What is NotPetya?

We take a look at the malware that first came to prominence in 2016 and targets Windows-based machines

Graphic showing the NotPetya logo on a laptop

NotPetya is among the most fascinating malware incidents of recent history and came shortly after the infamous WannaCry ransomware outbreak.

Part of the reason why it’s so interesting is due to the way that it spread so rapidly between devices and networks, as well as the far-reaching impact that it had.

This name might cause some confusion, particularly for those aware of the Petya ransomware incident of 2016, which was named after a weapons system in the James Bond classic, GoldenEye.

Petya was a fairly run of the mill ransomware strain that encrypted Windows machines, with hackers demanding payment in Bitcoin for the return of data they'd seized. It was fairly unremarkable, beyond being the first strain to encrypt a victim’s master file table, as opposed to just the files on the drive. Then, however, Petya evolved, with a more powerful strain emerging the following year.

Known as NotPetya, this strain was far more noteworthy due to a few major tweaks that its creators had made. The use of EternalBlue, a Windows Server Message Block (SMB) exploit, in the attack method was among the most alarming features. This is the same exploit that allowed WannaCry to spread so rapidly, but it was combined at the time with password-harvesting tools based on Mimikatz to allow NotPetya to propagate between devices in a wormable fashion - spreading across businesses and corporate networks.

Detections were reported in several major countries including the UK, France, Italy, Germany, Poland, Russia and the US. This updated form of Petya was at its peak in Ukraine, however, with 80% of infections estimated to have occurred there.

Petya vs NotPetya: Other key differences

The other major difference between this ransomware and the earlier instances of Petya was that the initial Petya variants allowed the victim's machines to be decrypted after payment was made. NotPetya did not.

Despite being made to look like a traditional ransomware programme, it turned out that NotPetya had been specifically modified to make it technically impossible to recover the victim's files after the payload had been executed. The malware's splash screen included instructions on how to send a $300 bitcoin payment to a specific address, and an email address to contact the malware's authors, but there were clues (such as a hardcoded rather than dynamically-generated bitcoin wallet address) that the goal was not financial gain.

This made it a wiper' - malware designed purely to indiscriminately cripple or destroy its victims - rather than ransomware. But if the attackers weren't out to make money, then what was their real goal - and why make it look like 'genuine' ransomware? To answer this, we have to look at NotPetya's initial targets and the method in which they were infected.

Where did NotPetya originally come from?

As with any cyber attack, one should bear in mind that attribution is rarely a matter of certainty, and there is always the chance that clues that indicate a certain individual, group or government is responsible may in fact be false flags to disguise the true perpetrator. With that in mind, there is a substantial body of evidence to indicate that NotPetya was actually a politically-motivated cyber weapon deployed by Russia against Ukraine.

The first clue is the initial method that NotPetya used to infect its victims, which is believed to be a compromised piece of Ukrainian tax software called M.E.Doc. This software is extremely widespread throughout Ukrainian businesses, and investigators found that a backdoor in its update system had been present for at least six weeks before NotPetya's outbreak. Later analysis found that the M.E.Doc servers' software had not been updated since 2013, although M.E.Doc's developers claim that they were also victims of the hackers, rather than bearing full culpability.

At the time of the outbreak, Russia was still in the throes of conflict with the Ukrainian state, have annexed the Crimean peninsula less than two years prior. The attack was timed to coincide with Constitution Day, a Ukrainian public holiday commemorating the signing of the post-Soviet Ukrainian constitution. As well as its political significance, the timing also ensured that businesses and authorities would be caught off guard and unable to respond.

The attack also bears significant similarities to earlier attacks on Ukrainian infrastructure such as the BlackEnergy attacks in 2015, as McAfee lead scientist and principal engineer Christiaan Beek told Wired that the malware targeted "energy companies, the power grid, bus stations, gas stations, the airport, and banks", with shipping giant Maersk, food conglomerate Mondelez, and the National Bank of Ukraine among the victims.

The aim, many security professionals suspect, was to wreak as much havoc on Ukraine's economy and infrastructure as possible, while making it look like ransomware in order to capitalise on the residual fervour around WannaCry and throw investigators off the scent. The US, UK, Australian and Ukrainian governments have all accused Russia of orchestrating the attack, although Russia has strenuously denied its involvement.

It's interesting to note that the original Petya malware was named after a fictional Russian cyber weapon, which was intended to be used in retaliation for crimes committed against the Russian people. This may, however, be a coincidence.

What can we learn from NotPetya?

The spread of NotPetya was based in large part on the EternalBlue vulnerability, which has long since been patched. The faulty M.E.Doc software suspected of acting as an infection vector has also been dealt with, and NotPetya is no longer judged to be an active threat. However, it can still teach us some valuable lessons.

Beyond the usual best practice of making sure to apply software updates in a timely manner, the main takeaway from NotPetya is that, when it comes to cyber security, things are rarely as they first seem. Victims should never pay the ransom - as well as encouraging the criminals responsible, it is often no guarantee that you will get your data back anyway.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

Hackers used SonicWall zero-day flaw to plant ransomware
ransomware

Hackers used SonicWall zero-day flaw to plant ransomware

30 Apr 2021
New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
How can you protect your business from crypto-ransomware?
Security

How can you protect your business from crypto-ransomware?

20 Apr 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021