The Trojan, which spread rapidly on Tuesday, is similar to the "Petya" Trojan that appeared in 2016. However, security researchers classify it as a new Trojan and therefore usually refer to it as "NotPetya". Although the Trojan initially gave the impression of being ransomware like "WannaCry", the aim is clearly not to extort a ransom from those affected: the attackers are not even able to decrypt the data again. The suspicion has therefore now been confirmed that the main aim of "NotPetya" is to paralyze companies and cause as much damage as possible.
Among other things, it spreads via the vulnerability in the SMB protocol that was already exploited by "WannaCry". However, further distribution channels have been added. After infecting the first system in a network, the Trojan looks for a domain controller as its next target. There it collects a list of systems in the network, which it then infects one by one. In doing so, it also uses administrator passwords that it has previously tried to capture on the domain controller.
A mechanism has now been found for the currently observed version of "NotPetya" that can prevent infection. The Trojan checks whether certain files exist and aborts execution if they do. Creating these files as a precautionary measure, at least on the domain controllers and on all particularly exposed systems, could therefore protect companies from damage. This file can be used for this purpose.
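The following PowerShell script is an added example and not part of the original article or of the file it links to. It creates the "vaccine" files described above, marks them read-only so they are not trivially removed, and lets an administrator audit a set of hosts for their presence. The article does not list the file names, so the names, the target directory (assumed to be the Windows directory) and the host names used here are placeholders that must be replaced with the values published for the variant being defended against.

```powershell
# Added example: create the files whose presence makes the observed NotPetya
# build abort, and audit remote hosts for them. Run from an elevated prompt.
# PLACEHOLDER_KILLSWITCH_FILE is not a real name; substitute the published one.
function New-KillSwitchFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Placeholder file names; replace with the real kill-switch file names.
        [string[]]$FileName = @('PLACEHOLDER_KILLSWITCH_FILE'),
        # Directory the malware is assumed to check (assumption: Windows directory).
        [string]$Directory = $env:WINDIR
    )
    foreach ($name in $FileName) {
        $path = Join-Path -Path $Directory -ChildPath $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
        }
        elseif ($PSCmdlet.ShouldProcess($path, 'Create empty kill-switch file')) {
            $item = New-Item -Path $path -ItemType File -Force
        }
        else {
            continue   # -WhatIf run: nothing to do for this name
        }
        # Mark the file read-only so an ordinary delete or overwrite attempt fails.
        $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::ReadOnly
        [pscustomobject]@{
            Path     = $path
            Exists   = Test-Path -LiteralPath $path
            ReadOnly = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
        }
    }
}

# Check a list of hosts for the files. Requires PowerShell remoting and
# administrative rights on the targets. Host names below are constructed placeholders.
function Test-KillSwitchFile {
    param(
        [string[]]$ComputerName = @('DC01', 'DC02'),
        [string[]]$FileName = @('PLACEHOLDER_KILLSWITCH_FILE')
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$FileName) -ScriptBlock {
        param([string[]]$names)
        foreach ($n in $names) {
            $p = Join-Path -Path $env:WINDIR -ChildPath $n
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Path     = $p
                Present  = Test-Path -LiteralPath $p
            }
        }
    }
}

# Usage: create the files locally, then audit the domain controllers.
# New-KillSwitchFile -FileName 'PLACEHOLDER_KILLSWITCH_FILE' -Verbose
# Test-KillSwitchFile -ComputerName 'DC01', 'DC02' | Format-Table
```

Deploying the same function through a startup script or Group Policy covers the remaining hosts; the audit function makes the gaps visible, which matters because a single unprotected host reachable from the domain controller is enough for the spreading described above.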
Of course, a new variant that no longer reacts to the presence of these files can be put into circulation at any time, which is why this must not remain the only measure. In any case, IT managers should also check whether all security updates from Microsoft have been installed on all domain controllers and whether appropriate measures have been taken to harden them.