the threat. It looks like GoldenEye, aka NotPetya, is here to stay, at least until a more holistic solution is found to address the issue.

Nevertheless, security researchers say that whatever patches are available for these attack vectors should and must be deployed. According to a report in Wired:

“Researchers also note that the ransomware runs on boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a “Check Disk” message, you can avoid having your files encrypted by quickly powering down.

Additionally, for the current variant of ransomware, administrators can stop the spread within a network from the Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running. Administrators can also shore up their defenses by using Microsoft’s Local Administrator Password Solution to protect credentials that grant network privileges.”

The worst part is that a lot of companies ignored the EternalBlue patch pushed by Microsoft, which means there could be thousands upon thousands of machines still vulnerable to this new ransomware. Patching is not the only answer, but it is a critical part of fighting the attacks and blocking some major delivery methods.

UPDATE: According to the latest report, Cybereason security researcher Amit Serper has found a way to “vaccinate” machines against the GoldenEye ransomware:

“While analyzing the ransomware’s inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.

The researcher’s initial findings have been later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft.

This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.”
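The vaccine described above, written out as an added PowerShell example (this is not code from the article, from Cybereason or from Amit Serper): it creates the file in the Windows directory, marks it read-only, and verifies both conditions. It assumes an elevated session; the path C:\Windows\perfc.dat is the one named in the Wired quote, and the extensionless C:\Windows\perfc is the name used in the published vaccine instructions.

```powershell
#Requires -RunAsAdministrator
# Added example: create the read-only "vaccine" files the article describes.
# The ransomware exits its encryption routine if the file already exists,
# so an empty, read-only file is enough. Paths are assumptions (see lead-in).

$vaccineFiles = @(
    (Join-Path $env:SystemRoot 'perfc'),      # extensionless name from the vaccine instructions
    (Join-Path $env:SystemRoot 'perfc.dat')   # name quoted in the article
)

function Install-NotPetyaVaccine {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Create an empty file; only the file's existence is checked by the malware.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Mark it read-only so it is not trivially overwritten or deleted.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-NotPetyaVaccine {
    # Returns $true only if every vaccine file exists and is read-only.
    param([string[]]$Paths)
    $ok = $true
    foreach ($path in $Paths) {
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Warning "Missing: $path"; $ok = $false; continue
        }
        if (-not $item.IsReadOnly) {
            Write-Warning "Not read-only: $path"; $ok = $false; continue
        }
        Write-Output "OK: $path (exists, read-only)"
    }
    return $ok
}

Install-NotPetyaVaccine -Paths $vaccineFiles
if (-not (Test-NotPetyaVaccine -Paths $vaccineFiles)) { exit 1 }
```

Test-NotPetyaVaccine can be run on its own from a monitoring script to confirm the files are still present and read-only after the fact.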

We’ll keep you abreast of developments as the GoldenEye fiasco rolls out around the globe, and other remediation measures are announced.


Additional Source: CNET