What has happened?
On Tuesday, June 27th, a large-scale ransomware attack dubbed ‘NotPetya’ spread through organisations across the globe. While the attack appears to specifically target Ukraine, a number of other western organisations have fallen victim, including Russian oil giant Rosneft, British advertising firm WPP and US law firm DLA Piper.
Why has it happened?
Windows computer systems that are not up to date are vulnerable to exploits identified by hackers.
Attackers have modified the recently leaked NSA exploits ‘EternalBlue’ (previously used by WannaCry) and ‘EternalRomance’, both of which target the vulnerable SMBv1 service on unpatched Windows computer systems.
What do I need to do?
If ALL your Windows systems are up to date, you should be protected. It is worth noting, however, that while updating Windows will prevent the initial infection, once a computer is infected the malware will attempt to spread to other computers using any recovered network credentials. For this reason it is important to ensure every computer on your network is patched, and any Anti-Virus software is up to date.
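As a starting point for checking each machine, the following added example (not part of the original advisory) reports whether the SMBv1 server and client are still enabled on a Windows host and when the most recent update was installed. The function name `Get-Smb1Status` is our own; the script only reads settings, and a recent update date is an indicator to follow up on, not proof that the host is patched.

```powershell
# Added example: read-only report of SMBv1 state and last installed update.
# Run from an elevated PowerShell prompt on the host being checked.
function Get-Smb1Status {
    $result = @{
        ComputerName = $env:COMPUTERNAME
        ServerSMB1   = 'Unknown'
        ClientSMB1   = 'Unknown'
        LastUpdate   = 'Unknown'
    }

    # Server side: newer Windows versions expose the setting via this cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        $result.ServerSMB1 = if ($cfg.EnableSMB1Protocol) { 'Enabled' } else { 'Disabled' }
    }
    else {
        # Older Windows: registry value SMB1 = 0 disables it; a missing value means enabled.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.ServerSMB1 = if ($val -eq 0) { 'Disabled' } else { 'Enabled' }
    }

    # Client side: the mrxsmb10 driver has Start = 4 when the SMBv1 client is disabled.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                            -ErrorAction SilentlyContinue
    if ($null -eq $drv)       { $result.ClientSMB1 = 'Not installed' }
    elseif ($drv.Start -eq 4) { $result.ClientSMB1 = 'Disabled' }
    else                      { $result.ClientSMB1 = 'Enabled' }

    # Most recent update with a recorded install date (some entries have none).
    $last = Get-HotFix | Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($last) { $result.LastUpdate = '{0} on {1:yyyy-MM-dd}' -f $last.HotFixID, $last.InstalledOn }

    New-Object PSObject -Property $result |
        Select-Object ComputerName, ServerSMB1, ClientSMB1, LastUpdate
}

Get-Smb1Status | Format-List
```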
If you’re concerned you may have been infected, a vaccine (not a killswitch) has been discovered that stops the encryption process in its tracks. However, the computer will still be a ‘carrier’, and will attempt to spread the infection through the network.
Our advice is to NOT pay the ransom. Posteo, the email provider hosting the attackers’ inbox, has shut down the email address specified by the malware. Unfortunately, this means that if you have been affected by NotPetya, you will not be able to access your files unless the decryption key is recovered.
In addition, as normal, please avoid clicking on links or opening attachments from unknown and untrusted sources.
Further advice from Securious about ransomware can be found here.