What is NotPetya?
We take a look at the malware that first came to prominence in 2016 and targets Windows-based machines
Part of the reason why it’s so interesting is due to the way that it spread so rapidly between devices and networks, as well as the far-reaching impact that it had.
This name might cause some confusion, particularly for those aware of the Petya ransomware incident of 2016, which was named after a weapons system in the James Bond classic, GoldenEye.
Petya was a fairly run of the mill ransomware strain that encrypted Windows machines, with hackers demanding payment in Bitcoin for the return of data they'd seized. It was fairly unremarkable, beyond being the first strain to encrypt a victim’s master file table, as opposed to just the files on the drive. Then, however, Petya evolved, with a more powerful strain emerging the following year.
Known as NotPetya, this strain was far more noteworthy due to a few major tweaks that its creators had made. The use of EternalBlue, a Windows Server Message Block (SMB) exploit, in the attack method was among the most alarming features. This is the same exploit that allowed WannaCry to spread so rapidly, but it was combined at the time with password-harvesting tools based on Mimikatz to allow NotPetya to propagate between devices in a wormable fashion - spreading across businesses and corporate networks.
Detections were reported in several major countries including the UK, France, Italy, Germany, Poland, Russia and the US. This updated form of Petya was at its peak in Ukraine, however, with 80% of infections estimated to have occurred there.
Petya vs NotPetya: Other key differences
The other major difference between this ransomware and the earlier instances of Petya was that the initial Petya variants allowed the victim's machines to be decrypted after payment was made. NotPetya did not.
Despite being made to look like a traditional ransomware programme, it turned out that NotPetya had been specifically modified to make it technically impossible to recover the victim's files after the payload had been executed. The malware's splash screen included instructions on how to send a $300 bitcoin payment to a specific address, and an email address to contact the malware's authors, but there were clues (such as a hardcoded rather than dynamically-generated bitcoin wallet address) that the goal was not financial gain.
This made it a wiper' - malware designed purely to indiscriminately cripple or destroy its victims - rather than ransomware. But if the attackers weren't out to make money, then what was their real goal - and why make it look like 'genuine' ransomware? To answer this, we have to look at NotPetya's initial targets and the method in which they were infected.
Where did NotPetya originally come from?
As with any cyber attack, one should bear in mind that attribution is rarely a matter of certainty, and there is always the chance that clues that indicate a certain individual, group or government is responsible may in fact be false flags to disguise the true perpetrator. With that in mind, there is a substantial body of evidence to indicate that NotPetya was actually a politically-motivated cyber weapon deployed by Russia against Ukraine.
The first clue is the initial method that NotPetya used to infect its victims, which is believed to be a compromised piece of Ukrainian tax software called M.E.Doc. This software is extremely widespread throughout Ukrainian businesses, and investigators found that a backdoor in its update system had been present for at least six weeks before NotPetya's outbreak. Later analysis found that the M.E.Doc servers' software had not been updated since 2013, although M.E.Doc's developers claim that they were also victims of the hackers, rather than bearing full culpability.
At the time of the outbreak, Russia was still in the throes of conflict with the Ukrainian state, have annexed the Crimean peninsula less than two years prior. The attack was timed to coincide with Constitution Day, a Ukrainian public holiday commemorating the signing of the post-Soviet Ukrainian constitution. As well as its political significance, the timing also ensured that businesses and authorities would be caught off guard and unable to respond.
The attack also bears significant similarities to earlier attacks on Ukrainian infrastructure such as the BlackEnergy attacks in 2015, as McAfee lead scientist and principal engineer Christiaan Beek told Wired that the malware targeted "energy companies, the power grid, bus stations, gas stations, the airport, and banks", with shipping giant Maersk, food conglomerate Mondelez, and the National Bank of Ukraine among the victims.
The aim, many security professionals suspect, was to wreak as much havoc on Ukraine's economy and infrastructure as possible, while making it look like ransomware in order to capitalise on the residual fervour around WannaCry and throw investigators off the scent. The US, UK, Australian and Ukrainian governments have all accused Russia of orchestrating the attack, although Russia has strenuously denied its involvement.
It's interesting to note that the original Petya malware was named after a fictional Russian cyber weapon, which was intended to be used in retaliation for crimes committed against the Russian people. This may, however, be a coincidence.
What can we learn from NotPetya?
The spread of NotPetya was based in large part on the EternalBlue vulnerability, which has long since been patched. The faulty M.E.Doc software suspected of acting as an infection vector has also been dealt with, and NotPetya is no longer judged to be an active threat. However, it can still teach us some valuable lessons.
Beyond the usual best practice of making sure to apply software updates in a timely manner, the main takeaway from NotPetya is that, when it comes to cyber security, things are rarely as they first seem. Victims should never pay the ransom - as well as encouraging the criminals responsible, it is often no guarantee that you will get your data back anyway.