NotPetya Spectrum Report: Threat, Vulnerability, Attack and Impact (TVAI)

7 min readMar 19, 2022

Waking up to phones ringing incessantly and numerous urgent emails flooding executive inboxes with paralyzed corporations seeking answers. For many, this was their nightmare the morning of June 27, 2017, when NotPeyta infected a software supply chain in Ukraine called M.E.Doc (MeDoc), a tax accounting software. The infection spread quickly to numerous businesses and more than 60 countries. This cyberattack changed the world’s perception of destructive cyberattacks.

NotPetya malware is a variant from a family of ransomware under Petya. As the name says, NotPetya is “not” Petya, but a variant of Petya with a different objective to wipe and destroy user data. Petya is a family of encryption ransomware with multiple variants, each with its own destructive missions and goals.

NotPetya made its debut in 2017 when it targeted the Ukraine company MeDoc, and since then, more victims have suffered due to this malware. The malware was first seen in the wild in 2016 and initially attributed to Janus Cybercrime Solutions, then in 2017 attributed to the Sandworm Team, a destructive threat group operated by Russia’s General Staff Main Intelligence Directorate (GRU) military unit 74455 (MITRE, 2022).

Threat Groups Using NotPetya

Researchers believe that Sandworm Team is Russia’s most destructive cyber gang; other aliases include Unit 74455, Voodoo Bear, BlackEnergy, Iron Viking, and Telebots. MITRE states this group has been active since at least 2009, and it works closely with another GRU-affiliated unit called Unit 26165, known as APT28 or Fancy Bear (MITRE, 2022). Analysts believe that some of the Sandworm Team’s cyberattacks received assistance from APT28. Table 1 depicts some of the more significant known attacks attributed to the Sandworm Team.

Table 1

Sandworm Team Cyberattacks

It is important to note that attributing attacks to specific cyber actors and/or nation-states is challenging and not always absolute. Attribution takes substantial time with significant corroborating evidence resources, and even then may not be 100%. It is believed that NotPeyta was created by the GRU and weaponized for global operations. Researchers have not seen other nation-states or cyber gangs using the malware in their campaigns.

Primary Use of NotPeyta

Most of the Petya variants are ransomware. NotPetya, however, looks like traditional ransomware but instead a destructive wiper. Peyta is a typical run of the mil ransomware designed to encrypt machines then demand bitcoin ransom for the decryption key. With NotPetya, even if victims pay the ransom, it is technically impossible to retrieve their data because it is likely corrupted, unretrievable, or destroyed.

It is suspected that NotPetya was created as a politically-motivated cyber weapon for Russia’s global cyberattacks, with a focus on Ukraine. Analysts believe the motivation is not financial gain because the threat actors use hardcode rather than dynamic bitcoin wallet addresses and do not provide a successful way for victims to send payment. Instead, the motivation is to cause significant destruction by crippling or destroying its victims’ reputation and/or infrastructure.

There is some speculation on why NotPetya was concealed as ransomware. One conclusion is to confuse researchers while wreaking havoc on Ukraine’s economy while using EternalBlue to attribute it to the month prior cyber-attack of WannaCry ransomware. (WannaCry ransomware used EnternalBlue to exploit networks) There is no concrete evidence that Russia was intentionally masquerading NotPeyta as ransomware, this speculation by researchers.

Alignment with MITRE ATT&CK

Some researchers believe that Russia attempted to attribute the MeDoc cyber-attack to WannaCry because of EtneralBlue, and similar to WannaCry, NotPetya attacks Windows Operating Systems. The EnternalBlue is a Windows Server Message Block (SMB) exploit. NotPetya combines SMB with Mimikatz, a password-harvesting tool to move laterally and propagate between devices in a worm-like fashion. This allowed faster spread across corporations and affiliates networks.

Figure 2 provides a visual representation of NotPetya malware entering the network through the MeDoc service. The malware then executes and extracts relevant components to disks, including PsExec (Network remote execution tool) and a credential dumping tool. Eventually, the malware exploits the SMB vulnerabilities of EnternalBlue (CVE-2017–0144) and EternalRomance (CVE-2017–0145) to exploit then move laterally to encrypt and destroy data.

Figure 2

NotPetya: Exploitation and Lateral Movement (Microsoft, 2017)

Once NotPetya is active on the machine, it overrides the Master Boot Record (MBR), causing it to crash. After the host machine reboots, the user sees the “chkdsk” screen masquerading as a repair screen. At this time, the malware encrypts all the user files. Next, there are instructions for the user to send a BitCoin payment to an email address which is hard-coded to webmail that was shut down, making it impossible to pay the ransom.

Figure 3

Example Fake chkdsk Screen

There is no way for victims to send money and receive a decryption key. Experts believe that the cyber gang’s motivations are not financial gain but data destruction by means of crypto-shredding (Nielsen, 2017). Table 2 visually depicts the Tools and techniques used within the malware.

Table 2

MITRE NotPetya Tools and Techniques (MITRE, 2022)

NotPeyta is a variant of Petya. At this time, there are no known variants of NotPeyta; however, many variants of Petya malware spawned the creation of NotPetya. As seen above, over a dozen different tactics, techniques, and procedures (TTP’s) are deployed by this malware.

Who & What is Vulnerable to NotPetya

The conditions on the Ukraine network that allowed NotPeyta to spread quickly persist in many organizations today. A key concern is the unmanaged networks that cannot patch or lack visibility to identify vulnerable machines. Patching is a primary concern for many organizations, and maintaining patching can be burdensome. ServiceNow conducted interviews with over 3,000 security professionals and determined that 60% of breaches in 2019 were connected to a security vulnerability that could have been mitigated by proper patch management (Brady, 2019).

Vulnerability management is essential for all organizations to maintain good cyber hygiene. Two months before the breach on MeDoc, there was a patch issued for EternalBlue. Poor vulnerability management left MeDoc highly vulnerable to this large-scale attack.

Network segmentation provides solutions to organizations to isolate portions of networks allowing better access control. Segmentation can help organizations contain and limit damages if attacked by NotPetya. Poor network segmentation allows NotPetya to spread quickly. However, less than one in five companies are willing to implement network segmentation because of perceived complexities (Lemos, 2019).

Intent and Recent Attacks

Andy Greenberg at Wired declared in August of 2018 that the 2017 attack was “an act of cyberwar by almost any definition,” which really encapsulates how much damage and destruction this malware caused (Wired, 2018). The total estimated damages of this malware are more than $10 billion. It has brought down power plans, banks, metro systems, and the world’s largest container shipping company Maersk.

Five years after the historical NotPetya attack, NotPetya is still a threat. To date, there have been no large-scale attacks using this malware. Some are attributing NotPetya and Russia to the most recent cyberattacks in Ukraine.

In January 2022, researchers believe this malware impacted the machines of government agencies and related organizations within Ukraine (Wired, 2022). The machines were locked up and displayed a ransom demand of $10,000 in bitcoin. Upon further review of the hard drives, they were already corrupted and unable to restore any data even with an encryption key. This case is still under investigation, and no substantial attribution has been announced against NotPetya or Russia.

Potential Trust Relationships Compromised

Researchers say that MeDoc was vulnerable since 2013 due to poor patch management (Campanu, 2013). The software was backdoored three times, while a known patch was available for EtnernalBlue to prevent or at least mitigate the NotPetya attack.

It appears that the company MeDoc is no longer operating, or they changed their corporate name. Possible rebranding was done to rebuild brand integrity and reputation.

Final Thoughts and Conclusions

The significance that NotPetya is created to wipe and destroy data could significantly impact the healthcare industry. At this time, there is no evidence that the Sandworm Team will target healthcare. Their focus is industrial controls systems, electrical and power generators. As mentioned above, the GRU created the malware for global operations focused on Ukraine.

CISA provides insights on cybersecurity measures to protect against NotPetya.

References

Brady, J. (2019, October 29). ServiceNow research shows that despite the increase in cybersecurity spending, breaches increased in 2019. Www.businesswire.com. https://www.businesswire.com/news/home/20191029005304/en/ServiceNow-Research-Shows-Increase-Cybersecurity-Spending-Breaches

CISA. (2018, February 15). Petya Ransomware | CISA. Www.cisa.gov. https://www.cisa.gov/uscert/ncas/alerts/TA17-181A

Department of Justice. (2020, October 19). Six Russian GRU officers charged in connection with the worldwide deployment of destructive malware and other disruptive actions in cyberspace. Www.justice.gov. https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and

Greenberg, A. (2022, January 16). Destructive hacks against Ukraine echo its last cyberwar. Wired. https://www.wired.com/story/russia-ukraine-destructive-cyberattacks-ransomware-data-wiper/

Microsoft. (2017, October 3). Advanced Threat Analytics security research network technical analysis: NotPetya. Microsoft Security Blog. https://www.microsoft.com/security/blog/2017/10/03/advanced-threat-analytics-security-research-network-technical-analysis-notpetya/

Lemos, R. (2019, December 18). Few firms use segmentation, despite security benefits. Dark Reading. https://www.darkreading.com/application-security/few-firms-use-segmentation-despite-security-benefits

MITRE. (2017). NotPetya | MITRE ATT&CKTM. Mitre.org. https://attack.mitre.org/software/S0368/

Neilsen, A. (2017, July 3). From ransomware to wipeware: How NotPetya is changing the threat landscape. Druva. https://www.druva.com/blog/ransomware-wipeware-how-notpetya-is-changing-threat-landscape/#:~:text=NotPetya%20works%20by%20overwriting%20the