How NotPetya attacks

GMV, a leading cybersecurity firm, confirms that yesterday’s attack on banks, companies and institutions in Ukraine plus some Spanish-based multinationals is a new type of ransomware attack designed to spread in corporate networks.

Mariano Benito, CISO of GMV Secure e-Solutions, analyzes the latest ransomware attack and argues that it is more complex even than WannaCry or Petya. It is “much more complex and dangerous than the former WannaCry attack because it is designed to be more damaging and has more fall-back options to wreak this havoc”. Dubbed “NotPetya “it can use the same mechanism as wannacry to worm its way from computer to computer (MS17-010) but if this option fails it can then fall back on the automatic inter-computer connection permissions that some companies have set up”. If this fails too, “it can try mining Windows’s centralized administration systems to jump to more computers”.

Another crucial difference, as Benito points out, is the patience and persistence it shows. NotPetya “first tries to infect other network computers and does this insidiously for between 30 and 60 minutes before the final damage shows”. This means, “it is highly likely that network managers will be unable to respond upon first detecting the infection because by then all computers will have been hit”.

Likewise, “infection is also more complete in NotPetya. Whereas wannacry selected files and scrambled them one by one, NotPetya trashes the computer’s whole hard disc at once”.

How does it infect a company? It doesn’t infect by contagion from other infected firms, “unless they are in the same communication network. Each firm has to be infected independently, normally by means of booby-trapped email attachments” explains GMV’s CISO.

The damage caused by NotPetya “could have been greater because it was certainly designed with that in mind”. Luckily, “the spadework with its forerunner WannaCry attack meant that effective preventive measures could be applied in this new case”.