A new ransomware attack which appears to have originated in Ukraine is wreaking havoc with computer networks around the world.
Originally thought to be a strain of the Petya ransomware, initial reports focused on its similarities to WannaCry, which infected computers around the world last month.
However, it emerged that while the malware looked like Petya, it was a different piece of code, with Kaspersky dubbing it “NotPetya”.
Many security researchers are also focusing on the fact that NotPetya uses EternalBlue, a hacking weapon developed by the NSA and leaked online by the Shadow Brokers.
However, that focus overshadows the broader threat the ransomware presents, because EternalBlue is only one of the ways it spreads.
EternalBlue is one of many attack vectors
EternalBlue exploits a vulnerability in the SMBv1 implementation of all versions of Windows, which Microsoft patched in March 2017 (MS17-010).
Due to how serious the WannaCry attack was, Microsoft also released the patch for versions of Windows it no longer supports, such as Windows XP and Windows Server 2003.
With the emphasis on the use of EternalBlue in NotPetya, many commentators suggested that anyone who got infected deserved it.
Simply updating Windows would render EternalBlue useless, and the recent WannaCry attack provided ample warning to IT and network administrators to secure their systems.
However, NotPetya also spreads in ways that do not depend on EternalBlue, which makes it far more dangerous, and the way it got into networks in the first place has raised many questions.
The Ukrainian Cyber Police said on Twitter that the initial infection came through the automatic software update feature built into M.E.Doc, accounting software used by companies that work with the Ukrainian government.
According to The Register, this and other evidence suggests that NotPetya could be a government-engineered virus designed to attack Ukraine, pointing to Russia as a potential culprit.
Of most concern is Kaspersky's report that the ransomware harvests administrator credentials on an infected host and uses them to spread across the local network with a custom tool similar to Mimikatz. This means that a fully patched machine can still be infected if an administrator who has logged on to a compromised machine also has rights on it.
“These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network,” said Kaspersky.
Experts advised administrators to protect their networks by updating all Windows machines, and to consider blocking PsExec from running on computers connected to their network.
They should also disable SMBv1, block outside access to ports 137 and 138 (UDP) and 139 and 445 (TCP), and follow the best practice of not granting network-wide administrator privileges to local administrator accounts, since any credential that is valid on many machines is exactly what NotPetya's lateral movement relies on.
Security researcher Amit Serper of Cybereason also found that creating a specific file in the main Windows directory stops NotPetya from encrypting a machine.
It is recommended that you create the files perfc, perfc.dll and perfc.dat in C:\Windows and mark them read-only to prevent NotPetya from running on that machine. This "vaccine" protects only the machine the files are created on; it is not a network-wide kill switch and is no substitute for patching and credential hygiene.
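The following script is an added example, not code from the article or from any of the researchers it cites, that applies the mitigations above on a single Windows host: it reports and disables SMBv1, adds inbound firewall rules for the NetBIOS and SMB ports, and creates the read-only perfc vaccine files. It assumes Windows 8.1 / Server 2012 R2 or later (so that the SmbShare, NetSecurity and DISM cmdlets are available) and an elevated PowerShell session; the firewall rules are scoped to the Public profile so that domain file sharing keeps working, which you should adjust to your own network. Blocking PsExec is a policy decision (AppLocker or Software Restriction Policies via Group Policy) and is not scripted here.

```powershell
#Requires -RunAsAdministrator
# Added hardening example for the NotPetya mitigations discussed above.
# Assumptions (not from the article): Windows 8.1 / Server 2012 R2 or later,
# run in an elevated session. Review before using on production hosts.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# 1. SMBv1: report the current state, then disable the server-side protocol.
$smb = Get-SmbServerConfiguration
Write-Host "SMB1 currently enabled: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMB1 server protocol disabled.'
}
# On Windows 10 / Server 2016 also remove the optional component (needs a reboot).
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    Write-Host 'SMB1Protocol optional feature removed; reboot required.'
}

# 2. Block NetBIOS (UDP 137-138) and NetBIOS session / SMB (TCP 139, 445)
#    from untrusted networks. Profile 'Public' only; change to suit your network.
$rules = @(
    @{ Name = 'Block inbound NetBIOS (UDP 137-138)';     Protocol = 'UDP'; Ports = @(137, 138) },
    @{ Name = 'Block inbound NetBIOS/SMB (TCP 139,445)'; Protocol = 'TCP'; Ports = @(139, 445) }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Ports -Profile Public | Out-Null
        Write-Host "Firewall rule added: $($r.Name)"
    }
}

# 3. Vaccine: NotPetya exits if C:\Windows\perfc exists (Serper's finding);
#    perfc.dll and perfc.dat are created as well, as the article recommends.
#    Zero-byte files, marked read-only. Protects this host only.
$windir = $env:SystemRoot
foreach ($name in 'perfc', 'perfc.dll', 'perfc.dat') {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
    }
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    Write-Host "Vaccine file present and read-only: $path"
}

# 4. Verify the end state.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'Block inbound*' | Select-Object DisplayName, Enabled, Action
Get-ChildItem -Path (Join-Path $windir 'perfc*') -Force | Select-Object Name, IsReadOnly
```

Run it once per host from an elevated prompt; the SMBv1 feature removal on Windows 10 and Server 2016 takes effect only after a reboot, and the verification output at the end is what you would capture as evidence that the host has been hardened. None of this helps a host whose administrator credentials have already been harvested elsewhere on the network, which is why the credential advice above matters as much as the patch.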