NotPetya aka GoldenEye ransomware infection

There's no getting around NotPetya/GoldenEye this week.
About 2000 organisations have been impacted, among them the container shipping company Maersk, TNT/FedEx and the pharma company Merck.

The amount of news on this is slightly overwhelming, so I tried to boil it down:

  • It's made to look like the 2016 malware Petya, and uses a few pieces of its code, but has a lot of differences.
  • The initial infections probably happened through phony updates of a Ukrainian tax accounting software called MEDoc.
  • The malware uses the EternalBlue SMB exploit like WannaCry did, but also searches for admin credentials to try and spread laterally through network shares.
  • The ransomware aspect may be a ruse: the focus seems to be on causing damage, which makes it more of a wiper than ransomware.
  • Once you had paid, you needed to e-mail a certain account to get your decryption keys. This account was closed by its provider, Posteo, so even if you want to pay and decrypt, you can't.
  • There are suggestions that you wouldn't be able to decrypt your files anyway because of an error in the malware's code. (source)
  • There is a 'vaccine' of sorts where you can prevent infection by creating a read-only file in your Windows drive called 'perfc'. (source)
  • If you want to read more, this article and this article do a pretty good job.
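As an added example (not part of the original post), here is how the 'perfc' vaccine can be applied and verified from an elevated PowerShell prompt. It assumes the file belongs in the Windows directory (%WINDIR%, normally C:\Windows), which the post only describes as "your Windows drive".

```powershell
# Added example, not from the original post: create the NotPetya 'perfc'
# vaccine file, make it read-only and verify the result.
# Assumption: the malware looks for the file in the Windows directory
# ($env:windir, normally C:\Windows). Run from an elevated prompt.

function Set-PerfcVaccine {
    param(
        # Windows directory; $env:windir resolves to e.g. C:\Windows
        [string]$WindowsDir = $env:windir
    )
    $path = Join-Path $WindowsDir 'perfc'

    # Create an empty file only if it is not already there
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File -Force | Out-Null
    }

    # Set the read-only attribute so the malware's own attempt to write the
    # file fails and it skips this host
    $file = Get-Item -LiteralPath $path -Force
    $file.IsReadOnly = $true
    return $file
}

function Test-PerfcVaccine {
    param([string]$WindowsDir = $env:windir)
    $path = Join-Path $WindowsDir 'perfc'
    if (-not (Test-Path -LiteralPath $path)) { return $false }
    # Both conditions must hold: file exists and is read-only
    return (Get-Item -LiteralPath $path -Force).IsReadOnly
}

$result = Set-PerfcVaccine
if (Test-PerfcVaccine) {
    Write-Output "Vaccine file present and read-only: $($result.FullName)"
} else {
    Write-Warning "Vaccine file missing or writable: $($result.FullName)"
}
```

This only stops this malware's own pre-check on the local machine; it does nothing about the SMB exploit and credential-based lateral movement described above, which still call for patching and limiting admin credentials.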
Dieter Van der Stock