File Encryption, MFT Encryption & Credential Theft
On June 27, 2017 at approximately 10:30 UTC, a new ransomware family began propagating across multiple countries. The family, referred to as NotPetya, is noteworthy because it combines traditional ransomware behavior with stealthy propagation techniques and a destructive attack element. CrowdStrike Falcon® Endpoint Protection customers are protected against all currently identified variants of the threat.
In addition to encrypting files on infected systems, NotPetya moves laterally to encrypt other systems in the organization by leveraging the same EternalBlue vulnerability that was popularized by WannaCry last month. It then uses another propagation technique that starts by stealing credentials, then uses those legitimate credentials to infect other systems on the network via built-in Microsoft tools (WMI and PSEXEC). Finally, NotPetya employs a destructive technique that prevents infected systems from booting by encrypting the master boot record (MBR).
Attacks have been reported in countries including Ukraine, Russia, Poland, France, Germany, Spain, the United Kingdom, the Netherlands, India, Israel, Australia and the United States. Sectors impacted by this attack include government, energy, finance, defense, telecom, media, maritime, aviation, and transportation.
For continued coverage of the NotPetya attack, please see the articles below.
This page is your source for all the latest news and expert analysis concerning recent NotPetya attacks related to data breaches, malware and ransomware facing businesses worldwide. Here, you'll be able to stay up to date on all of the news, updates, analysis, potential concerns and potential steps you can take to protect your business from them.