What is NotPetya?

NotPetya: Understanding the Worst Cybersecurity Attack and Its Global Impact on Multinational Corporations

NotPetya is a type of ransomware that shook the world of cybersecurity in June 2017. Named after Petya, a similar ransomware that was released a year earlier, NotPetya is a type of malicious software (malware) that encrypts the data on victims' computers, effectively locking them out of their own files, and demands a ransom in Bitcoin for the data to be unlocked.

NotPetya took things a step further than the average ransomware: security experts soon found that its goal was not to extort money from its victims, but to disrupt, damage and generally aggravate. Shockingly sophisticated, while it appeared to function predominantly as an aggressive and effective ransomware campaign, it was eventually deemed to be more akin to a cyber weapon released with the aim of causing disruption and destruction.

The origin of NotPetya was traced back to a legitimate Ukrainian tax software company, M.E.Doc, which researchers believe was unknowingly distributing the malware to their clients through their software updates. This was achieved by first sabotaging the company's server updates with a corrupted version that contained the NotPetya malware. Once inside a corporate network, the malware then used a variety of wrangled together methods gleaned from multiple antivirus and malware protection layers to spread rapidly.

NotPetya adopted advance propagation techniques to automatically move itself unhelped across networks, infecting more devices. A key factor in NotPetya’s ability to propagate across infected networks was its use of the EternalBlue exploit. This vulnerability, originally discovered by the US National Security Agency (NSA) and leaked by a hacking group known as the Shadow Brokers, allowed NotPetya to spread quickly within networks from one machine to another.

Also, the malware carried out what's called a 'credential dumping' attack, exploiting vulnerabilities in Windows operating systems. This enabled it to steal login details and continue spreading, even on systems that had been patched against EternalBlue.

Unlike previous kinds of ransomware, NotPetya didn't simply encrypt files on the affected systems - it infected and overwrote the Master Boot Record (MBR), a critical part of a computer's hard drive that's necessary for it to boot up. When the computer was restarted, a ransom note would be displayed demanding payment. But unlike other ransomware which release the encryption keys once the ransom was paid, NotPetya provided no mechanism to do that – this wasn't about making money.

From a cybersecurity perspective, NotPetya represented a shift from financial cybercrime to pure cyber destruction. This impact was global, with it hitting numerous organisations around the world from various different sectors, including the Danish shipping firm Maersk, British advertiser WPP, and Russian oil company Rosneft.

Where antivirus and cybersecurity strategies are concerned, the NotPetya attack highlighted the importance of keeping software up to date, and of having robust and comprehensive data backups in place. One can patch the vulnerabilities that NotPetya exploited, but more critical is a change of mindset at a strategic level. Organisations need to assume a solid cybersecurity posture that not only handles incidents when they occur but also prevents, detects, and responds to these threats in a proactive way.

NotPetya serves as a stark reminder of the finesse, ambiguity, and progressive nature of the contemporary cyber threat landscape. Its legacy persists as a poignant example of the escalating cyber warfare tensions on a global scale, emphasising the demand for enhanced cybersecurity measures, collaborative efforts and international regulation to tackle the threats that the digital world continues to face.

NotPetya FAQs