NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.

| Domain | ID | Name |
|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact |
| Enterprise | T1210 | Exploitation of Remote Services |
| Enterprise | T1083 | File and Directory Discovery |
| Enterprise | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery |
| Enterprise | T1569.002 | System Services: Service Execution |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts |
| Enterprise | T1047 | Windows Management Instrumentation |