WannaCry’s ransomware brother is a wolf in sheep’s clothing

July started off with a different sort of bang as a more sinister and quieter ransomware began infecting systems worldwide. The ransomware is being called NotPetya, and it spreads using the same exploit, EternalBlue, that WannaCry took advantage of. It spread more slowly than WannaCry, but that is not necessarily a good thing.

The ransomware made its debut at the end of June, but only recently has the hacker group behind the attack given any sign of life. A Bitcoin wallet associated with the attack was emptied of its funds, about $10,000, which were moved to another account. There have been no confirmed instances of the group decrypting victims’ files, which leads researchers to believe the true goal was to wipe systems and spread havoc.

Hackers’ motivations still muddled

NotPetya first struck in Ukraine, hitting 12,500 machines running older versions of Microsoft Windows before moving into 64 other countries. Both large and small companies are confirming that they have been hit by NotPetya.

It was originally identified as Petya, the strain of ransomware Kaspersky Lab reported in March 2017, but it has since been discovered to be an entirely new strain. To avoid confusion with the other ransomware that also hit Ukraine, it has been given the very original name NotPetya. The name may be tongue-in-cheek; the ransomware is anything but cute.

Victims of NotPetya were shown a screen that said: “Oops, your important files have been encrypted. If you see this text then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking to recover your files but don’t waste your time.” It also provided a link to an online Bitcoin wallet where victims could deposit funds, trusting in good faith that the hackers would decrypt the files.

NotPetya was able to spread by leveraging the EternalBlue exploit alongside several other vulnerabilities. It is what cybersecurity researchers have been fearing since WannaCry hit the global scene in May 2017. WannaCry used its exploits in a straightforward manner, combining two NSA exploits that had been exposed by the hacker group TheShadowBrokers; NotPetya combines the exploit with software found in nearly every company.

Doesn’t need a back door when the front door is wide open

The ransomware originally spread through a forged payload delivered by the automatic update mechanism of MeDoc, a program commonly found in Ukraine. MeDoc denied the allegations, but with 60% of NotPetya’s victims originating in Ukraine, many are confirming their systems were hit by a malicious forced MeDoc update. And that is the problem.

NotPetya takes advantage of the fact that many software auto-updaters run with admin privileges. An update can be delivered safely to each computer in your network, if it is a legitimate update and not a wolf in sheep’s clothing like NotPetya, and the updater routinely makes outgoing encrypted connections that are allowed to bypass your firewall. In many cases, NotPetya was pushed through without early detection systems kicking in to protect the systems, which means that by the time admins realized what was happening it was too late to stop it.
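The defensive counterpart to the problem described above is to refuse to run any auto-delivered update with admin rights unless it is validly signed by the publisher you expect. The following PowerShell script is an added example written for this article; it is not code from MeDoc, Microsoft or any vendor. It uses the real `Get-AuthenticodeSignature` cmdlet, but the update path, the `-Install` switch and the pinned thumbprint list are placeholders you would replace with the thumbprints taken from a known-good release.

```powershell
# Added example: gate an administrative update install on (1) a valid
# Authenticode signature and (2) a signer certificate thumbprint that matches
# a pinned list. Placeholder values are marked as such.
param(
    [Parameter(Mandatory = $true)]
    [string]$UpdatePath,
    # Placeholder: replace with the SHA-1 thumbprint(s) of the certificate(s)
    # the vendor actually signs with, copied from a known-good release.
    [string[]]$PinnedThumbprints = @('0000000000000000000000000000000000000000'),
    # Only launch the installer when this switch is given.
    [switch]$Install
)

function Test-UpdateSignature {
    param([string]$Path, [string[]]$Pins)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Any status other than Valid (NotSigned, HashMismatch, NotTrusted, ...)
    # means the file was never signed, or was altered after signing.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }

    # A valid chain alone is not enough: a forged update could be validly
    # signed by some other publisher. Pin the signer you expect.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($Pins -notcontains $thumb) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "unexpected signer $thumb" }
    }

    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "signed by pinned certificate $thumb" }
}

$result = Test-UpdateSignature -Path $UpdatePath -Pins $PinnedThumbprints
Write-Output $result

if (-not $result.Trusted) {
    # Log and stop; nothing below runs for an untrusted file.
    Write-Warning "Refusing to install $UpdatePath : $($result.Reason)"
    exit 1
}

if ($Install) {
    # Reached only for a validly signed file from a pinned publisher.
    # '/quiet' is a placeholder; use the installer's real silent-install flag.
    Start-Process -FilePath $UpdatePath -ArgumentList '/quiet' -Verb RunAs -Wait
}
```

Run it as `.\Check-Update.ps1 -UpdatePath C:\path\to\update.exe -PinnedThumbprints <thumbprint>` and add `-Install` only once the check reports `Trusted : True`. The thumbprint pin is the part that matters: a forged update that carries a valid signature from the wrong certificate still fails, and a rotated vendor certificate shows up as an explicit `unexpected signer` result rather than a silent install.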

You may want to make sure your systems have downloaded Microsoft’s security update that patched EternalBlue, but even systems that were previously patched against WannaCry are not safe. You may have automated your updates to speed up the process, but it would be a wise move to double-check that you are not creating a hole in your security for wolves to slip in through.
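For the first check above, a quick way to see where a Windows host stands is to report whether SMBv1 (the protocol EternalBlue targets) is still enabled and whether the March 2017 security update for it (Microsoft bulletin MS17-010) is present. The script below is an added example, not from the article or from Microsoft. The cmdlets are real; the KB list is this example's assumption based on the MS17-010 bulletin, so confirm it against the bulletin for your OS versions, and note that later cumulative updates supersede these KBs and will not appear under these numbers.

```powershell
# Added example: audit a single host for SMBv1 exposure and the MS17-010
# hotfixes. Run elevated so the optional-feature query succeeds.
function Get-EternalBlueExposure {
    # Assumed list of MS17-010 KB numbers (March 2017); verify against the
    # bulletin for the OS versions you run.
    $ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012215',
                    'KB4012216', 'KB4012217', 'KB4012598')

    $installed = Get-HotFix |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Server-side SMBv1 switch; the cmdlet exists on Windows 8/2012 and later.
    $smb1Server = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Optional-feature state (null if not elevated or cmdlet unavailable).
    $smb1Feature = $null
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $smb1Feature = $feature.State }

    $recommendation =
        if ($smb1Server -eq $true -or $smb1Feature -eq 'Enabled') {
            'Disable SMBv1 and confirm MS17-010 (or a superseding cumulative update) is installed'
        } elseif (-not $installed) {
            'SMBv1 not enabled; still confirm a superseding cumulative update is installed'
        } else {
            'MS17-010 present and SMBv1 disabled'
        }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [System.Environment]::OSVersion.Version.ToString()
        MS17010Hotfixes   = if ($installed) { $installed -join ',' } else { 'none matched' }
        SMB1ServerEnabled = $smb1Server
        SMB1FeatureState  = $smb1Feature
        Recommendation    = $recommendation
    }
}

Get-EternalBlueExposure | Format-List
```

Because the KB match can miss hosts that received the fix through a later cumulative update, treat `none matched` as "confirm manually" rather than "unpatched"; the SMBv1 fields are the more durable signal, since disabling the protocol removes the exposure regardless of which update delivered the fix.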