This week’s attack, called Petya and NotPetya in the media, is not necessarily a new form of ransomware; however, the way it has evolved has experts questioning whether it is different enough from the original to be considered something other than a variant. The original Petya ransomware, discovered in March 2016, did not encrypt individual files the way most ransomware does: it overwrote the master boot record and encrypted the NTFS master file table, so the machine could not boot at all. That low-level encryption is the base of the current variant. Layered on top of it is the ability to move through networks by exploiting the same SMBv1 vulnerability WannaCry targeted (using the leaked EternalBlue exploit), or by harvesting administrator credentials from memory and reusing them on other machines, among a few other methods. This combination was best explained in an article from SonicWall: “Like mixing cocktails, the ingredients are all well known, but the exact mix can be completely new.”
By creating a specific file in the Windows directory and marking it read-only, you can “vaccinate” a system against the current strain: the malware checks for the file and exits if it is present. This is a vaccine rather than a true kill switch, since it protects only the machine it is applied to and does nothing to stop the worm from reaching other hosts, and there is still the possibility that the authors will modify the check and start again. Mytech has created an automated method to apply the vaccine to our customer networks. Several of our security vendors also confirmed they protected customers shortly after the outbreak. The combination of techniques used by NotPetya further proves that one layer of security is not enough – even where patching was up to date and EternalBlue could not be exploited, there were still at least three other ways the worm could spread.
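The following script is an added example, not Mytech’s automated tool and not code from the original post. It applies the vaccine described above and verifies it. It assumes the file names publicly reported by researchers at the time (perfc, perfc.dat and perfc.dll under %SystemRoot%); those names are an assumption of this example, and a reworked sample could check for something else. It also adds a separate check that SMBv1 is disabled, since that is the layer the EternalBlue exploit relies on. Run it from an elevated PowerShell prompt.

```powershell
# Added example: NotPetya vaccine plus an SMBv1 check. Not the original post's code.
# ASSUMPTION: the malware looks for these names in the Windows directory;
# taken from public research on the June 2017 outbreak, not from this page.
$VaccineFiles = @('perfc', 'perfc.dat', 'perfc.dll')
$WindowsDir   = $env:SystemRoot

function Install-Vaccine {
    param(
        [string[]]$FileNames = $VaccineFiles,
        [string]$Directory   = $WindowsDir
    )
    foreach ($name in $FileNames) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) {
            # Content is irrelevant; the malware only tests for existence.
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        # Read-only so the file is not casually deleted or overwritten.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-Vaccine {
    # Returns one object per expected file so the result can be logged or
    # collected centrally; Vaccinated is $true only if present AND read-only.
    param(
        [string[]]$FileNames = $VaccineFiles,
        [string]$Directory   = $WindowsDir
    )
    foreach ($name in $FileNames) {
        $path     = Join-Path $Directory $name
        $exists   = Test-Path -LiteralPath $path
        $readOnly = $exists -and (Get-Item -LiteralPath $path).IsReadOnly
        [pscustomobject]@{
            Path       = $path
            Exists     = $exists
            ReadOnly   = $readOnly
            Vaccinated = $readOnly
        }
    }
}

function Test-Smb1Disabled {
    # Windows 8 / Server 2012 and later. The vaccine stops only this sample on
    # this host; removing SMBv1 removes the EternalBlue path for any worm.
    $cfg = Get-SmbServerConfiguration
    return (-not $cfg.EnableSMB1Protocol)
}

Install-Vaccine
Test-Vaccine | Format-Table -AutoSize
if (-not (Test-Smb1Disabled)) {
    Write-Warning 'SMBv1 is still enabled on this host; disable it with Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}
```

Test-Vaccine reports Vaccinated = $false if a file exists but has lost its read-only bit, which is the state to alert on when the check is run on a schedule. Treat a passing result as protection against this specific sample only; patching MS17-010, disabling SMBv1 and limiting where administrator credentials are used are what actually close the spreading paths.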
As pointed out by another of our vendors, the goal of this attack was most likely to create havoc rather than to collect money. While it presents itself as ransomware, the only way victims could contact the attackers to obtain a decryption key was through a single email account, which the provider promptly shut down for misuse of the platform. Even before the account was shut down, the attackers were asking for only a small ransom and received few payments.
This is just the latest example of the creativity cyber criminals are applying to their work, and it is only the start. The same vendor noted that many more exploits from the leaked National Security Agency (NSA) tool set have yet to be put to use, and they are now available to black hat and white hat groups alike. There will be a continuous race between the “bad guys” evolving what they do and the “good guys” trying to stop them.
Protecting your network against this threat is the same as any other threat:
- Train your staff to recognize security risks and stay vigilant about them
- Implement a defense-in-depth or layered security approach on your network
- DO NOT pay ransom – there is no guarantee your information will be recovered
- Implement a reliable and tested backup and disaster recovery solution