New ransomware attack hits Europe

Ian

Administrator
Airlines, power stations, banks and other businesses have been hit by a new wave of "Ransomware" attacks. Affected PCs will find that the operating system has been encrypted, with demands for a payment to unlock the system. Windows XP - Windows 10 PCs could be vulnerable, so be sure you have installed all current Windows updates and have anti-virus software installed.

This "Petya" cyber-attack has even caused problems at the infamous Chernobyl power station, meaning that radiation levels are now manually performed.

As usual, take care when opening e-mail attachments or other unfamiliar files. The best defence is having a fully patched operating system with AV software installed (even if it's Windows Defender).
 

Ian

Administrator
It looks like you'll get an image like this upon booting if you have been infected:

[Image: DDWXCFWW0AA6pwD.jpg]


Turning your system off at this stage will prevent the encryption from completing, meaning that you can restore the data manually.

Thanks to https://twitter.com/hackerfantastic for the image.
 

Captain Jack Sparrow

Anti-cryptominer
Of course, you should already be patched against the exploits which the ransomware spreads with; NotPetya uses the same NSA exploits that WannaCry used last month to cause worldwide chaos.

However, it's still possible to receive NotPetya by email, malware dropper or malicious drive-by download. Therefore, it pays to take preventative measures:

In the Windows directory (usually C:\Windows\), create the following read-only files:

perfc
perfc.dat
perfc.dll

Source (external link, BleepingComputer)

If the presence of these files annoys you, set these files to hidden.
These files are allegedly how the ransomware's poorly implemented anti-re-infection mechanism works, so by simply creating these read-only files, a potential infection of NotPetya will stop before delivering its payload (at least with the current strain of the ransomware).

There are now unconfirmed reports that a new variant of the ransomware places these files in %ProgramData%. This seems like a quick and dirty workaround to continue targeting those who have discovered the information above. So I'd also recommend doing the same in this location too.

Last night, I used a Group Policy Preferences item to automatically deploy these files to all computers, but if you're not as lucky as me, you can always use a script or batch file.

- Capt. Jack Sparrow.
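
A script of the kind mentioned in the post above, as an added example that is not part of the original thread: it creates the three files as read-only in both the Windows directory and %ProgramData%, and can be re-run safely. The parameter names and the optional `-Hidden` switch are choices made for this example; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Requires an elevated prompt to write to C:\Windows.
[CmdletBinding()]
param(
    # Locations named in the post; %ProgramData% covers the unconfirmed variant.
    [string[]]$Directory = @($env:windir, $env:ProgramData),
    # Optionally hide the files, as the post suggests.
    [switch]$Hidden
)

# File names exactly as listed in the post.
$names = 'perfc', 'perfc.dat', 'perfc.dll'

$results = foreach ($dir in $Directory) {
    foreach ($name in $names) {
        $path = Join-Path -Path $dir -ChildPath $name
        $status = 'AlreadyPresent'
        try {
            # Create an empty file only if nothing is there yet.
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -ItemType File -Path $path -ErrorAction Stop | Out-Null
                $status = 'Created'
            }
            # Enforce the read-only (and optionally hidden) attribute on every run,
            # so a file that was created earlier without it is corrected.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction Stop
            $attrs = $item.Attributes -bor [IO.FileAttributes]::ReadOnly
            if ($Hidden) { $attrs = $attrs -bor [IO.FileAttributes]::Hidden }
            $item.Attributes = $attrs
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Path = $path; Status = $status }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a deployment tool flag machines where a file could not be written.
if ($results.Status -like 'Failed*') { exit 1 }
```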
 