What is NotPetya?
We take a look at the malware that first came to prominence in 2016 and targets Windows–based machines
Coming hot on the heels of the notorious WannaCry ransomware outbreak, NotPetya is one of the more interesting malware incidents in recent memory. Part of this is because of its rapid spread and widespread impact, and part of is the intention behind its release.
To Petya or to NotPetya? That is the question
NotPetya may initially seem like a slightly confusing name - especially if you're also aware of the Petya ransomware which did the rounds in 2016. For those that may not remember, Petya (named after a weapons system in GoldenEye) was a fairly straightforward ransomware, encrypting Windows systems in exchange for bitcoin payments. While it was notable for being the first major ransomware to encrypt the victim's master file table rather than simply the files on the drive, it was otherwise relatively unremarkable.
A much more noteworthy version appeared the following year, in June 2017. Although infections were reported in the United Kingdom, France, Italy, Germany, Poland, Russia and the US, this new version of the Petya ransomware is believed to have originated in Ukraine, where 80% of infections were estimated to have occurred [ESET LINK].
This malware used the same basic payload as Petya, with a few tweaks that made it unique - hence the name NotPetya. One was the use of EternalBlue, a Windows Server Message Block exploit that was leaked by the Shadow Brokers and believed to have been . This is the same exploit that allowed WannaCry to spread like wildfire and, in combination with password-harvesting tools based on Mimikatz, it allowed NotPetya to worm its way from machine to machine within a network.
Slash and burn
The other major difference between this ransomware and the earlier instances of Petya was that the initial Petya variants allowed the victim's machines to be decrypted after payment was made. NotPetya did not.
Despite being made to look like a traditional ransomware program, it turned out that NotPetya had been specifically modified to make it technically impossible to recover the victim's files after the payload had been executed. The malware's splash screen included instructions on how to send a $300 bitcoin payment to a specific address, and an email address to contact the malware's authors at, but there were clues (such as a hardcoded rather than dynamically-generated bitcoin wallet address) that the goal was not financial gain.
This made it a wiper' - malware designed purely to indiscriminately cripple or destroy its victims - rather than ransomware. But if the attackers weren't out to make money, then what was their real goal - and why make it look like genuine' ransomware? To answer this, we have to look at NotPetya's initial targets and the method in which they were infected.
From Russia with love
As with any cyber attack, one should bear in mind that attribution is rarely a matter of certainty, and there is always the chance that clues which indicate a certain individual, group or government is responsible may in fact be false flags to disguise the true perpetrator. With that in mind, there is a substantial body of evidence to indicate that NotPetya was actually a politically-motivated cyber weapon deployed by Russia against Ukraine.
The first clue is the initial method that NotPetya used to infect its victims, which is believed to be a compromised piece of Ukrainian tax software called M.E.Doc. This software is extremely widespread throughout Ukrainian businesses, and investigators found that a backdoor in its update system had been present for at least six weeks before NotPetya's outbreak. Later analysis found that the M.E.Doc servers' software had not been updated since 2013, although M.E.Doc's developers claim that they were also victims of the hackers, rather than bearing full culpability.
At the time of the outbreak, Russia was still in the throes of conflict with the Ukrainian state, have annexed the Crimean peninsula less than two years prior. The attack was timed to coincide with Constitution Day, a Ukrainian public holiday commemorating the signing of the post-Soviet Ukrainian constitution. As well as its political significance, the timing also ensured that businesses and authorities would be caught off guard and unable to respond.
The attack also bears significant similarities to earlier attacks on Ukrainian infrastructure such as the BlackEnergy attacks in 2015, as McAfee lead scientist and principal engineer Christiaan Beek told Wired that the malware targeted "energy companies, the power grid, bus stations, gas stations, the airport, and banks", with shipping giant Maersk, food conglomerate Mondelez, and the National Bank of Ukraine among the victims.
The aim, many security professionals suspect, was to wreak as much havoc on Ukraine's economy and infrastructure as possible, while making it look like ransomware in order to capitalise on the residual fervour around WannaCry and throw investigators off the scent. The US, UK, Australian and Ukrainian governments have all accused Russia of orchestrating the attack, although Russia has strenuously denied its involvement.
It's interesting to note that the original Petya malware was named after a fictional Russian cyber weapon, which was intended to be used in retaliation for crimes committed against the Russian people. This may, however, be a coincidence.
What can we learn from NotPetya?
The spread of NotPetya was based in large part on the EternalBlue vulnerability, which has long since been patched. The faulty M.E.Doc software suspected of acting as an infection vector has also been dealt with, and NotPetya is no longer judged to be an active threat. However, it can still teach us some valuable lessons.
Beyond the usual best practice of making sure to apply software updates in a timely manner, the main takeaway from NotPetya is that, when it comes to cyber security, things are rarely as they first seem. Victims should never pay the ransom - as well as encouraging the criminals responsible, it is often no guarantee that you will get your data back anyway.
Four cyber security essentials that your board of directors wants to know
The insights to help you deliver what they needDownload now
Data: A resource much too valuable to leave unprotected
Protect your data to protect your companyDownload now
Improving cyber security for remote working
13 recommendations for security from any locationDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now