The IT world is reeling again as the latest blast of ransomware sweeps the globe. “Petya” or “NotPetya” (there’s some disagreement) appears to be similar to the “WannaCry” worm we dealt with a couple of months ago, but this one appears to be more aggressive. According to Forbes.com, government-run IT networks in Ukraine (including radiation monitors at the Chernobyl nuclear power facility) have been rendered inoperable, with other ransomware reports coming in from a variety of industries across Europe. We know of at least one hospital here in the United States (Heritage Valley Health System in Beaver, Pennsylvania) reporting a major cyberattack. “NotPetya” has other ways of spreading in addition to the National Security Agency’s “EternalBlue” toolkit that we all patched against between March and May. Patched systems could therefore still be affected if this worm gets a foothold in an organization.
Here at VertitechIT, we treat every report like this with the utmost urgency, but Gerry Gosselin, our Vice President of Engineering, has been monitoring the outbreak since it began and warns against overreaction. “Little is known about Petya at this point; however, there’s a lot of reporting showing the worm is primarily affecting Ukraine. This is particularly unusual since the Internet does not follow country borders. This suggests that this worm has a specific target.”
In the event that the worm continues to spread aggressively, our response is no different from our response to any other attack. Be prepared for such malware by taking the actions we’ve suggested in the past:
- Train users to be wary of email attachments
- Use email security services
- Use virus and malware scanners
- Diligently back up servers and store a copy offsite and off-domain
- Patch, patch, patch, patch frequently and in an automated fashion
- Decommission Windows Server 2003
This ransomware asks users to email an address to receive the unlock key, but that email address has reportedly been shut down, so the ONLY method to recover is from backup. VertitechIT strongly believes that no one should ever pay a ransomware demand, as there’s no guarantee you’d ever receive the key. We treat encrypted files as deleted files. The only recovery is from backup.
It’s early yet and research into this ransomware worm is still underway, but we believe the checklist above is the proper response for this and any malware attack yet to come. Our advice is simple.
Patch on a regular schedule but, most important of all, instruct all staff to be wary of email attachments. When in doubt, revert to that old 20th-century device called the telephone. Call to verify that the attachment is safe to open.
As always, please contact us immediately if your organization falls victim to an attack and know that we are always here to answer any questions you may have.