NotPetya is a variant of the Petya ransomware, a type of malware that targets Microsoft Windows-based systems. It was first discovered in June 2017 and caused a significant global cyberattack, primarily targeting Ukraine. NotPetya infects the master boot record, encrypts the file system table, and prevents Windows from booting, demanding a Bitcoin payment to regain access to the infected system.
Unlike the original Petya, NotPetya uses the EternalBlue exploit (which is believed to have been developed by the NSA) to take advantage of a vulnerability in Windows’ Server Message Block (SMB) protocol. The NotPetya attack was attributed to the Russian government, specifically the Sandworm hacking group within the GRU, and caused over $10 billion in damages worldwide, affecting numerous global companies and causing widespread disruption.
How does NotPetya work?
NotPetya works by infecting and encrypting computers running Microsoft Windows systems. Here’s a step-by-step explanation of how NotPetya works.
Initial infection
The NotPetya malware is delivered onto a victim’s computer, often through phishing emails or exploiting software vulnerabilities. In the 2017 attack, it was suspected to be spread through a Ukrainian tax preparation program, M.E.Doc, via its software update mechanism.
Exploiting EternalBlue and other methods
NotPetya uses the EternalBlue exploit, which targets a vulnerability in the Windows Server Message Block (SMB) protocol. This allows the malware to spread rapidly across a network. It also employs other propagation methods like PsExec, WMI, and EternalRomance to infect other systems within the same network.
Infecting the Master Boot Record (MBR)
Once inside a system, NotPetya infects the computer’s master boot record (MBR), which is a crucial part of the system responsible for starting the operating system. This infection allows the malware to take control of the entire system.
Encryption
NotPetya encrypts the Master File Table of the NTFS file system on the infected computer. This prevents Windows from accessing the files or booting the system. The encryption key is generated using a randomly generated string and the victim’s machine ID.
Ransom demand
After the system is encrypted, the malware displays a ransom message on the victim’s screen, informing them that their files have been encrypted and demanding a payment in Bitcoin to regain access to their files and system.
Deleting data
Unlike traditional ransomware, it is believed that NotPetya is designed mainly for destruction rather than financial gain, as its encryption routine does not store the necessary information for decryption. This means that even if a ransom is paid, it is probably impossible to recover the encrypted data.
In summary, NotPetya works by infiltrating a computer system, exploiting vulnerabilities to infect the MBR, encrypting the file system, and demanding a ransom payment, all while causing significant destruction and disruption.
Who and what was affected by NotPetya?
The NotPetya attack in June 2017 had a widespread impact across various countries and sectors, with Ukraine being the primary target, accounting for around 80% of all infections. Several prominent multinational companies and industries were affected, causing significant operational disruption and resulting in substantial financial losses. Here are some of the notable companies and organizations affected by NotPetya:
- Maersk Line: The world’s largest container shipping company faced significant operational disruptions, estimating losses of approximately $200 million to $300 million.
- Merck & Co.: The American pharmaceutical company suffered disruptions and financial losses, with damages estimated at around $870 million.
- Rosneft: Russia’s largest oil producer experienced temporary disruptions to its oil production and some of its IT systems.
- WPP: The British multinational advertising and public relations company faced disruptions to IT systems across multiple subsidiaries and locations.
- DLA Piper: The global law firm encountered disruptions to its communication and IT systems, impacting operations in multiple countries.
- Saint-Gobain: The French multinational corporation faced a severe impact on its operations and losses.
- Beiersdorf: The German personal care products manufacturer suffered significant losses due to NotPetya.
- DHL: The global logistics company faced disruptions in its operations in some countries, including Ukraine.
- Mondelez International: The American multinational food and beverage company suffered significant damages.
- Heritage Valley Health System: The Pennsylvania-based healthcare provider faced disruptions to its operations, including surgeries and appointments.
Apart from these companies, various sectors in Ukraine, such as the government, financial institutions, energy providers, transportation, and infrastructure, were adversely affected. The malware also compromised the radiation monitoring system at the Chernobyl Nuclear Power Plant, leading to offline monitoring for a brief period.
Overall, the NotPetya attack had severe consequences for numerous businesses worldwide, leading to an estimated total of over $10 billion in global damages and highlighting the destructive potential of cyberattacks.
What was the impact of NotPetya?
The NotPetya malware had a considerable impact on various levels, including economic, operational, and cybersecurity aspects. Some of the major impacts include:
Economic losses
NotPetya led to significant financial losses for the affected companies and countries. The total estimated global economic damage exceeded $10 billion. Many companies suffered operational disruptions and loss of revenue, while also incurring additional costs due to recovery efforts and system restoration.
Operational disruptions
Organizations from different sectors, including shipping, pharmaceuticals, oil and gas, manufacturing, and logistics, experienced delays, communication failures, and system outages. These disruptions had a cascading effect across the global supply chains, affecting numerous businesses and economies.
Increased cybersecurity awareness
The NotPetya attack served as a wake-up call for businesses and governments, highlighting the importance of robust cybersecurity measures and driving them to allocate more resources towards enhancing their cyber defenses and preparedness.
Insurance implications
The NotPetya attack led to a significant dispute between Mondelez International and its insurer, Zurich, regarding the coverage of losses caused by a cyberattack considered an act of war. This case has implications for the insurance industry, as it raises questions about the scope of coverage for cyber insurance and government-sponsored cyberattacks.
Geopolitical tensions
The attribution of the NotPetya attack to the Russian government, specifically the Sandworm hacking group within the GRU, intensified geopolitical tensions between Russia and countries like the US, UK, Canada, and Australia. This further highlighted the role of nation-state actors and cyber warfare in the global political landscape.
Policy and regulatory changes
The NotPetya attack reinforced the need for policymakers and regulators to address cybersecurity threats and establish clearer guidelines for cyber insurance, private sector security, and the role of government in supporting cyberattack victims.
In summary, the impact of NotPetya was multifaceted, causing severe economic losses, operational disruptions, heightened cybersecurity awareness, insurance implications, geopolitical tensions, and policy debates. The attack’s scale and consequences emphasize the importance of a collective effort by businesses, governments, and individuals to mitigate and prepare for future cyber threats.
How do you protect against NotPetya?
Protecting against NotPetya, or similar ransomware attacks, requires a combination of proactive measures and best cybersecurity practices. Here are some steps to protect your systems and data from NotPetya and similar threats:
Install security patches
Ensure that all software, operating systems, and applications are up-to-date with the latest security patches. In particular, install the patches released by Microsoft addressing the EternalBlue vulnerability in Windows’ Server Message Block (SMB) protocol.
Use antivirus software
Install and regularly update reliable antivirus programs, and enable real-time scanning to detect and block ransomware and other malicious software.
Implement a firewall
Set up a strong firewall to monitor and control incoming and outgoing network traffic. This can help prevent unauthorized access to your systems.
Backup data
Regularly backup your important files and data to an external storage device or cloud storage. Ensure that your backups are not connected to the main system at all times so that they remain unaffected by any potential attack.
Disable macros and scripts
Disable macros and scripts in Microsoft Office documents, as they can be used to deliver and execute malware payloads.
Restrict administrative privileges
Limit user permissions and access rights to restrict the potential actions and damage that malware can cause. Grant administrator rights only to necessary users.
Implement network segmentation
Segment your network, separating critical systems and data from less important ones. This can reduce the potential spread of ransomware and other malware.
Train employees
Provide cybersecurity education and training for employees to help them identify phishing emails, suspicious websites, and other potential threats. Encourage them to report any suspicious activities or incidents immediately.
Implement email security
Use email security measures such as spam filters, email authentication, and content scanning to reduce the chances of receiving malicious emails and attachments.
Create read-only files
As a specific prevention measure for NotPetya, create read-only files named “perfc” and/or “perfc.dat” in the Windows installation directory. This could prevent NotPetya’s payload from executing.
Remember that no method can offer complete protection from all potential threats. However, by applying these best practices and maintaining good cyber hygiene, you can significantly reduce the risk of falling victim to NotPetya and other ransomware attacks.