The True Nature of NotPetya

We know for sure that you have heard the news of several maritime transporters getting attacked by the newest form of ransomware: NotPetya.

NotPetya was initially released into the wild hiding in an update for a popular financial accounting program in the Ukraine. Companies that used this software were infected. Once the system was infected it used a popular exploit in Windows that allowed it to spread the infection over the network called EternalBlue. This exploit was also used by WannaCryptor, another ransomware that had a major impact last month. WannaCryptor was a warning shot that should have taught companies to take action against this exploit of Windows and update their systems however, due to the impact of NotPetya it is still remarkable that many companies have not performed the necessary updates.

While NotPetya presented itself as a form of ransomware and asked for payment it was actually not taking your files for ransom at all. The virus wiped your hard drive and pretended recovery of your files was possible however this was not the case. The main goal of NotPetya was destruction. Although the original creator of the NotPetya virus is looking into this as well the chances of recovery are very slim.

The technical part:

• The infection of NotPetya works as follows.

• First infiltration via the financial accounting system from Ukraine (ME DOC)

• Infected system with virus, virus uses Windows exploit to execute administrator code.

• Uses EternalBlue exploit to spread over the network.

• Encrypts Windows file tree

• Overwrites Windows boot partition with its own and removes the original.

• Shows user the $300 ransom note, tricking user to think that it was ransomware.

Customers using our Anti-Virus and UTM solutions are safe and protected against this threat although we always ask to open files with caution.