Ukraine, Spain, Netherlands, Germany, and the United States have all reported attacks from a new ransomware named “NotPetya” by Kaspersky Labs.
Whats Going On?
Throughout the day, reports have come in from around the word of a global ransomware attack dubbed NotPetya. Russian multinational cybersecurity firm Kaspersky Labs said initial data shows 2,000 attacked users so far.
Kaspersky Labs confirmed that a modified version of the NSA-leaked tool EternalBlue is responsible for the spreading over internal networks. The EternalBlue exploit was also utilized in the recent WannaCry ransomware outbreak. These attacks come just a month after the WannaCry attacks.
Microsoft has issued patches since the WannaCry attacks. However it seems not everyone has taken the necessary steps to harden their systems. A Kaspersky Labs spokesperson said:
“Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. That is why we named it Notpetya.”
More Details on the Attack
NotPetya locks the user out of the computer entirely. In the past, we have seen ransomware attacks that just lock down a specific file or folder — however NotPetya locks you out of your computer by taking over the entire file system and forcing a reboot.
On booting your PC, the only screen you will see is a message prompting you that your file system has been encrypted and the only hope of getting back your computer is to pay $300 in bitcoin.
There is a Bitcoin address to make that payment, and an email address which a user can also use to make the payment. The email account has been shut down by the hosting company. At the time of this writing, the bitcoin Address has 3.277 BTC or $7,907.04 USD.
NotPetya Spreads Fast
NotPetya has a unique set of tools that have allowed for rapid replication within a network. EternalBlue allows for the SMB exploitation. Additionally, there are other tools which then capture usernames and credentials for spreading across the internal network.
As the spread happens, the process repeats itself until eventually it finds a computer that has administrative usernames and passwords. If an administrative account is compromised, then all nodes on that network can be much more quickly locked down utilizing the WMI tool.
Do ransomware attacks represent a problem for Bitcoin? Let’s hear your thoughts.
Images via Pixabay