In May 2017, the world got a wake-up call from the widespread WannaCry or WannaCrypt ransomware attack that infected computers and networks in institutions, businesses, and homes across the globe. Thankfully, the rampant damage of the WannaCrypt malware was cut short by its amateurish development, as it was semi-inadvertently mitigated by a built-in kill switch discovered by MalwareTech. The expert advice at the time was clear:
Patch your systems with MS17-010 (and for Pete’s sake, upgrade beyond Windows XP)Use your antivirus software and keep your virus definitions updatedBe wary of suspicious email attachmentsWatch out—they’ll be back
That last bit of advice came true today. Early Tuesday morning, reports of ransomware attacks in Ukraine began trickling in. Then it spread to the rest of Europe and Russia. It even made its way to a hospital in Pittsburgh, PA in the U.S. We are still learning about this new ransomware attack. In fact, the community hasn’t really even settled on a name for it. People have recognized one aspect of it as a known ransomware called Petya. But this malware seems to pack a one-two punch, if not more. So, some are calling it NotPetya. For now, that’s what I’ll call it, too. All that aside, here are the highlights of what is known (Excerpted from Forbes and MalwareTech):
NotPetya uses a similar exploit as WannaCrypt: the EternalBlue vulnerability that infects computers via SMBv1. But it can also infect computers through WMIC and PSExec. So, if you patched during the WannaCrypt attack, you are only half-protected right now.NotPetya will first attempt to encrypt your MFT on your hard drive. This will prevent your computer from booting altogether. If it fails at that, it’ll just go ahead and boot and then encrypt all your files, and demand payment in BitCoin to unlock it. (The pre-boot encryption is Petya, and the post-boot one is Misha.)The message you’ll see is this: “If you see this text, then your files are no longer accessible because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”NotPetya will also scan your computer for credentials–usernames and passwords–and send them to the hacker’s server.Important. Posteo, the email provider for the email address you’re supposed to contact in order to get your decryption key, has already disabled the account. This means there is no way to get your data back by paying the ransom. Don’t pay it.
From the looks of it, NotPetya is a more professional version of WannaCrypt, without the bugs and kill switch. Security experts are still investigating and responding to attacks.
Action you should take now
Ransomware is dangerous because it encrypts all the files on your hard drive and mapped drives. Want your data back? Pay the ransom to the hacker. A better strategy than hope and wait is the backup today strategy. Here at groovyPost, we suggest a set it and forget cloud backup. Our favorite service is Crashplan however Backblaze is OK also. You see, Crashplan protects you against Ransomware because it will backup all your files each time they change. So if you get infected and all your files are encrypted, no worries, kinda. You will need to wipe your hard drive, re-install your OS, re-install Crashplan then restore your files from the previous day/week etc… prior to the files getting infected. I know, not ideal but, better than losing all your files. Over the coming days, the NotPetya story will no doubt continue to develop. The best advice at this point is to ensure you have a solid backup of all your files and, always practice safe online computing. Do you have any information about NotPetya, WannaCry v2, or whatever they are calling it? Tell us about it in the comments. from: bleepingcomputer: “create a file called perfc in the C:\Windows folder and make it read only” Dropbox and OneDrive are great for Syncing your data between devices but, they are not a backup solution. The problem with malware/ransomware and Sync services is that the file will become encrypted/infected and Dropbox and OneDrive will then sync those files up to the Cloud and then back down to your devices. Sure, both Dropbox and OneDrive keep previous versions of your files however, you have to restore them one-at-a-time. Very time consuming and, not a core competency of those services. That’s why I like Crashplan… Yes I know, many will say “Backup locally to a USB drive”. My issue with locals backs is they don’t protect you against fire, theft and HW failures. Crashplan not only does real-time backups, it also encrypts the data before uploading it to the Crashplan data center. That’s called “encryption at rest”. So, they can’t get access to your data. Hopefully, that answers your question Susi (plus a few other questions…) (Smile) Was also windering about point to point encryption services for existing email addresses. Crashplan should be fine. It does encryption at rest and in transit so you will be good. That said, check with your HIPAA privacy officer. For email, what is it you’re trying to do? O365 may be good enough for your small business as they encrypt in transit and at rest as well. But it seems like there is still a risk of infection if another PC on your network has been infected. For example, if there is an old Windows XP or Windows 7 machine with administrator rights on your network, it could spread that way. Microsoft also recently pushed out updates to Windows Defender Antivirus and Microsoft Security Essentials, so make sure you have these products enabled. Comment Name * Email *
Δ Save my name and email and send me emails as new comments are made to this post.
