Petya or NotPetya, That is the Question

On the 27th June 2017 a wide scale cyber attack occurred. Encrypting devices throughout 80 companies to a point beyond repair, the White House estimated the attack resulted in $10 billion worth of damages worldwide. 80% of computers infected belonged to Ukrainian organisations, their partnering companies or organisations with offices networked there. The malware spread through M.E.Doc, accounting software used heavily across Ukraine. Cyber experts noted that, although it was more severe and widespread, the attack shared code with a previously identified piece of malware, Petya, prompting them to name this new piece “NotPetya”.



In 2016 Kaspersky Labs detected Petya. The virus targeted Windows computers, spreading through phishing emails containing executable files disguised as PDFs of job candidate resumes, unpacking a malicious dynamic link library (DLL) when granted administrative permission. Compared to the more traditional ransomware technique of encrypting specific files, Petya overwrote the Master Boot Record (MBR), crashing the operating system. Restarting with the modified MBR prevented Windows from loading and instead displayed a fake “check disk operation” screen while the malware executed, encrypting the Master File Table (MFT) used by the New Technology File System (NTFS) to store information about files, so the computer was unable to access them. Once completed, the computer displayed an ASCII ransom note screen demanding a $300 bitcoin payment with instructions to pay to regain access.




While Petya required administrator permissions to execute, soon after its release, variants began integrating companion ransom programs to overcome this limitation. One was Mischa, a more conventional ransomware, which used the Advanced Encryption Standard (AES) algorithm to encrypt specific files without the need for administrator permissions, so you would often see Mischa being installed if Petya wasn’t able to execute. It also created HTML and TXT files instructing users how to pay the ransom. Some organisations were heavily affected, but Petya’s requirement of human interaction meant it could be mitigated by training users to recognise fraudulent emails, and by scanning emails to detect threats and filter executable files.




So what changed that allowed NotPetya to successfully spread throughout a network at speed? The use of the backdoor exploits EternalBlue and Mimikatz gave NotPetya the ability to navigate through a network, finding and accessing vulnerable computers, harvesting administration credentials from them and using those credentials to access even patched computers across the shared network, now encrypting all the files and not just the MBR. EternalBlue exploited a vulnerability (CVE-2017-0144) in Microsoft’s implementation of Server Message Block (SMB), a network protocol allowing users to connect with remote computers and servers across a network. This allowed attackers to send data packets across the network from an unpatched machine containing code to be executed remotely on a patched computer.


Although Microsoft produced a patch when the vulnerability was disclosed, many industrial firms were unable to handle the system downtime required to implement it. The EternalBlue exploit was initially developed by the US National Security Agency (NSA) and was leaked in 2018 by the hacker group “The Shadow Brokers”. Mimikatz is an exploit for Windows that leverages the weakness that an encrypted password and the key to decipher it are both held within a device’s memory. It was soon realised that this flaw could be used to easily access patched machines. As a result, attackers only needed access to one machine to gain access to all computers within the network, which, in combination with EternalBlue, it could achieve at very fast speeds. The director of outreach at Cisco, Craig Williams, described the attack as “the fastest-propagating piece of malware we’ve ever seen. By the second you saw it, your data centre was already gone”. One Maersk IT administrator experienced the attack first hand, recalling that his computer spontaneously restarted, only to look up and watch in rapid succession as every other computer screen around the room also turned black.



The consensus was that the Russian military was responsible for the 2017 attack, since Ukrainian national infrastructure and foreign businesses associated with Ukraine were the primary targets. The NCSC identified that the attack “had indicators of high levels of planning, research, technical capability, and resources”. Furthermore, the goal of the attacks appeared to be disruption rather than financial gain, given the flaws in the ransom payment process. The malware damaged storage drives and was not designed to be decrypted, so victims could not retrieve their data, suggesting the attack was deliberately destructive and the attackers did not care about receiving payments.



Petya’s biggest lesson to the industry is that malware is constantly iterated upon and that industries must be proactive as well as reactive to threats. Even though a piece of malware such as Petya may have seemed easy to mitigate against, variants develop into ones which threaten entire operations in a very short time.



Due to NotPetya’s destructive capability, there is little that can be done after an attack. Therefore, the only real way to protect yourself is to mitigate the threat before an attack occurs. This involves ensuring data cannot be lost by keeping recent and tested offline backups, incorporating secure firewalls, setting strong administrative passwords (and limiting their use), and most importantly ensuring all devices on a network are discovered and patched. If you are worried your operational technology may be susceptible to cyber attacks, we at Awen Collective specialise in OT asset and vulnerability discovery, maximising the security of your networks. Feel free to contact us for a no obligation chat today!
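As an added example (written for this edit, not code from the article or from Awen Collective), the PowerShell check below reports whether a Windows host still exposes the two weaknesses NotPetya chained together: SMBv1 without the MS17-010 fix (EternalBlue) and WDigest credential caching in memory (Mimikatz). The KB list and the registry path are assumptions taken from Microsoft's public guidance; confirm the KB numbers for your OS build before relying on them.

```powershell
# Run in an elevated PowerShell 5.1+ session on the host being audited.
# Assumption: these are the standalone MS17-010 KB ids; on Windows 10 / Server 2016
# and later the fix ships inside cumulative updates, so check the build date instead.
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012606','KB4013198','KB4013429')

function Test-SmbV1Disabled {
    # EternalBlue abuses SMBv1, so it should be off both as an optional feature
    # and in the SMB server configuration (cmdlets may be missing on old hosts).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureOff = (-not $feature) -or ($feature.State -ne 'Enabled')
    $serverOff = $true
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverOff = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    return ($featureOff -and $serverOff)
}

function Test-Ms17010Installed {
    # True if any of the standalone MS17-010 hotfixes is present.
    $installed = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)
    foreach ($kb in $Ms17010Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Get-WDigestCachingState {
    # Mimikatz reads the credentials LSASS keeps in memory. With WDigest's
    # UseLogonCredential = 0 plaintext passwords are no longer cached (assumed
    # registry path per Microsoft's WDigest guidance). An absent value is the
    # secure default only on Windows 8.1 / Server 2012 R2 and later.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $value = (Get-ItemProperty -Path $path -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    if ($null -eq $value) { return 'NotSet (secure default on 8.1/2012 R2+, set 0 explicitly on older hosts)' }
    if ($value -eq 0)     { return 'Disabled' }
    return 'ENABLED - plaintext credentials cached in LSASS'
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    SmbV1Disabled    = Test-SmbV1Disabled
    Ms17010Installed = Test-Ms17010Installed
    WDigestCaching   = Get-WDigestCachingState
} | Format-List
```

Running this across every discovered device, rather than only on the machines you already know about, is what turns the "discover and patch" advice above into something measurable.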

Jake Hearn
Cyber Technologist
LinkedIn Profile