NotPetya
Destructive cyberattack disguised as ransomware — exploitation of MS17-010 (CVE-2017-0144)
Summary
NotPetya was a destructive cyberattack that began on June 27, 2017, initially targeting Ukrainian organizations but rapidly spreading worldwide. Disguised as ransomware, it functioned as a data wiper: the damage was irreversible by design, not by accident. Key facts: attributed to Russian military intelligence (the Sandworm group); delivered through a supply chain compromise of the M.E.Doc tax-accounting software; spread inside networks with the EternalBlue SMBv1 exploit (CVE-2017-0144, patched by MS17-010) and with administrator credentials stolen from memory; estimated global damages of roughly $10 billion.
Background
The attack was discovered on June 27, 2017, when Ukrainian companies reported system compromises. Security researchers quickly identified it as a variant of the Petya malware family but noted that, unlike Petya, it could not return victims' data. The initial infection vector was a backdoored update pushed through the legitimate M.E.Doc update mechanism. Microsoft had released the relevant patch (MS17-010) on March 14, 2017, closing the SMBv1 flaw that EternalBlue exploits and that NotPetya used for lateral movement. Because the delivery vector was a trojanized legitimate update rather than a new software vulnerability, there was no vendor patch for the entry point itself; antivirus vendors shipped detection signatures within days. Attribution to Russia's GRU was publicly announced by the US and UK governments in February 2018.
Impact
- Permanent data loss: user files were encrypted before the forced reboot, the master boot record (MBR) was overwritten with a malicious bootloader, and that bootloader encrypted the master file table (MFT) behind a fake CHKDSK screen. No working decryption path existed.
- Massive business disruptions, such as shipping giant Maersk halting operations and reinstalling 4,000 servers and 45,000 PCs.
- Financial losses exceeding $10 billion across industries, affecting companies like Merck, FedEx, and Rosneft.
- Scope extended to critical infrastructure, including power companies, banks, and airports in Ukraine and beyond.
- Exploitation potential: Rapid lateral spread in networks via unpatched systems, amplifying damage from a single entry point.
What is NotPetya
NotPetya is a malware variant built on the Petya ransomware family but designed as a destructive wiper rather than a profit-driven tool. On an infected Windows host it encrypts files, overwrites the MBR, forces a reboot, and displays a note demanding a $300 Bitcoin ransom. The "installation key" shown in that note is random and not tied to the encryption key, so even a paying victim could not be given a working decryptor. Initial delivery was the backdoored M.E.Doc update; inside a network it spread in two ways: the EternalBlue and EternalRomance exploits against hosts still running unpatched SMBv1 (primarily Windows 7 and Server 2008 R2 systems missing MS17-010), and credentials harvested from memory, reused via PsExec and WMIC, which also reached fully patched hosts.
Implications
NotPetya underscores the danger of nation-state operations disguised as criminal activity: the ransomware cover delayed recognition that the data was unrecoverable. It highlights supply chain exposure through trusted update channels and the cost of slow patching. Operationally, it poses risks of prolonged downtime and permanent data loss; security-wise, it demonstrates that a single unpatched or over-privileged host can seed a network-wide compromise, and that the same access could equally have been used for espionage or follow-on attacks.
Mitigation
Immediate (0–7 days)
- Apply Microsoft security update MS17-010 to close the SMBv1 flaw used by EternalBlue (and EternalRomance).
- Disable the SMBv1 protocol on all systems.
- Isolate potentially infected machines from the network and scan with updated antivirus. If a host is showing the fake CHKDSK screen, power it off immediately rather than letting it finish: the MFT encryption runs during that screen, and files may still be recoverable by mounting the disk from other media.
- Rebuild affected systems and restore data from offline backups; do not attempt to pay or decrypt.
Short-Term (1–4 weeks)
- Update all software and firmware to the latest versions.
- Implement network segmentation to limit lateral movement.
- Enable Windows Defender Credential Guard and firewall rules blocking unnecessary ports.
Medium-Term (1–3 months)
- Conduct comprehensive security audits and vulnerability scans.
- Train employees on phishing and safe software update practices.
- Deploy endpoint detection and response (EDR) tools.
Long-Term (3–6+ months)
- Adopt a zero-trust security model.
- Establish regular offline and offsite backups with tested restores, and maintain an incident response plan that covers wiper scenarios.
- Monitor supply chain partners for security compliance.
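The SMBv1 steps from the Immediate and Short-Term lists above, as a single host-hardening script. This is an added example, not code from the original page or from Microsoft: it records the SMBv1 server state, disables SMBv1, optionally blocks inbound TCP 445 on the Public firewall profile, and reports what changed. It assumes an elevated PowerShell session; the SMB cmdlets exist on Windows 8.1 / Server 2012 R2 and later, and on Windows 7 / Server 2008 R2 it falls back to the LanmanServer registry value that Microsoft documents for those versions. The firewall rule name and the `-BlockInbound445OnPublic` switch are assumptions of this example.

```powershell
# Added example (not from the original page): disable SMBv1 on this host and report.
# Assumes an elevated session. Supports -WhatIf to preview without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$BlockInbound445OnPublic   # assumed switch name: opt in to the firewall rule
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # $true when the SMBv1 server is enabled. On Windows 7 / 2008 R2 there is no
    # SmbShare module; an absent SMB1 registry value means the default, i.e. enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return [bool]$v.SMB1
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) { return }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Where the optional feature exists (Windows 8.1/10), also remove the SMBv1
        # client and server binaries; removal completes on the next reboot.
        # On Windows Server use Remove-WindowsFeature FS-SMB1 instead.
        if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    } else {
        # Windows 7 / 2008 R2: documented registry method; effective after a reboot.
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Add-Smb445PublicBlock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $name = 'Block inbound SMB (TCP 445) - Public profile'   # assumed rule name
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($name, 'Create firewall rule')) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
            -Profile Public -Action Block | Out-Null
    }
}

$before = Get-Smb1ServerState
Disable-Smb1Server
if ($BlockInbound445OnPublic) { Add-Smb445PublicBlock }

# One object per host so results from many machines can be collected and compared.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Smb1EnabledBefore = $before
    Smb1EnabledAfter  = Get-Smb1ServerState
    RebootRequired    = ($before -and -not $WhatIfPreference)
}
```

Run it once with `-WhatIf` to see which path (cmdlet or registry) applies on the target before changing anything. Blocking 445 only on the Public profile is deliberate: domain file sharing keeps working, while a laptop on a hotel or guest network stops accepting SMB connections at all. Disabling SMBv1 removes the EternalBlue path but not the credential-reuse path, so the Credential Guard and segmentation steps above still apply.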
Timeline
| Date | Event |
|---|---|
| March 14, 2017 | Microsoft releases MS17-010 patch for EternalBlue vulnerability. |
| May 12, 2017 | WannaCry ransomware exploits EternalBlue globally. |
| June 27, 2017 | NotPetya outbreak begins via M.E.Doc software update in Ukraine. |
| June 28, 2017 | Security researchers confirm it is a wiper: the ransom note's key cannot yield a decryptor. |
| February 15, 2018 | US and UK governments attribute the attack to Russian military intelligence. |
Key Takeaways
- Prompt patching of known vulnerabilities is critical to prevent exploit-based attacks.
- Supply chain security must be prioritized to avoid initial compromise vectors.
- Nation-state threats require robust incident response and attribution mechanisms.
- Offline backups are essential for recovery from destructive malware.
- Global interconnectedness amplifies the impact of targeted attacks.
Identification Tool
Checklist to confirm if a system is affected or vulnerable:
- Check for unexpected reboots and a fake CHKDSK screen displaying during boot.
- Look for a README.TXT ransom note in the root of each fixed drive (the note shown on screen after the fake CHKDSK is written by the bootloader, not as a file).
- Check whether user files are unreadable while keeping their original names and extensions (NotPetya does not rename encrypted files), or whether the system no longer boots.
- Scan for presence of suspicious DLLs like perfc.dat or perfc.dll in C:\Windows.
- Use PowerShell to check if the MS17-010 patch is installed (see script below).
- Check if SMBv1 is enabled: run `Get-SmbServerConfiguration | Select EnableSMB1Protocol` in PowerShell.
- Run antivirus scans for NotPetya signatures.
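The checklist above, as one read-only triage function that returns a single object per host. This is an added example, not code from the original page or from any vendor: it looks for the perfc artifacts, the README.TXT note, a pending forced-reboot task, and the SMBv1 state. It assumes Windows 8.1 / Server 2012 R2 or later for `Get-SmbServerConfiguration` and `Get-ScheduledTask` and degrades to a registry read where they are missing. The scheduled-task check relies on a documented NotPetya behaviour: it schedules `shutdown.exe /r /f` so that the bootloader it wrote to the MBR runs. Run it before rebooting a suspect host, because the MFT encryption happens on that next boot.

```powershell
# Added example (not from the original page): read-only NotPetya indicator triage.
function Test-NotPetyaIndicators {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. perfc artifacts in %SystemRoot%. The malware DLL is dropped as perfc.dat.
    #    It skips execution when a file named perfc (no extension) already exists,
    #    which is why administrators placed an empty read-only one as a "vaccine";
    #    size and attributes are recorded so that file is not mistaken for an infection.
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $env:SystemRoot $name
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path -Force
            $findings.Add(('{0}: {1} bytes, attributes {2}' -f $path, $f.Length, $f.Attributes))
        }
    }

    # 2. README.TXT ransom note written to the root of each fixed drive.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        if ($drive.Root -notmatch '^[A-Za-z]:\\$') { continue }
        $note = Join-Path $drive.Root 'README.TXT'
        if (Test-Path -LiteralPath $note) { $findings.Add("Ransom note: $note") }
    }

    # 3. Pending forced reboot scheduled via schtasks (shutdown.exe /r /f).
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        Get-ScheduledTask | ForEach-Object {
            $task = $_
            foreach ($a in $task.Actions) {
                if (("$($a.Execute) $($a.Arguments)") -match 'shutdown(\.exe)?\s+/r\s+/f') {
                    $findings.Add(("Scheduled forced reboot: task '{0}' -> {1} {2}" -f `
                        $task.TaskName, $a.Execute, $a.Arguments))
                }
            }
        }
    }

    # 4. SMBv1 server state: exposure to EternalBlue, not evidence of infection.
    #    An absent registry value means the default (enabled) on older Windows.
    $smb1 = if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -ErrorAction SilentlyContinue
        if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Smb1Enabled     = $smb1
        Findings        = $findings.ToArray()
        IndicatorsFound = ($findings.Count -gt 0)
    }
}

Test-NotPetyaIndicators | Format-List
```

`IndicatorsFound` is a prompt for a human look, not a verdict: a 0-byte read-only `perfc` is the vaccine, while a `perfc.dat` of tens of kilobytes plus a pending `shutdown /r /f` task means the host should be powered off now and imaged later. The function returns an object rather than printing, so the same code can be pushed through `Invoke-Command` to many hosts and the results filtered on `IndicatorsFound`.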
PowerShell Check Script
Single script to detect whether an MS17-010 update is installed and print the status in green (OK) or red (update needed). Two caveats: the KB list is the set of March to May 2017 updates that first shipped the fix, and later cumulative updates supersede them without being listed, so a Windows 10 or Server 2016 host patched more recently will be reported as "Update needed" and must be confirmed another way (for example by the version of srv.sys); and Get-HotFix reads Win32_QuickFixEngineering, which only lists updates installed through component-based servicing.

```powershell
# MS17-010 presence check. KB list = the March-May 2017 security-only, monthly rollup
# and cumulative updates that carried the fix; later cumulative updates supersede
# them and are not listed, so "Update needed" can be a false positive (see above).
$hotfixes = "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012598", "KB4012606", "KB4013198", "KB4013429", "KB4015217", "KB4015438", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019215", "KB4019216", "KB4019264", "KB4019472", "KB4019473", "KB4019474"
# Get-HotFix needs no elevation; -ExpandProperty yields plain KB strings, not objects.
$hotfix = Get-HotFix | Where-Object { $hotfixes -contains $_.HotfixID } | Select-Object -ExpandProperty HotfixID
if (-not $hotfix) {
    Write-Host "Update needed" -ForegroundColor Red
} else {
    Write-Host ("OK (installed: {0})" -f ($hotfix -join ", ")) -ForegroundColor Green
}
```