This could have been prevented with timely updates
This morning a new exploit wreaked havoc across six continents. This seems to be a variation of the Petya virus ransomware that first appeared over a year ago. However, this more dangerous version takes advantage of the same Windows vulnerability used by WannaCry, and although it looks like ransomware, it actually isn’t. Microsoft released a patch for the EternalBlue vulnerability in March, yet most companies delayed applying it, and many paid the price when WannaCry hit in May. With as much publicity as WannaCry generated, you would think that everyone who could would apply the patch and the whole world would be safe – but that is clearly not what happened. notPetya continues to propagate and infect companies around the world that have delayed applying the patch, and the cycle continues.
The EternalBlue Windows vulnerability was first exploited by hacking tools developed by the NSA. Microsoft responded quickly and released a patch in March that renders EternalBlue attacks harmless on any system where it is installed. However, the broad impact of WannaCry proved that such patches are typically not applied quickly after release. WannaCry should have been a huge wake-up call about the importance of applying security patches promptly, but clearly the warning was not sufficient: notPetya seems to be spreading faster than WannaCry, and may yet infect even more Windows computers.
What is notPetya?
This infection locks the computer and displays a ransom note very similar to the one displayed by Petya, leading people to assume it is the same thing. However, there are differences. This exploit takes advantage of a flaw in Microsoft’s Server Message Block (SMB) service to propagate and infect many computers in a very short amount of time. It still encrypts the disk and presents a ransom note that locks the user out of the system, but, apparently inspired by WannaCry, its developers chose to spread it through the same EternalBlue vulnerability that the NSA had uncovered.
It looks like ransomware because it presents a screen telling the user that their files are encrypted and they must pay to regain access. In fact, many people have apparently paid the ransom. Yet there is no evidence that anyone has received a key to decrypt their files. Typical ransomware presents a unique set of information (such as the Bitcoin address) to each victim, ensuring that every user must pay and that decryption keys cannot be shared. The fact that the messages are all identical suggests that the intention of this exploit is purely destructive: it collects whatever ransoms it can along the way, with no intention of ever releasing the files.
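The per-victim identifier check described above, turned into a small triage script. This is an added example, not code from the post; the ransom-note layout, field names and every sample value are constructed assumptions, not real notPetya text.

```python
# Added triage example: compare ransom notes gathered from several hosts.
# Typical ransomware embeds a per-victim payment address or key; a note whose
# identifiers are the same on every host suggests there is nothing to decrypt.
import re
from collections import Counter

# Field patterns assumed for the constructed note layout below; adjust to your sample.
FIELD_PATTERNS = {
    "btc_address": re.compile(r"Bitcoin to:\s*([1-9A-HJ-NP-Za-km-z]{26,35})"),
    "install_key": re.compile(r"installation key:\s*([A-Za-z0-9-]+)"),
}

def extract_fields(note: str) -> dict:
    """Pull the victim-facing identifiers out of one ransom note (None if absent)."""
    found = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(note)
        found[name] = match.group(1) if match else None
    return found

def assess_notes(notes_by_host: dict) -> dict:
    """Count distinct values per field across hosts and give a recoverability verdict."""
    per_field = {name: Counter() for name in FIELD_PATTERNS}
    for note in notes_by_host.values():
        for name, value in extract_fields(note).items():
            per_field[name][value] += 1
    distinct = {name: len(counter) for name, counter in per_field.items()}
    hosts = len(notes_by_host)
    # Every identifier identical on more than one host: no per-victim keying at all.
    identical = hosts > 1 and all(count == 1 for count in distinct.values())
    verdict = "identical_note_likely_destructive" if identical else "per_victim_identifiers"
    return {"hosts": hosts, "distinct": distinct, "verdict": verdict}

# Constructed note layout and sample values (not the real notPetya text).
NOTE_TEMPLATE = (
    "Your files have been encrypted.\n"
    "Send $300 worth of Bitcoin to: {addr}\n"
    "Your personal installation key: {key}\n"
)
IDENTICAL_NOTES = {
    host: NOTE_TEMPLATE.format(addr="1ConstructedAddrAAAAAAAAAAAAAAAAAA", key="CONSTRUCTED-KEY-0001")
    for host in ("host-a", "host-b", "host-c")
}
PER_VICTIM_NOTES = {
    f"host-{i}": NOTE_TEMPLATE.format(addr=f"1ConstructedAddr{'B' * 17}{i}", key=f"CONSTRUCTED-KEY-{i:04d}")
    for i in range(1, 4)
}

if __name__ == "__main__":
    print(assess_notes(IDENTICAL_NOTES))   # verdict: identical_note_likely_destructive
    print(assess_notes(PER_VICTIM_NOTES))  # verdict: per_victim_identifiers
```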
There is no evidence yet that any of the infected computers can be recovered. When you reimage the infected computers, and also for all of the computers that were not affected, please be sure to apply all of the latest security patches. Microsoft was even considerate enough to create a patch for Windows XP and Server 2003, which it no longer supports. The only computers that will have a problem with this are those running illegal copies of Windows, which cannot be patched.
What can we learn from this?
WannaCry and notPetya are exploits that target Microsoft Windows, so our audience, which is more focused on mobile operating systems, may be thinking that this doesn’t apply to them. That is very far from the truth. While these particular exploits cannot touch your iOS and Android mobile devices, those platforms are no strangers to ransomware, and you can bet there will be similar exploits that target mobile.
We at Skycure continue to recommend updating devices to the latest version of the operating system as one of the most effective things you can do to reduce the risk to mobile devices. This shortens the window of vulnerability during which attackers can successfully infiltrate your devices. Skycure has a unique feature we call OS Upgradability, specifically designed to help with this. iOS users will typically learn about a new update from Skycure several hours to several days before the notice from Apple arrives. The advantage on Android is far more dramatic because of the severe fragmentation of Android across the many different hardware and carrier variations, which can delay user updates for six months or more. Skycure will notify you as soon as an update is available for each specific device variation.
Top recommendation for all devices: Always update your OS as soon as possible.
Top recommendation for mobile devices: Get Skycure.