As if last month’s major malware attack wasn’t enough, today we’re hearing about a large-scale ransomware attack that is crippling IT systems around the world. While some of the details are a little unclear at this early stage, it’s obvious that this is a massive attack. It may even take advantage of the same weaknesses that allowed WannaCry to spread so quickly last month.
In speaking to the BBC, Professor Alan Woodward from the University of Surrey identifies this new ransomware as a variant of Petya, which first appeared in early 2016. Assuming that’s what this ransomware actually is, then this new threat cripples operating systems by taking over their Master File Table.
Instead of encrypting files individually, ransomware like Petya attacks the MFT directly, leaving the operating system blind when it comes to finding files. Essentially, it delivers the same effect as if it had individually encrypted files, only it’s able to do it much faster by focusing on the MFT specifically.
However, in a tweet posted shortly after news of the new ransomware began hitting, Kaspersky cast doubt on the idea that this threat is based on Petya. “Our preliminary findings suggest that it is not a variant of Petya ransomware as publically [sic] reported, but a new ransomware that has not been seen before,” Kaspersky says. “That is why we have named it NotPetya.”
Kaspersky says that it has detected around 2,000 affected users so far. In this attack, Russia and Ukraine have been hit the hardest, though the ransomware has also spread to Poland, Italy, the UK, Germany, France, and the US. Even with this uncertainty surrounding the attack, one thing is fairly obvious: whatever ransomware this is, it’s spreading quickly throughout the world.
Those who are affected by the attack are being told not to pay the ransom, as the perpetrators no longer have access to the contact email address they list in the ransom message. As spotted by Twitter user @HBIC2017, the company responsible for hosting the attackers’ email has announced that the account has been locked. Even if you did pay the ransom, then, there presumably isn’t a way for the attackers to receive notifications of such payment.
Kaspersky says that the best way to prevent this new ransomware from spreading to your machines is to make sure your Windows installations are up to date – something that’s outright impossible for organizations still using legacy Windows software. The prevalence of unsupported Windows OSes is partly why WannaCry was able to gain such a foothold, so this new ransomware attack serves to further stress the importance of keeping operating systems up to date.
Beyond updating Windows, ensuring you’ve got backups of important data on hand and installing some kind of ransomware detection are also critical to avoid being hit hard by this attack. Obviously, since this is still a developing story, we’ll have more news on this soon, so keep it here at SlashGear for more.