28 Jun 2017

New ransomware campaign known as NotPetya

Updated at 1.30pm

A new ransomware campaign referred to as NotPetya (originally reported as Petya) is affecting Microsoft Windows devices globally. To protect your network, it’s critical to ensure that all devices are patched. CERT NZ also strongly recommend that affected parties do not pay the ransom, our understanding is that files are not being recovered, even in instances where the ransom is paid.

In many ways, this ransomware is behaving similarly to WannaCry — it infects unpatched Windows devices by exploiting a vulnerability in SMB server. A point of difference that this ransomware has from WannaCry is that it’s propagated through a combination of the EternalBlue exploit, harvested credentials and either PsExec, WMI or both. As such, a device that has been patched against EternalBlue can still be compromised by an unpatched, infected device.

There are reports that a 'kill file' can be created that will prevent the ransomware from executing — details can be found below.

CERT NZ strongly recommends that the ransom is not paid under any circumstances. At least one email address used to communicate with the attackers has been taken down, and subsequent email addresses are likely to be taken down as well. This means that you will not be able to recover your files even if you pay the ransom.

Read more about EternalBlue External Link