NotPetya Malware

Published: 12/23/2025

Written by: Lizzie Danielson

What is NotPetya malware?

NotPetya is wiper malware dressed up as ransomware: it displays a ransom note, but it was built to leave the targeted systems and data unrecoverable. First observed in June 2017, it reuses code from the Petya ransomware family (hence the name) but is far more destructive. Once executed, it overwrites the Master Boot Record (MBR) and, after a forced reboot, encrypts the Master File Table (MFT) of the system drive. The "installation key" shown to the victim is random data with no relation to the encryption key, so the disk cannot be recovered even if the ransom is paid. Because it was deliberately designed to inflict widespread damage rather than to collect payments, it is generally classified as a cyber weapon.

When was NotPetya first discovered?

NotPetya was first identified during a global outbreak on June 27, 2017. It began in Ukraine, where it hit banks, energy companies, transport operators and government agencies, and within hours it had spread through the internal networks of multinational companies with Ukrainian offices into their operations worldwide. Early reports described it as a Petya variant; once researchers established that payment could not lead to recovery, the name NotPetya was adopted to distinguish it from the real Petya ransomware.

Who created NotPetya?

The creation of NotPetya is widely attributed to Russia's military intelligence agency, the GRU, and specifically to the unit tracked as Sandworm (GRU Unit 74455). In February 2018 the governments of the United States, the United Kingdom and several allies publicly blamed the Russian military for the attack, and in October 2020 the US Department of Justice indicted six GRU officers for NotPetya and other Sandworm operations. The malware is assessed to have been deployed as part of Russia's broader cyber campaign against Ukraine.

What does NotPetya target?

NotPetya targets Windows systems. Its initial victims were organizations in Ukraine, because the M.E.Doc accounting software it was delivered through is widely used by businesses that file taxes there, but it spread through the corporate networks of multinationals into shipping (Maersk), pharmaceuticals (Merck), logistics (FedEx's TNT Express), food (Mondelez) and construction materials (Saint-Gobain), among others. Total damages were estimated at around $10 billion, making it the costliest cyberattack on record at the time.

NotPetya distribution method

NotPetya's initial distribution was a software supply chain attack: the attackers compromised the update infrastructure of M.E.Doc, a Ukrainian tax and accounting package, pushed backdoored updates to its customers, and used that backdoor to deliver the final payload on June 27. Once inside a network it propagates on its own, with no operator interaction. It exploits the SMBv1 vulnerabilities behind the EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145) exploits, both fixed by Microsoft's MS17-010 update in March 2017, and it runs a Mimikatz-derived module to harvest credentials from memory, which it then reuses with PsExec and WMIC to execute itself on other hosts. The credential path is what let it cross fully patched machines.

Technical analysis of NotPetya malware

NotPetya is delivered as a DLL (commonly named perfc.dat) launched with rundll32.exe through its first export. On execution it first checks for a read-only file in the Windows directory with the same base name as the DLL and exits if it exists; this is the kill switch later used as a "vaccine". Otherwise it overwrites the Master Boot Record (MBR) with its own bootloader, schedules a forced reboot with schtasks typically 10 to 60 minutes later, clears the Setup, System, Security and Application event logs with wevtutil and deletes the NTFS USN journal with fsutil to hinder forensics, and encrypts user files with a fixed list of extensions using AES-128, with the file key wrapped by an embedded RSA public key. In parallel it spreads: it enumerates hosts from the ARP cache, DHCP leases and network neighbors, exploits unpatched hosts with EternalBlue and EternalRomance, and uses credentials pulled from LSASS by its Mimikatz-derived module to launch itself remotely with PsExec (dropped as dllhost.dat) and WMIC. When the machine reboots, the malicious bootloader shows a fake CHKDSK screen while it encrypts the MFT with Salsa20, then displays the ransom note. Because the "installation key" in the note is random and the payment e-mail address was disabled by its provider within hours, there was never a working decryption path; the encryption is in effect a wipe.

Tactics, Techniques & Procedures (TTPs)

  • Exploits EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145) against SMBv1 (patched by MS17-010).

  • Dumps credentials from LSASS with a Mimikatz-derived module.

  • Executes itself remotely with PsExec and WMIC using the stolen credentials, which also works against fully patched hosts.

  • Schedules a forced reboot with schtasks and clears the event logs and USN journal before it.

  • Overwrites the MBR and encrypts the MFT from a custom bootloader, and encrypts targeted files in user mode.

Indicators of Compromise (IoCs)

  • Host artifacts: the DLL, typically C:\Windows\perfc.dat (MD5 71b6a493388e7d0b40c83ce903bc6b04), the PsExec copy C:\Windows\dllhost.dat, a scheduled task that runs shutdown.exe /r /f, and event logs cleared shortly before an unplanned reboot.

  • Network behavior: NotPetya has no command-and-control traffic. The indicators are internal SMB connections on TCP 445 and 139, and PsExec or WMIC remote execution fanning out from one workstation to many peers.

  • Ransom note contact: the address wowsmith123456@posteo.net, which the provider shut down on the day of the outbreak. The domain www.1dnscontrol.com, often listed next to NotPetya indicators, belongs to the October 2017 Bad Rabbit campaign that reused much of NotPetya's code, not to the June 2017 outbreak.
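The following PowerShell is an added example, not code from the original article or from Huntress. It turns the documented TTPs and indicators above into a simple hunt: Test-NotPetyaCommandLine reports which NotPetya behaviours a single process command line matches, and Find-NotPetyaProcessEvents pulls command lines from Security event 4688 (which only carries a command line when command-line auditing is enabled) or Sysmon event ID 1 on the local host. The sample command lines at the end are constructed to follow the documented forms; the IP addresses and account name in them are placeholders.

```powershell
# Added example (not from the original article or Huntress). Patterns are written from
# NotPetya's documented command lines; IP addresses and accounts below are placeholders.

$NotPetyaPatterns = [ordered]@{
    'rundll32 launching perfc.dat export #1'         = 'rundll32(\.exe)?\s.*perfc.*#1'
    'forced reboot scheduled with schtasks'          = 'schtasks.*/Create.*shutdown(\.exe)?\s+/r\s+/f'
    'event logs cleared with wevtutil'               = 'wevtutil\s+cl\s+(Setup|System|Security|Application)'
    'USN journal deleted with fsutil'                = 'fsutil\s+usn\s+deletejournal'
    'PsExec (dropped as dllhost.dat) remote launch'  = 'dllhost\.dat\s+\\\\\S+\s+-accepteula\s+-s\s+-d'
    'WMIC remote process creation with stolen creds' = 'wmic(\.exe)?\s+/node:.*/user:.*/password:.*process\s+call\s+create'
}

function Test-NotPetyaCommandLine {
    # Returns the name of every NotPetya behaviour the command line matches (nothing if none).
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($name in $NotPetyaPatterns.Keys) {
        if ($CommandLine -match $NotPetyaPatterns[$name]) { $name }
    }
}

function Find-NotPetyaProcessEvents {
    # Scans the last $Hours of process-creation events on this host (Security 4688 and Sysmon 1).
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @()
    $events += @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue)
    $events += @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if (-not $cmd) { continue }
        $hits = @(Test-NotPetyaCommandLine -CommandLine $cmd)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Computer    = $e.MachineName
                Indicators  = ($hits -join '; ')
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample command lines (not captured from a real incident), shaped like the documented ones.
$samples = @(
    'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1 30'
    'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42'
    'wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:'
    'C:\Windows\dllhost.dat \\10.0.0.25 -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1 60'
    'wmic.exe /node:"10.0.0.26" /user:"CORP\svc_backup" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'
    'C:\Windows\System32\svchost.exe -k netsvcs'   # benign control line, must not alert
)
foreach ($line in $samples) {
    $hits = @(Test-NotPetyaCommandLine -CommandLine $line)
    if ($hits.Count -gt 0) { 'ALERT  {0}  <-  {1}' -f ($hits -join '; '), $line }
    else                   { 'ok     {0}' -f $line }
}

# Live hunt on this host (elevated shell needed to read the Security log):
# Find-NotPetyaProcessEvents -Hours 72 | Format-Table -AutoSize
```

The patterns are deliberately loose on paths and spacing so that renamed copies of the DLL or PsExec binary still trip the behavioural rules (rundll32 calling export #1, a scheduled shutdown, wevtutil plus fsutil in one line); the benign svchost line shows they do not fire on ordinary service start-ups. On a SIEM the same expressions port directly to a Sigma or KQL rule over the CommandLine field.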

How to know if you’re infected with NotPetya?

A NotPetya-infected machine typically reboots without warning within an hour of infection, shows what looks like a CHKDSK disk repair screen (this is the MFT being encrypted), and then displays a red-on-black ransom note demanding about $300 in Bitcoin together with a "personal installation key" to be e-mailed to a posteo.net address. Before the reboot, files with the targeted extensions become unreadable, the event logs are found cleared, and a scheduled task calling shutdown.exe appears. On the network, a sudden burst of SMB connections and PsExec or WMIC remote executions from a single host to many peers is a strong sign that propagation is under way.

NotPetya removal instructions

Removing NotPetya starts with isolating infected and suspected machines from the network to stop propagation. Machines that are infected but have not yet rebooted should be powered off rather than shut down cleanly: the MFT is only encrypted by the bootloader after the reboot, so their disks can still be imaged and read from a clean system. Paying the ransom is useless, since the contact address was shut down and the key cannot be derived from the displayed ID. Recovery means wiping and rebuilding from known-good images and offline backups, resetting every credential that was present on affected hosts (the malware harvested them), and confirming MS17-010 is installed before anything is reconnected. Services such as Huntress' managed remediation offer expert assistance for restoring operations.

Is NotPetya still active?

NotPetya itself is no longer active: it had no command-and-control infrastructure and was never updated after the outbreak. Its code and techniques were reused within months, most visibly in the October 2017 Bad Rabbit campaign, and its combination of an SMB exploit with credential theft and PsExec or WMIC execution has been a standard worm and ransomware playbook ever since. Unpatched SMBv1 hosts and shared local administrator passwords remain exploitable in exactly the same way.

Mitigation & prevention strategies

Mitigation starts with the patch that predated the attack by three months: MS17-010, which fixed the SMBv1 flaws exploited by EternalBlue and EternalRomance, and disabling SMBv1 altogether wherever nothing depends on it. Because NotPetya also moved with stolen credentials, patched hosts are not enough: avoid shared local administrator passwords (LAPS or an equivalent), keep domain administrator accounts off workstations, and stop Windows from caching cleartext credentials in memory. Segment networks so that SMB, PsExec and WMI are not reachable laterally from workstations, and keep backups offline, since the worm encrypted everything it could reach. Multifactor authentication and user awareness training help against other initial-access paths, but NotPetya arrived through a trusted software update, so third-party software updates belong in the threat model too. Managed detection services like Huntress' 24/7 SOC can identify and neutralize threats similar to NotPetya.
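As an added example (not from the original article or Huntress), the PowerShell below audits the host-level controls described above and can apply them: whether SMBv1 is still enabled, whether WDigest is still caching cleartext credentials in LSASS for a Mimikatz-style module to read, and whether the read-only %SystemRoot%\perfc file (the kill switch found during the outbreak) is present. It assumes Windows 8 / Server 2012 or later for the Smb* and WindowsOptionalFeature cmdlets and an elevated shell; the function names and the -Risk column convention are this example's own. Verifying that MS17-010 itself is installed is left to patch management, because the relevant KB number differs per OS build.

```powershell
# Added example (not from the original article or Huntress). Run from an elevated
# PowerShell on Windows 8 / Server 2012 or later. Function names are this example's own.

$WDigestKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$VaccinePath = Join-Path $env:SystemRoot 'perfc'

function Get-NotPetyaHardeningState {
    # One property per control; $true means the host is still exposed on that point.
    $smb     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $wdigest = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    $vaccine = Get-Item -Path $VaccinePath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # EternalBlue/EternalRomance only work against SMBv1. MS17-010 fixes the bugs;
        # removing the protocol closes the whole class.
        SMB1ServerRisk  = [bool]$smb.EnableSMB1Protocol
        SMB1FeatureRisk = ($null -ne $feature -and $feature.State -eq 'Enabled')
        # UseLogonCredential=1 keeps cleartext passwords in LSASS for credential dumpers.
        # On Windows 8.1 / 2012 R2 and later an absent value means disabled, hence the null check.
        WDigestRisk     = ($null -ne $wdigest -and $wdigest.UseLogonCredential -eq 1)
        # The malware exits if a read-only file with its own base name exists in %SystemRoot%.
        # This stops the known sample only and is no substitute for the controls above.
        VaccineMissing  = -not ($null -ne $vaccine -and $vaccine.IsReadOnly)
    }
}

function Set-NotPetyaHardening {
    # Applies every control Get-NotPetyaHardeningState reports on. SMB1 feature removal
    # completes after a reboot; check first whether old scanners or NAS devices still need SMB1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null

    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -Type DWord

    if (-not (Test-Path $VaccinePath)) { New-Item -Path $VaccinePath -ItemType File | Out-Null }
    Set-ItemProperty -Path $VaccinePath -Name IsReadOnly -Value $true
}

# Usage: audit, remediate only if something is exposed, then re-audit.
$before = Get-NotPetyaHardeningState
$before | Format-List
if ($before.PSObject.Properties.Value -contains $true) {
    Set-NotPetyaHardening
    Get-NotPetyaHardeningState | Format-List
}
```

Run Get-NotPetyaHardeningState across a fleet (for example through Invoke-Command) before touching anything; the SMB1 results in particular tell you which hosts still depend on the protocol and need an application fix rather than a blanket disable.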

FAQs

NotPetya is a highly destructive wiper malware that masquerades as ransomware. It overwrites the MBR and encrypts the Master File Table on infected systems, rendering data unrecoverable, and it spread through a compromised M.E.Doc software update and then laterally via the EternalBlue and EternalRomance SMB exploits and stolen administrative credentials.

NotPetya initially spreads through compromised M.E.Doc software updates and propagates within networks by exploiting the EternalBlue vulnerability and harvesting administrative credentials for lateral movement.

While the original NotPetya is no longer active, its techniques and vulnerabilities remain commonly targeted. Organizations should maintain strong defenses, as variants or similar malware could emerge.

Organizations can protect themselves by patching known vulnerabilities, implementing multilayered cybersecurity measures, enforcing Multi-Factor Authentication (MFA), and deploying endpoint detection services like Huntress to monitor and neutralize threats early.
