Skip to content

June 29, 2017 | Paul Mazzucco

Immediate Actions to Take in Response to NotPetya Malware

Another ransomware attack has made the news. This one was originally dubbed Petya because of its resemblance to a ransomware discovered in 2016. (And now formally NotPetya because of its differences.) As we did earlier this year when companies across the globe were hit with WannaCry, we’ll share what we know so far and the immediate actions you should take.

Please Note: Petya was first reported on Tuesday, June 27, 2017, so some of this information may change as new information becomes available. It’s unlikely that our guidance will change substantially, but if it does, we will update this post.

What we know so far

This attack looks to be significantly different than the WannaCry attack in a very important way. Unlike the WannaCry virus, which was designed to spread rapidly throughout the Internet, NotPetya is more focused on internal networks. Thankfully, this makes your chances of getting infected more remote so long as you aren’t on the same network as the (still-undetermined) initial source or vector.

The distribution model of this ransomware is based on the EternalBlue (MS17-010) exploit released into the Darkweb from the NSA tool hacks from April, 2017. In addition to exploiting MS17-010, NotPetya can also exploit known Microsoft administration tools such as PsExec and WMIC.

NotPetya also seemed to originally be focused on companies in the Ukraine and Russia, leading some to believe it may be a politically motivated attack. However, that does not mean your chances of being affected are nil if you’re not in the targeted region. So far, several companies and institutions in other European countries have been infected, and at least one company in the US, Merck Pharmaceuticals, has said they were affected. How they were affected is still not known.

Like WannaCry, Petya exploits a vulnerability in many versions of the Microsoft Windows operating system. To their credit, Microsoft quickly released a patch back in March when this vulnerability was discovered and even offered it for older, unsupported versions of Windows.

Actions to take

In the unlikely event you are infected, the first thing that happens is that your system will try to reboot. You can interrupt that process and prevent further spread of the malware throughout your network by shutting off your machine and disconnecting it from the network. At this point, there is no way to cleanse your system, so you will need to reformat your hard drive and reinstall your files from a backup. It’s events like this that demonstrate why backups, even though they can seem antiquated to those of you who have sophisticated failover processes in place, should be part of a complete disaster recovery plan.

Related post: A Business Continuity & Disaster Recovery Plan for Any Disruption

Also, if you are infected, don’t bother trying to pay the ransom even though they’re only asking for $300. The ransom request was so unsophisticated that it was easily shut down so you couldn’t even pay the ransom if you tried. This lack of sophistication is another reason why authorities think money was not the primary motivation the way it has been with other ransomware attacks.

To help prevent infection, there are four actions you should take immediately.

#1 Apply patches to your OS. The best advice is always to make sure your systems are up-to-date, including any OS patches released by the developer. It probably goes without saying that you might not want to rely on your employees to do this themselves. In the era of ransomware, patch management is best handled centrally.

OS Patching is really one of the easiest to perform methods of protecting your compute systems. Hackers are usually not in the business of developing zero day exploits and instead, rely on older known vulnerabilities that remain unpatched in many corporate ecosystems.

#2 Consider upgrading to a newer version of Windows. Although the March patch from Microsoft addressed the known vulnerability in Windows versions all the way back to Windows XP, newer versions of Windows have more advanced security features that can help you protect yourself from this and future attacks. For example, Windows 10 offers a feature called Windows Device Health Attestation that can help prevent untrustworthy devices from gaining access to corporate resources. That’s a very useful capability for organizations with a lot of mobile devices connecting to their systems, especially if they allow employees to use their own devices.

If you have doubts about your ability to manage updates and patches in-house, TierPoint offers an Operating System and Application Management Service that may help you sleep better at night.

#3 Layer on the protection. Updating your security applications is as important as updating your operating system. While Microsoft responds to exposed vulnerabilities in their applications (even proactively searching out potential vulnerabilities), security vendors update their applications to help thwart the latest attacks. Ensuring both are updated provides a double layer of protection. We offer our clients a variety of security services such as threat management, DDoS mitigation, and firewalls that can provide even more protection. This is especially vital for those organizations that need to be concerned about compliance as well as security.

#4 Refresh security policies and training. By now, you’d think everyone would know that they shouldn’t open attachments or click on a link from unknown sources. But, in the chaos of the average workday, it still happens. Verizon reported in 2016 that 30% of phishing emails get opened. To help your employees develop the proper situational awareness, you need to remind them of proper procedures from time to time.

A lot of industry pundits called the WannaCry virus a wake-up call for global businesses. If that’s the case, NotPetya might be the equivalent of the snooze alarm. Thankfully, NotPetya doesn’t appear to be as widespread as WannaCry, but you don’t want to be caught napping when the next attack hits.

Paul Mazzucco, Chief Security Officer, is responsible for all TierPoint corporate security standards regarding physical, information, and network security. He leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI DSS, FISMA and the FedRAMP/NIST Cloud Security standards. Paul joined TierPoint through its 2014 acquisition of Xand, where he served in a similar role. 

Subscribe to the TierPoint blog

We’ll send you a link to new blog posts whenever we publish, usually once a week.