Wouter Hoeffnagel - 28 June 2017

‘NotPetya is more damaging than WannaCry’

More and more information is becoming available about the worldwide NotPetya ransomware attack. Security specialists at CyberArk Labs have found that it spreads mainly via computers whose keyboard does not have a US English layout. It is also now clear that this is indeed a new variant rather than the already known Petya malware, hence the name NotPetya, and that the ransomware is by now more damaging than the recent WannaCry attack.

Kobi Ben Naim, Senior Director of Cyber Research at CyberArk Labs, sets out CyberArk Labs' findings on NotPetya in the following statement (issued in English):

“NotPetya malware is behind what is quickly emerging as another devastating global ransomware incident, one with the potential to be even more damaging than WannaCry. Initially thought to be a strain of the powerful Petya ransomware, NotPetya is spreading using the incredibly efficient infection method used by WannaCry: a worm that quickly spreads the ransomware using the ‘EternalBlue’ SMB vulnerability in Microsoft systems. The combination is potent and has the potential to inflict massive damage on scales we have not witnessed before.

Based on initial analysis by CyberArk Labs, what we know now is that NotPetya is different from WannaCry in that it appears to be sparing endpoints that use a US English-only keyboard. This seemingly self-imposed restriction has been seen in nation state attacks. Like WannaCry, any individual or organization with an unpatched Microsoft system remains vulnerable to the worm. However, the organization would only be protected from the attack method. Our research shows that NotPetya requires administrative rights to execute. So if a user clicks on a phishing link, the ransomware will still infect the network. Like Petya, this new malware is considered especially dangerous because it encrypts the Master Boot Record (MBR), instead of documents and applications, and prevents a user from rebooting. In addition to patching, organizations need to be focused on protecting privileged credentials at the endpoint to avoid them being utilized to execute this attack.

CyberArk Labs is continuing to analyze this malware and will share future updates as they become available.”