NotPetya
NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[1][2]
Associated Software Descriptions
Name | Description |
---|---|
GoldenEye | [1] |
Petrwrap | [1] |
Nyetya | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1003 | Credential Dumping | NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[1][2][3] |
Enterprise | T1486 | Data Encrypted for Impact | NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[1][2] |
Enterprise | T1210 | Exploitation of Remote Services | NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.[1][2] |
Enterprise | T1070 | Indicator Removal on Host | |
Enterprise | T1036 | Masquerading | |
Enterprise | T1085 | Rundll32 | NotPetya uses |
Enterprise | T1053 | Scheduled Task | NotPetya creates a task to reboot the system one hour after infection.[1] |
Enterprise | T1035 | Service Execution | NotPetya can use PsExec to help propagate itself across a network.[1][2] |
Enterprise | T1195 | Supply Chain Compromise | NotPetya's initial infection vector for the June 27, 2017 compromise was a backdoor in the Ukrainian tax accounting software M.E.Doc.[1][2][5] |
Enterprise | T1529 | System Shutdown/Reboot | NotPetya will reboot the system one hour after infection.[1] |
Enterprise | T1078 | Valid Accounts | NotPetya can use valid credentials with PsExec or |
Enterprise | T1077 | Windows Admin Shares | NotPetya can use PsExec, which interacts with the |
Enterprise | T1047 | Windows Management Instrumentation | NotPetya can use |
References
1. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
2. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.