3aIT Blog


Reports have come flooding in from companies hit by a new strain of ransomware over the past few days. While the attack was concentrated in Ukraine, it affected machines all over the world, including the British advertising agency WPP.

Dubbed "NotPetya", the malware spreads in a similar manner to the "WannaCry" attack that hit the NHS a couple of months ago. Therefore, it was machines set up in a similar manner (largely Windows 7) that have been affected. The attack was also bolstered by compromising a company that provides accountancy software, so that the company's own automatic update mechanism delivered the malware to all of its users. Any machine that ran this update was infected, and the malware then attempted to spread to other machines from there.

However, calling this malware "ransomware" is probably a bit of a misnomer. The sole intent of this attack appears to have been to cause disruption. Typically, once a machine has been hit with ransomware, it encrypts all the files, rendering them inaccessible. Once complete, you are presented with a message demanding payment to regain access to your files (hence "ransomware").

In this case, while the infection itself behaves in exactly this way, and you are ultimately presented with a message along exactly these lines, there appears to have been little to no effort put into actually collecting any money that this might generate. Indeed, the email address given for letting the attackers know that you have paid so they can unlock the files does not work, so paying would be completely pointless, as there is no way your files would ever be unlocked. Additionally, those monitoring the bitcoin address that any payments are sent to have noticed that there has been no attempt to claim this money.

On top of that, once the malware has done its thing, it deletes its own encryption key. This means that even if none of the above were true, it would be impossible for even the authors to recover the files.

Therefore, for anyone that has been hit with this infection, all data that is not backed up elsewhere will be lost forever. Again, this demonstrates the importance of a robust backup strategy. Unless your machine is never connected to the internet and never runs files of unknown origin, it is at risk of an attack of this nature.

That being said, it does seem that the additional security of Windows 10 over Windows 7 has protected users of that operating system from this attack. Of course, the irony of advising everyone to run the latest versions of their software when the source of this attack appears to have been an automatic update is acute. However, this should not discourage users from keeping everything up to date.

Given the obvious effectiveness of these sorts of attacks, do not expect to see an end to them any time soon. The attack on the NHS happened accidentally. Just imagine the sort of disruption that could be caused by a targeted attack on the computers of all essential services within a country. It could well be that the wars of the future are not fought with weapons, but with attacks like these that bring a country to its knees. This problem is not unsolvable, but solving it requires that companies and individuals do not ignore advice provided by professionals because it is too expensive or too much hassle. The eventual cost of the alternative will be far higher.