Hey Everyone! Bit of an update with a bit of a prod from @revin and @Norton. I wanted to do a short write-up about the latest in headlining crypto crazes. Today we will go over "NotPetya/Goldeneye", a ransomware variant that was thought to be a revision of Petya but, unlike its namesake, harbors multiple escalation techniques and includes EternalBlue code, which the widely known "WannaCry" strain used.
For those that want to go into it, Microsoft actually has a decent write-up here.
NotPetya, like other forms of new ransomware, has incredibly high infection rates. Not only are these viruses able to damage sensitive or otherwise important data, but they also generally carry the ability to infect entire networks of machines and are capable of infecting a host in multiple ways.
This is dangerous because such infections are not easily mitigated by patching "one hole" but instead are defended against using a layered security approach, such as being fully patched and having security software. However, that isn't to say that you are immune even if your system is in tip-top shape; these infections are dangerous and can fell even the newest of systems. With more likely to appear as ransomware becomes ever more popular, it's important to keep these things in mind:
- Make sure your PC is FULLY patched, at least once a month
- Make sure you are using some kind of active protection
- Make sure you and other users in your environment are security aware; you don't have to be the weakest link to be hit (remember these infections can span networks)
- Keep separate backups of your important documents. External is best.
With these things in mind and NotPetya on the rise, there is hope. Much like WannaCry 1.0's domain kill switch, there is a way to "vaccinate" yourself against NotPetya. Now, this doesn't mean the infection cannot spread and doesn't mean that your machine can't be exploited. However, Amit Serper has found a way to stop the ransomware from encrypting the host it has managed to exploit. It seems the infection looks for a specific file in C:\Windows and, if it is found, halts the encryption process. With the secret now in the wild, Lawrence Abrams of BleepingComputer was able to piece together Amit's technique into a batch file that can be run to create the necessary files needed to stop NotPetya.
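The same idea in PowerShell, as an added example that is not the BleepingComputer batch file and not code from the original post. It assumes the file names publicly reported from Amit Serper's research (`perfc`, `perfc.dat`, `perfc.dll`); those names do not appear in this post, so verify them against a current source before relying on them. The script creates each file in `%SystemRoot%` if it is missing, marks it read-only, and then re-checks that the marker is in place.

```powershell
# Added example (not the post's batch file): create read-only "vaccine" files
# in C:\Windows that NotPetya checks for before it starts encrypting.
# ASSUMPTION: the names below are the widely reported ones from Amit Serper's
# research; they are not on this page, so confirm them before use.
#Requires -RunAsAdministrator

$vaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')
$windowsDir   = $env:SystemRoot   # normally C:\Windows

function New-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Create an empty file; the malware only tests for existence.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    # Read-only so a casual process cannot overwrite or delete it.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
}

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    return ($null -ne $item) -and $item.IsReadOnly
}

foreach ($name in $vaccineNames) {
    $full = Join-Path -Path $windowsDir -ChildPath $name
    New-VaccineFile -Path $full
    if (Test-VaccineFile -Path $full) {
        Write-Host "OK      $full (present, read-only)"
    } else {
        Write-Warning "FAILED  $full"
    }
}
```

Run it from an elevated PowerShell prompt; the `#Requires` line stops it early if it is not. Re-running is safe because existing files are left alone and only the read-only attribute is reapplied.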
While the files help prevent the infection, I must stress it does not prevent the machine from being broken into. That said, it should be noted that lateral movement of the infection seems dependent on EternalBlue and on exploits against machines that run in domain environments. While end users that are NOT part of a domain don't necessarily need to worry about those methods of exploitation, they do need to make sure they are patched for the same SMB 1.0 bug that EternalBlue and DoublePulsar used.
This is an ongoing report; NotPetya is still being analysed and its characteristics understood. Remember there are HUNDREDS of ransomware variants in the wild, not just what catches your eye in the headlines.
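A quick way to check the SMB 1.0 exposure the paragraph above refers to, as an added example that is not part of the original post. It reports whether the SMBv1 server protocol, the SMB1Protocol optional feature, and the SMBv1 client driver are still enabled on the local Windows host, and optionally whether a given update is installed. The KB number for the MS17-010 fix differs by Windows version and is not on this page, so it is taken as a parameter rather than hard-coded; `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` need Windows 8.1/Server 2012 R2 or later, and the script treats their absence as "unknown" rather than failing.

```powershell
# Added example (not from the post): report SMBv1 posture on this host.
# EternalBlue/DoublePulsar target SMBv1, so "disabled everywhere" plus the
# MS17-010 update is the state you want to see.
#Requires -RunAsAdministrator

function Get-Smb1Posture {
    param(
        # ASSUMPTION: supply the MS17-010 KB id for your OS build, e.g. -KbId 'KBnnnnnnn'.
        # Left optional because the right number is not on this page.
        [string]$KbId
    )
    $posture = [ordered]@{}

    # Server side: SMBv1 protocol switch in the SMB server configuration.
    $server = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $posture['SMB1ServerEnabled'] =
        if ($server) { [bool]$server.EnableSMB1Protocol } else { 'unknown' }

    # Windows optional feature (Windows 10 / Server 2016 and later).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $posture['SMB1FeatureState'] =
        if ($feature) { $feature.State.ToString() } else { 'n/a' }

    # Client side: the mrxsmb10 driver. Start=4 means disabled.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    $posture['SMB1ClientDriver'] =
        if ($null -eq $drv) { 'not present' }
        elseif ($drv.Start -eq 4) { 'disabled' }
        else { "enabled (Start=$($drv.Start))" }

    # Optional: is the named update installed?
    if ($KbId) {
        $fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
        $posture["Update_$KbId"] = if ($fix) { 'installed' } else { 'MISSING' }
    }

    return [pscustomobject]$posture
}

# Usage: print the posture; pass -KbId with the MS17-010 update for this OS.
Get-Smb1Posture | Format-List
```

If the server switch shows `True` or the feature shows `Enabled`, `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` and `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` turn them off; check first that nothing on the network (old NAS boxes, printers) still depends on SMBv1 before doing so.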
Stay safe out there.