Answers to how the NotPetya Ransomware is infecting systems and spreading, and how you can combat it

By Souti Dutta

July 3, 2017

Key Takeaways from This Article


  • A new breed of ransomware known as NotPetya/SortaPetya/Petnahas is spreading rapidly
  • NotPetya is among the most hazardous ransomware strains in cyber history
  • Ukraine appears to be the most impacted from the attack
  • NotPetya and WannaCry display a few similar attributes
  • There is a vaccine that can block encryption – currently effective on the NotPetya version


A sudden outbreak of Petya-like ransomware dubbed NotPetya/SortaPetya/Petnahas has triggered a wave of panic across Europe and is spreading to the United States. The UK, Ukraine, Italy, the Netherlands, Spain, and Denmark are probably the most impacted. The Petya or NotPetya ransomware Trojan is a Ransomware-as-a-Service (RaaS) malware family and was first identified in 2016. The attackers have demanded $300 in Bitcoin in exchange for the decryption key, and have left the email ID wowsmith123456[@] as part of the contact details.

Victims So Far

Anton Gerashchenko, an aide to the Ukrainian Interior Minister, has stated that this infection is “the biggest in Ukraine’s history.” The attack has spread across industries. Kievenergo, a utility company, turned off all of its computers after Petya breached its network. Another power company, Ukrenergo, has also reported that it has been affected by the malware. Ukraine’s Central Bank has issued a warning on its website that several banks within the country have also been targeted by the threat actors. The Ukrainian deputy prime minister, Pavlo Rozenko, tweeted an image of a black computer screen, stating that the entirety of the government’s computer systems had been shut down because of the Trojan.

The malware distribution has also reached entities in Denmark and France. The Danish conglomerate Maersk has stated that its customers are unable to use its online booking systems and that its internal systems are offline.

Saint-Gobain, a French manufacturing company, has also released a statement discussing that they too have been affected by Petya.

New Petya Variant Mimicking WannaCry

Based on a few captured NotPetya samples, we’ve concluded that the author of this Petya variant has taken inspiration from the WannaCry epidemic that we witnessed in the month of May. However, unlike WannaCry, Petya encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that limits its victims’ access to the ransom note alone and prevents the infected computers from booting. Because of this, Petya can be considered more dangerous and intrusive than WannaCry or any other ransomware strain.

NotPetya mimics WannaCry heavily in terms of the added SMB exploit functionality, which allows Petya to spread across the local area network. Security researchers have confirmed that a modified version of ETERNALBLUE has been used, as in WannaCry, targeting the vulnerabilities addressed in MS17-010.

Other than ETERNALBLUE, a remote code exploit known as ETERNALROMANCE has also been found in the current strains of NotPetya.

How Does Petya Infect?

Infection Routes

It appears that NotPetya took two distinct routes to gain access to systems:

  • Route 1: A malicious software update for popular Ukrainian accounting software is the first source of infection. The software is known as M.E.Doc. According to various sources, an unknown attacker compromised M.E.Doc’s update server and later pushed a malicious .DLL file as an update. Once the update reached clients’ systems and executed, it initiated the further infection and spreading phases.
  • Route 2: The other, same-old malspam routes that we are noticing are:
    • Weaponised MS-Office docs (mostly RTF) delivered to the Inbox – these documents carry exploits for the vulnerability addressed in CVE-2017-0199.
    • Once opened and approved to execute, the malicious HTA handler downloads and runs the NotPetya installer.
    • It later initiates the SMB worm module (utilising WMI and PSEXEC) and spreads to new computers on the same network.

Infection Phases

The NotPetya ransomware waits 10-60 minutes after infection before initiating a system reboot. Encryption of the MFT starts once the system reboots. During this phase the existing MBR is overwritten with a customised bootloader, which presents the ransom note to the victim.

Infection Spreads

After a successful encryption, the worm module activates and starts enumerating all available network adapters. Next, it ascertains all known server names via NetBIOS and the current DHCP leases (if available). It probes every IP address on the local network for open TCP ports 445 and 139. Machines that have these ports open are infected by copying the ransomware module from the originally infected system.

The ransomware also uses a tweaked edition of the Mimikatz tool, which arms the malware to extract network administrator credentials from the machine’s primary memory. In the event the Trojan is unable to exploit the SMB-related vulnerabilities, it runs this tool to capture credentials and then uses PsExec and WMIC to execute on other machines and infect them.
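The network behaviour described above (one newly infected host probing every neighbour on TCP 445/139 within minutes) is visible in host firewall logs. The following is an added example, not code from the original post: a PowerShell function that flags any source hitting many distinct hosts on those ports inside a short window, run over constructed lines in the Windows Firewall pfirewall.log field order.

```powershell
# Constructed sample of Windows Firewall log lines (pfirewall.log field order); not real traffic.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-06-27 14:03:11 DROP TCP 10.0.0.25 10.0.0.31 49812 445 52 S 1234567 0 8192 - - - RECEIVE
2017-06-27 14:03:11 DROP TCP 10.0.0.25 10.0.0.32 49813 445 52 S 1234568 0 8192 - - - RECEIVE
2017-06-27 14:03:12 DROP TCP 10.0.0.25 10.0.0.33 49814 139 52 S 1234569 0 8192 - - - RECEIVE
2017-06-27 14:03:12 DROP TCP 10.0.0.25 10.0.0.34 49815 445 52 S 1234570 0 8192 - - - RECEIVE
2017-06-27 14:03:13 DROP TCP 10.0.0.25 10.0.0.35 49816 445 52 S 1234571 0 8192 - - - RECEIVE
2017-06-27 14:03:13 DROP TCP 10.0.0.25 10.0.0.36 49817 445 52 S 1234572 0 8192 - - - RECEIVE
2017-06-27 14:05:40 ALLOW TCP 10.0.0.7 10.0.0.10 51000 445 52 S 2234567 0 8192 - - - RECEIVE
2017-06-27 14:20:02 ALLOW TCP 10.0.0.7 10.0.0.11 51001 445 52 S 2234568 0 8192 - - - RECEIVE
'@

function Find-SmbSweeps {
    param(
        [string[]]$Lines,
        [int]$WindowSeconds = 60,   # how quickly the distinct targets must be hit
        [int]$MinTargets    = 5     # distinct destination hosts that count as a sweep
    )
    $events = foreach ($line in $Lines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        # Keep only TCP connections aimed at the SMB (445) and NetBIOS session (139) ports.
        if ($f[3] -ne 'TCP' -or $f[7] -notin '445','139') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in $events | Group-Object Src) {
        $sorted = @($group.Group | Sort-Object Time)
        # Slide a window over this source's probes; report the first window that is dense enough.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end    = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $window = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end })
            $targets = @($window.Dst | Sort-Object -Unique)
            if ($targets.Count -ge $MinTargets) {
                [pscustomobject]@{ Source = $group.Name; FirstSeen = $sorted[$i].Time; Targets = $targets.Count }
                break
            }
        }
    }
}

# 10.0.0.25 hits six hosts in two seconds and is reported; 10.0.0.7's two ordinary connections are not.
Find-SmbSweeps -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Point it at a real log with `Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log` (logging of dropped and allowed packets must be enabled in the firewall profile first).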

Target Industries

Government, Harbour terminals, Airports, Electricity grids, Banks, Factories (mining and steel), Insurance companies, Pharmaceutical, Military, Russian steel, and Metro transportation

Is there a Kill Switch?

Security researchers have identified something similar to a “kill switch”. It is better described as a vaccine, since it cannot be used centrally (by registering a domain) to stop the spread across the globe; its utility is limited to the local system. By creating a read-only file named “perfc” under C:\Windows\, it is possible to stop the encryption with the current version of NotPetya.

Although this blocks NotPetya from executing, it does not stop it from spreading on the network. Note that the ransomware is designed to spread internally within an hour or so of its first hit.

How can this be prevented?

  1. Since this ransomware variant is targeting Microsoft’s Office/WordPad RCE vulnerability and the SMB vulnerability, users should ensure that both security issues are patched.
  2. Disabling SMBv1 is required.
  3. Network and host-based firewalls should actively block TCP/445 traffic from untrusted systems.
  4. Isolate any unpatched systems from the network to prevent them from getting infected.
  5. Keep an offline backup of critical data on desktops and servers.
  6. Use the vaccine to keep hosts immune from the NotPetya massacre.
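Steps 2, 3 and 6 above, together with the perfc vaccine from the previous section, can be applied to a single host in one pass. The script below is an added example, not the post’s own code or a vendor tool; it assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later (SmbShare and NetSecurity modules present) and uses the hypothetical rule name and parameter shown.

```powershell
#Requires -RunAsAdministrator
# Added example: per-host NotPetya hardening (disable SMBv1, block inbound SMB, drop the perfc vaccine).
param(
    # Remote addresses whose inbound SMB traffic is blocked. 'Any' suits workstations, which
    # rarely need to serve SMB; servers should narrow this to the CIDR ranges that are untrusted.
    [string[]]$UntrustedSmbSources = @('Any')
)

# 1) Disable SMBv1 on the server side; it is the protocol version ETERNALBLUE/ETERNALROMANCE abuse.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Output 'SMBv1 server protocol disabled'
}
# On Windows 10 / Server 2016 the SMB1 client ships as an optional feature; remove it as well.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Output 'SMB1Protocol optional feature disabled (reboot required to complete)'
}

# 2) Block inbound TCP/445 and TCP/139 from the untrusted sources. Windows Firewall evaluates
#    block rules ahead of allow rules, so this overrides any existing File and Printer Sharing allow.
$ruleName = 'Block inbound SMB from untrusted sources'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445,139 -RemoteAddress $UntrustedSmbSources -Action Block -Profile Any | Out-Null
    Write-Output "Firewall rule '$ruleName' created"
}

# 3) Local vaccine: a read-only C:\Windows\perfc, which the current NotPetya build checks for
#    before encrypting. Idempotent, so the script can be re-run or pushed via a startup script.
$vaccine = Join-Path $env:SystemRoot 'perfc'
if (-not (Test-Path -LiteralPath $vaccine)) {
    New-Item -Path $vaccine -ItemType File | Out-Null
}
Set-ItemProperty -LiteralPath $vaccine -Name IsReadOnly -Value $true
Write-Output "Vaccine file present and read-only: $vaccine"
```

The vaccine protects only the host it is created on; the SMBv1 and firewall changes are what limit the worm module’s spread, and they need to reach every machine on the segment.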

It is important to remember that post infection it takes up to 60 minutes for the system to reboot. The encryption of the MFT starts only once the system reboots, so this crucial time can be used for
