Petya or NotPetya, that isn't the question.

A new strain of malware, dubbed “Petya”, has been making its rounds on the internet recently, and it has even hit close to home here in Pittsburgh. Some researchers have named it Petya because they believe it resembles a previous ransomware strain. Other firms, such as Kaspersky Lab, beg to differ and have cleverly named the malware “NotPetya”.

Regardless of the name, this malware exploits the same Windows vulnerability that the prolific WannaCry malware strain used. One of the major differences of this new strain is that it appears to be more destructive in nature, unlike the extortionist nature of the WannaCry strain. The reason it appears more destructive (intentionally or not) is that the payment mechanism (for retrieving the decryption key) was not carefully organized; this leads security researchers to believe that the purveyor of this malware was either inexperienced or had destruction in mind rather than payment. In fact, as of this writing, the single email address displayed by the ransomware, which victims were to use to contact the attackers and transfer the ransom for the decryption key, has been shut down by the provider. This means there is no longer any way for victims to contact the attacker for a decryption key to unlock their computers.

The flaw that this ransomware exploits is an issue in version 1 of Microsoft’s file-sharing protocol, SMB (Server Message Block). The fix is outlined here. If you have systems still using SMBv1, you may also have deeper issues within your network, as this is a vastly outdated protocol. The patch was released in March, well before either of these attacks occurred, which highlights the need for effective patch management processes.
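A practical first step is to find out whether SMBv1 is still enabled on your Windows hosts, and whether anything still depends on it, before turning it off. The following audit script is an added example and is not from the Schneider Downs article; it assumes the SMB cmdlets available on Windows 8 / Server 2012 and later, the optional-feature name SMB1Protocol used on client SKUs, and the documented LanmanServer SMB1 registry value as a fallback for older hosts.

```powershell
# Added example (not from the original post): audit SMBv1 on the local host and,
# only when run with -Disable, turn it off. Run in an elevated PowerShell session.
param(
    [switch]$Disable   # omit to audit only
)

$findings = @()

# 1. Server side: is the SMBv1 dialect enabled on the file-sharing service?
$srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($null -ne $srv) {
    $findings += [pscustomobject]@{ Check = 'SMB server: EnableSMB1Protocol'; Value = $srv.EnableSMB1Protocol }
} else {
    # Older hosts without the SmbShare module: read the documented registry value.
    # An absent value means SMBv1 is enabled (that is the default on those systems).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    $value = if ($null -eq $reg) { 'not set (SMBv1 enabled)' } else { $reg.SMB1 }
    $findings += [pscustomobject]@{ Check = 'SMB server: registry SMB1'; Value = $value }
}

# 2. Is the SMB1 feature package installed at all? (feature name assumed for client SKUs;
#    on hosts where it does not exist the cmdlet returns nothing and the check is skipped)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($null -ne $feat) {
    $findings += [pscustomobject]@{ Check = 'Feature SMB1Protocol'; Value = $feat.State }
}

# 3. Live evidence: sessions that negotiated a 1.x dialect reveal which clients still
#    need SMBv1 and would break if it were disabled without remediation.
$legacy = @(Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' })
$findings += [pscustomobject]@{ Check = 'Active SMBv1 sessions'; Value = $legacy.Count }
foreach ($s in $legacy) {
    $findings += [pscustomobject]@{ Check = "  legacy client $($s.ClientComputerName)"; Value = $s.Dialect }
}

$findings | Format-Table -AutoSize

# Disable only after the audit shows no legacy clients depend on SMBv1.
if ($Disable) {
    if ($null -ne $srv) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    if ($null -ne $feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}
```

Disabling SMBv1 reduces exposure but does not replace the March patch; the two belong together in the same remediation pass.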

This is what an infected machine looks like:

For more information on ransomware and tips to prevent and recover, see a previous article that we published here. To speak to someone about the Petya Virus, contact us. 


© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
