The National Health Service has been hit with a targeted wave of ransomware. The Wanna Ransomware [WCry] is believed to be the strain of malware used.
There have been news articles upon news articles about recent ransomware attacks using malware that encrypts the user’s data and asks for Bitcoin in exchange for getting the files back. For the most part, there hasn’t been a lot of variation in the function of the ransomware that has hit the headlines, except for one piece of malware: NotPetya.
NotPetya differentiates itself from the rest of the ransomware crowd by being…not Petya. Or ransomware at all, for that matter. Unlike ransomware, including its namesake, Petya, NotPetya completely overwrites files, making recovery impossible. That doesn’t stop the malware from demanding payment; however, unlike with typical ransomware operations, there is absolutely no hope of recovering your data, payment or not. Research performed by Matthieu Suiche suggests that the code related to the ransom notes, including the generation of ID numbers, is there merely to provide the illusion that recovery is possible should Bitcoins be paid out.
The existence of such wiper malware can perhaps be seen as an inevitability: if malware can encrypt your drives, there is nothing to stop the data from being stolen or wiped completely. There were many similar outbreaks in the late ’90s, when ransomware and particularly wiper malware similar to NotPetya were widespread issues in the IT industry.
The continued existence and proliferation of such attacks should be seen as a cautionary tale for system administrators. Applying updates, putting sensible Software Restriction Policies in place, and performing and testing regular backups will go a long way toward protecting your company from ransomware and wiper malware attacks.
Ensure employees are aware of ransomware and its dangers through regular training and phishing campaigns.
Train employees to question the validity of emails and not to open suspicious, unexpected attachments.
Disable macro scripts within Microsoft Office.
Manage the distribution of privileged accounts. Only use administrative accounts when absolutely necessary.
Have a robust and frequent data backup strategy in place. Ensure backup data isn’t attached to the network. Always keep a backup offsite and offline.
Rename sensitive file extensions to something unique [.doc to .file]. This will prevent ransomware from encrypting the document.