Security Bulletin: NotPetya Ransomware Attack

UPDATED 6/28/2017 14:20 MDT

Organizations across the globe -including some in the U.S.- have been struck by the NotPetya ransomware malware.

NotPetya initially attacks via a phishing email, exploiting the same vulnerabilities found in un-patched operating systems as the WannaCry attack last May. However, NotPetya also gains administrator access to the network using one of two Microsoft administration tools and uses this access to infect other computers on the network. This method allows NotPetya to infect even patched computers on the immediate network.

The first steps in an effective defense require human and technical strategies:
1. Make sure all operating systems have the latest manufacturers updates and patches.
2. Provide training so employees recognize the signs of phishing and spearphishing emails.

In addition, some security researchers are recommending blocking outside access to ports 137, 138, 139 and 445 and disabling SMBv1. At a higher level, organizations should employ granular governance policies to ensure administrator credentials have specific access to specific computers and systems as opposed to carte blanche access to network devices and systems.

What to do if you are infected.

NotPetya is difficult to clean because it uses admin credentials to spread. If you have a backup of your computer, you should take the computer off the network and restore the computer using a backup from before the infection date and time. Using another computer, you should download the patch from Microsoft (found here https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) and install the patch on your newly restored computer. The computer should now be free of the infection.

If you do not have a current backup, there is no easy solution. Security teams have shut down the payment mechanism in NotPetya, so you are unlikely to receive the decryption key even if you do pay the ransom. The only viable option is to format your hard drive and install a fresh copy of the operating system. This will result in the loss of any data on the infected computer. Make sure the new operating system has all current patches installed and your admin credentials have not been exploited before accessing a network or the internet.

If you think you may have a NotPetya infection, please call us immediately at 303.757.0779.

For help developing a cybersecurity program and conducting a security audit, contact us at 303.757.0779.