What is NotPetya?

Graphic showing the NotPetya logo on a laptop

NotPetya is among the most fascinating malware incidents of recent history and came shortly after the infamous WannaCry ransomware outbreak.

Part of the reason why it’s so interesting is due to the way that it spread so rapidly between devices and networks, as well as the far-reaching impact that it had.

This name might cause some confusion, particularly for those aware of the Petya ransomware incident of 2016, which was named after a weapons system in the James Bond classic, GoldenEye.

Petya was a fairly run of the mill ransomware strain that encrypted Windows machines, with hackers demanding payment in Bitcoin for the return of data they'd seized. It was fairly unremarkable, beyond being the first strain to encrypt a victim’s master file table, as opposed to just the files on the drive. Then, however, Petya evolved, with a more powerful strain emerging the following year.

Known as NotPetya, this strain was far more noteworthy due to a few major tweaks that its creators had made. The use of EternalBlue, a Windows Server Message Block (SMB) exploit, in the attack method was among the most alarming features. This is the same exploit that allowed WannaCry to spread so rapidly, but it was combined at the time with password-harvesting tools based on Mimikatz to allow NotPetya to propagate between devices in a wormable fashion - spreading across businesses and corporate networks.

Detections were reported in several major countries including the UK, France, Italy, Germany, Poland, Russia and the US. This updated form of Petya was at its peak in Ukraine, however, with 80% of infections estimated to have occurred there.

Petya vs NotPetya: Other key differences

The other major difference between this ransomware and the earlier instances of Petya was that the initial Petya variants allowed the victim's machines to be decrypted after payment was made. NotPetya did not.

Despite being made to look like a traditional ransomware programme, it turned out that NotPetya had been specifically modified to make it technically impossible to recover the victim's files after the payload had been executed. The malware's splash screen included instructions on how to send a $300 bitcoin payment to a specific address, and an email address to contact the malware's authors, but there were clues (such as a hardcoded rather than dynamically-generated bitcoin wallet address) that the goal was not financial gain.

This made it a wiper' - malware designed purely to indiscriminately cripple or destroy its victims - rather than ransomware. But if the attackers weren't out to make money, then what was their real goal - and why make it look like 'genuine' ransomware? To answer this, we have to look at NotPetya's initial targets and the method in which they were infected.

Where did NotPetya originally come from?

As with any cyber attack, one should bear in mind that attribution is rarely a matter of certainty, and there is always the chance that clues that indicate a certain individual, group or government is responsible may in fact be false flags to disguise the true perpetrator. With that in mind, there is a substantial body of evidence to indicate that NotPetya was actually a politically-motivated cyber weapon deployed by Russia against Ukraine.

The first clue is the initial method that NotPetya used to infect its victims, which is believed to be a compromised piece of Ukrainian tax software called M.E.Doc. This software is extremely widespread throughout Ukrainian businesses, and investigators found that a backdoor in its update system had been present for at least six weeks before NotPetya's outbreak. Later analysis found that the M.E.Doc servers' software had not been updated since 2013, although M.E.Doc's developers claim that they were also victims of the hackers, rather than bearing full culpability.


How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation


At the time of the outbreak, Russia was still in the throes of conflict with the Ukrainian state, have annexed the Crimean peninsula less than two years prior. The attack was timed to coincide with Constitution Day, a Ukrainian public holiday commemorating the signing of the post-Soviet Ukrainian constitution. As well as its political significance, the timing also ensured that businesses and authorities would be caught off guard and unable to respond.

The attack also bears significant similarities to earlier attacks on Ukrainian infrastructure such as the BlackEnergy attacks in 2015, as McAfee lead scientist and principal engineer Christiaan Beek told Wired that the malware targeted "energy companies, the power grid, bus stations, gas stations, the airport, and banks", with shipping giant Maersk, food conglomerate Mondelez, and the National Bank of Ukraine among the victims.

The aim, many security professionals suspect, was to wreak as much havoc on Ukraine's economy and infrastructure as possible, while making it look like ransomware in order to capitalise on the residual fervour around WannaCry and throw investigators off the scent. The US, UK, Australian and Ukrainian governments have all accused Russia of orchestrating the attack, although Russia has strenuously denied its involvement.

It's interesting to note that the original Petya malware was named after a fictional Russian cyber weapon, which was intended to be used in retaliation for crimes committed against the Russian people. This may, however, be a coincidence.

What can we learn from NotPetya?

Although not as well-known as it used to be, NotPetya used to dominate the news cycle much like the SolarWinds cyber attack does today. Both are examples of Russian state-backed interference and many recent geopolitical events can be mirrored on the ones involving NotPetya over three years ago. In both cases, the US and UK had worked together in investigating the cyber attacks and publicly blamed the Russian government for being behind the attacks. Despite the accusations, both cases showed the limitations of state’s influence in preventing future attacks and making significant changes to states’ cyber security. However, these cases are not only proof that history likes to repeat itself, but have also taught Russian state-backed hackers that, apart from additional sanctions and a few diplomatic expulsions, Russia can largely get away with cyber attacks on Western countries. In fact, the latest Microsoft ​​Digital Defense Report states that it shows the hackers that “the US Government is still not sure where the red lines are for cyber operations”, which could lead to even more attacks.

The NotPetya attack itself can also teach us that, in the complicated world of cyber security, first impressions are not always factual. Moreover, it can serve as evidence that victims shouldn’t engage with hackers, and should definitely not pay any ransoms. Not only does it present zero guarantees that the data will be recovered, but also provides funding to hacking groups.

Fortunately, the EternalBlue vulnerability, which acted as an infection vector for NotPetya, has long since been patched. However, this doesn’t mean that the number of attacks have subsided: just because one issue seems resolved, doesn’t mean that any organisation is fully safe from ransomware.

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.