NotPetya Ransomware
NotPetya Ransomware: Source Kaspersky Lab

“NotPetya” ransomware hit organizations in the government, banks, and electricity grids across Ukraine, a country bordered by Russia to the east and northeast. The hackers were using the Posteo email service. The email provider swung into action by yesterday afternoon and blocked the Posteo mailbox used by the hackers.

Note: Information contained in the news article should be considered preliminary. This is a developing story that might be updated later. 

Apart from Ukraine, companies in France, Denmark and Pittsburgh, Pennsylvania were also attacked, reported The Guardian. The Guardian called it ‘Petya’ ransomware, though Kaspersky Lab said it traced the latest infections to a new ransomware.

The hackers demanded a ransom worth $300 in Bitcoin from infected users to get their data decrypted.

NotPetya Ransomware Bitcoin Transactions

However, a major problem is that the email service provider has already suspended the hackers’ mailbox, so people paying the ransom may not be able to contact the hackers to unlock their data.

Other companies affected by the attack were advertising giant WPP, French company Saint-Gobain and Russian steel and oil firms Evraz and Rosneft. It is reported that all Windows servers, PCs and laptops were affected by the malware.

Kaspersky Lab, a Russian cybersecurity company, revealed that organizations in Ukraine and Russia were the hardest hit by the latest variant of the ransomware.

Who Was Behind The Attack?

MetDoc, a Ukrainian fintech company, is reported to be the primary source of the NotPetya ransomware. Hackers breached MetDoc’s computer systems and compromised a software update that the company pushed out to its customers on 22 June.

This time around, the hackers went a step further: they “asked the victims to send their wallet numbers by e-mail to ‘wowsmith123456@posteo.net’, thus confirming the transactions”, wrote Kaspersky Lab.

How Does It Work?

The cybersecurity giant explains that the attack was mounted using custom tools similar to Mimikatz.

  • The ransomware extracts credentials from the lsass.exe process
  • The credentials are passed to PsExec or WMIC for distribution inside the network
  • The malware waits 10-60 minutes after infection before rebooting the system
  • The ransomware then encrypts the MFT of NTFS partitions and overwrites the MBR with a custom loader that displays the ransom note
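The four steps above map onto host telemetry a defender can correlate: access to the lsass.exe process, PsExec or WMIC being launched against another host, and a process opening the disk directly. The script below is an added example, not code from the article or from Kaspersky/Talos. It runs over a handful of constructed Sysmon-style events (EventID 10 ProcessAccess, EventID 1 ProcessCreate, EventID 9 RawAccessRead) with invented hostnames, paths and timestamps, and raises an alert for a host that shows two or more of those stages within a 60-minute window. The allowlisted antivirus path and the `dropper.exe` name are placeholders, not indicators from this incident.

```python
"""Correlate lsass access, PsExec/WMIC remote execution and raw disk access
per host, following the infection chain described in the article.
Added example; events below are constructed, not real logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified Sysmon-like shape.
# WS-A shows the full chain; WS-B shows benign activity that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T10:02:11", "host": "WS-A", "EventID": 10,
     "SourceImage": r"C:\Windows\Temp\dropper.exe",            # placeholder name
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"ts": "2017-06-27T10:03:40", "host": "WS-A", "EventID": 1,
     "Image": r"C:\Windows\Temp\psexec.exe",
     "CommandLine": r"psexec.exe \\WS-B -s cmd.exe"},
    {"ts": "2017-06-27T10:05:02", "host": "WS-A", "EventID": 1,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /node:WS-C process call create cmd.exe"},
    {"ts": "2017-06-27T10:06:30", "host": "WS-A", "EventID": 9,
     "Image": r"C:\Windows\Temp\dropper.exe", "Device": r"\Device\HarddiskVolume1"},
    # Benign: an AV engine reading lsass, and an admin running an inventory query.
    {"ts": "2017-06-27T10:10:00", "host": "WS-B", "EventID": 10,
     "SourceImage": r"C:\Program Files\ExampleAV\scanner.exe",  # placeholder
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"ts": "2017-06-27T10:11:00", "host": "WS-B", "EventID": 1,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]

# Processes legitimately allowed to open lsass (constructed allowlist; tune per estate).
LSASS_ALLOWLIST = {r"c:\program files\exampleav\scanner.exe"}

# WMIC used for remote execution: a /node: target plus "process call create".
WMIC_REMOTE_EXEC = re.compile(r"/node:\S+.*process\s+call\s+create")


def stage_of(ev):
    """Map one event to a stage of the described chain, or None if it is not one."""
    eid = ev["EventID"]
    if eid == 10 and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        if ev.get("SourceImage", "").lower() not in LSASS_ALLOWLIST:
            return "credential_access"           # step 1: reading lsass memory
    if eid == 1:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if image.endswith(("psexec.exe", "psexec64.exe")):
            return "lateral_movement"            # step 2: PsExec distribution
        if image.endswith("wmic.exe") and WMIC_REMOTE_EXEC.search(cmd):
            return "lateral_movement"            # step 2: WMIC distribution
    if eid == 9:
        # Sysmon's closest signal for a process touching the volume directly
        # (MFT/MBR tampering); treat as a weak indicator on its own.
        return "raw_disk_access"                 # step 4: MFT/MBR tampering
    return None


def correlate(events, window=timedelta(minutes=60), min_stages=2):
    """Return {host: [stages]} for hosts showing >= min_stages distinct stages
    inside any window-sized interval. Single stages alone do not alert."""
    by_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

The two-stage threshold is what keeps the benign host quiet: a single lsass read by an allowlisted scanner or a local `wmic` query never counts, while lsass access followed by PsExec/WMIC against other hosts on the same machine is the pattern worth paging on. In a real SIEM the same logic would be expressed over the actual Sysmon fields and the window tuned to the 10-60 minute reboot delay the article describes.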

To understand the workings of the ransomware in detail, readers may refer to Securelist and Cisco’s Talos Intelligence Group blog. The latter calls it the ‘Nyetya’ ransomware. Talos Intelligence gave its own version of the inner workings of the ransomware.

Consequences

At the time of writing the news, the hackers have “accrued 24 transactions totaling 2.54 BTC or just under $6,000 USD”.

The current ransomware attack is more sophisticated in nature compared to the earlier one called ‘WannaCry’. The hackers were able to improve the payment process, though the email service provider shutting the hackers’ mailbox might restrict people from obtaining the decryption keys.

How To Protect Your Files from Ransomware Encryption?

  • The first thing is to use comprehensive antivirus software
  • Update Microsoft Windows and all third-party software
  • Avoid opening unwanted email attachments and files
  • Back up your sensitive data to prevent file loss due to ransomware
