A new strain of ransomware is currently hitting computers across the world. Like the recent WannaCry attack, this one, called NotPetya, uses an NSA exploit leaked earlier this year.
The highest rate of infection appears to be in Ukraine, where multiple government systems have been locked down. Ransomware is not confined be geographic borders, though. This new malware is already popping up in other European countries, as well as in the US.
You can tell NotPetya from other forms of ransomware from the stripped down notice on the screen; it’s a plain black background with red text. Some ransomware tries to look like part of Windows, and others include fancy add-ons like a timer or links to resources about Bitcoin. NotPetya is straight to the point—pay up or never see your files again.
In the early hours of the attack, Kaspersky reported the new ransomware was just a modified version of the previously known Petya software. However, it later revised that assessment, saying this is a completely new piece of malware, which it has dubbed “NotPetya.” The rate of infections is similar to WannaCry last month, and it even uses the same “EternalBlue” Windows vulnerability from the NSA leak.
The list of agencies and organizations hit so far is extensive. In Ukraine, the central bank, a state telecom, municipal metro, and Kiev’s Boryspil Airport have all been infected. Even the Chernobyl nuclear site has been hit, leading operators to switch over to manual radiation monitoring. Russian state oil company Rosneft is experiencing problems with NotPetya as well. In the US, pharmaceutical company Merck, law firm DLA Piper, and a number of hospitals have been infected. Some smaller systems have also been shut down by NotPetya, including ATMs and retail outlets. There’s a supermarket in Ukraine where all the point-of-sale terminals have been infected, which is crazy to see.
Like all ransomware, NotPetya encrypts important files when it lands on a new machine. It then displays a notice to users that a Bitcoin ransom must be paid in order to get the decryption key. In the case of NotPetya, victims are instructed to send $300 worth of Bitcoins to a blockchain address, then send their Bitcoin wallet ID and unique encryption code to an @posteo email (since disabled). If you believe the scammers, the decryption key will then be sent to unlock the computer. Without the email address, paying the ransom is completely useless in this case.
Microsoft issued a patch for EternalBlue in the wake of the WannaCry attack, going all the way back to XP. So, any Windows PC should be immune to NotPetya now. The rate at which NotPetya is spreading is yet another reminder that people don’t install their updates. You almost can’t blame Microsoft for making updates mandatory in Windows 10.