Glossary > Petya (NotPetya)

Spear Phishing Attack

Petya (NotPetya)

What Is Petya Ransomware?

Learn about Petya and how to protect against an attack.

Definition

Petya is a ransomware strain that infects Microsoft Windows-based computers. Like other forms of ransomware, Petya encrypts data on infected systems. The data is unlocked only after the victim provides the encryption key, usually after paying the attacker a ransom for it.

 

History

Though first discovered in 2016, Petya began making news in 2017 when a new variant was used in a massive cyberattack against Ukrainian targets. It quickly spread worldwide, crippling businesses and causing more than $10 billion in damages.[1]

The new variant, also dubbed “NotPetya” because of key differences with the original, spread using an exploit known as EternalBlue. The exploit was developed by—and later stolen from—the U.S. National Security Agency (NSA). Once on a compromised system, EternalBlue exploits a flaw in Windows networking protocols to silently spread across networks. Unlike most malware, NotPetya infected new systems without the user doing anything. That behavior made NotPetya more like a “ransomworm” than a traditional virus.

NotPetya was narrowly targeted, though quickly grew into a wider threat. And despite displaying the usual signs of a ransomware attack—such as the ransomware demand—wasn’t designed to actually collect any money. Those traits led researchers to conclude that the virus was a state-sponsored destructive attack, not an act of cybercrime.

 

Analysis

According to the Ukrainian police, the NotPetya attack started by subverting the update function of that government’s accounting software. A second wave of attacks spread through malware-laden phishing emails.[2]

Though it exploited the same flaw as an earlier ransomware strain called WannaCry, it had more options for spreading itself. That made NotPetya much more resilient to cyber defenses. At the same time, it wasn’t designed to spread beyond the initially infected environment. This limited the spread and is consistent with the theory that NotPetya was a narrowly targeted attack rather than a cyber criminal’s cash grab.

Once it has infected a system, Petya waits about an hour before rebooting the machine. It then displays the text “Repairing file system on C:” and warning users not to turn off their computers. As users wait, Petya is actually encrypting their files. Finally, the system reboots again, displaying the ransom demand.

The NotPetya ransom, however, is nearly impossible to pay. The attackers’ contact email was hard-coded to a webmail address that was quickly shut down. So there’s no way for victims to send the money or get the decryption key.

 

How to Remove Petya

Like most ransomware, Petya is difficult to remove after it has infected a system. In most cases, the victim has to decide whether to pay the ransom (in hopes of actually getting the encryption key) or erasing everything and restoring it from backup. The best approach to avoid ransomware altogether. Here’s what to do before, during and after an attack.

Before the Attack

The best security strategy is to avoid ransomware altogether. This requires planning and work—before the crisis hits.

  • Back up and restore
    The most important part of any ransomware security strategy is regular data backups. Surprisingly few organizations run backup and restore drills. Both halves are important; restore drills are the only way to know ahead of time whether your backup plan is working.

  • Update and patch
    Keep operating systems, security software and patches up to date for all devices.

  • Train and educate users
    Employee training and awareness are critical. Your people should know what to do, what not to do, how to avoid ransomware, and how to report it. If employees receive a ransomware demand, they should know to immediately report it to the security team—and never, ever try to pay on their own.

  • Invest in robust people-centric security solutions
    Even the best user training won’t stop all ransomware. Advanced email security solutions protect against malicious attachments, documents, and URLs in emails that lead to ransomware.
     

During the Attack: Contain the Damage and Get Back to the Business

While the best ransomware strategy is to avoid it in the first place, this advice means nothing if you’re newly infected.

You have short-term problems to resolve, like getting computers, phones, and networks back online, and dealing with ransom demands.

  • Turn the computer off and disconnect from the network
    Petya waits about an hour after infecting a system before rebooting and displaying a message that the file system is being “repaired.” If the machine is turned off immediately, some files may be saved, experts say.[2]
    The moment employees see the ransomware demand or notice something is odd, they should disconnect from the network and take the infected machine to the IT department.
    Only the IT security team should attempt a reboot, and even that will only work in the event it is fake scareware or run-of-the-mill malware.

  • Call law enforcement
    Ransomware is a crime—theft and extortion are in play. Notifying the proper authorities is a necessary first step.

  • Determine scope of problem based on threat intelligence
    Your response—including whether to pay the ransom— hinges on several factors:

    • The type of attack
    • Who in your network is compromised
    • What network permissions any compromised accounts have
  • Orchestrate a response
    A big part of your response is deciding whether to pay the ransom. The answer is complicated and may require you to consult law enforcement and your legal counsel. In some cases, paying may be unavoidable.

  • Don’t count on free ransomware decryption tools
    Most free tools work for only a single strain of ransomware or even a single attack campaign. As attackers update their ransomware, the free tools fall out of date and likely won’t work for your ransomware.

  • Restore from Backup
    The only way to completely recover from a ransomware infection is restoring everything from backup. But even with recent backups, paying the ransom might make more financial and operational sense.

After the Attack: Review and Reinforce

We recommend a top-to-bottom security assessment to find threats that may still linger in your environment. Take a hard look at your security tools and procedures—and where they fell short.

  • Cleanup
    Some ransomware contains other threats or backdoor Trojans that can lead to future attacks. In other cases, the victim’s environment was already compromised, opening a door for the ransomware.
    Look closer for hidden threats that you may have overlooked in the chaos.

  • Post-mortem review
    Review your threat preparedness, the chain of events that led to the infection, and your response. Without figuring out how the ransomware attack got through, you have no way of stopping the next attack.

  • Assess user awareness
    A well-informed employee is your last line of defense. Make sure employees, staff or faculty are up to the task.

  • Education and training
    Develop a curriculum to address employee vulnerability to cyber attacks. Create a crisis communications plan in the event of a future attack, and follow-up with drills and penetration testing.

  • Reinforce your defenses
    Today’s fast-changing threat landscape requires security solutions that can analyze, identify and block—in real time—the malicious URLs and attachments that serve as ransomware’s primary attack vehicles.
    Seek out security solutions that can adapt to new and emerging threats and help you respond to them faster.

 

[1] Andy Greenberg (Wired). “The Untold Story of NotPetya, the Most Devastating Cyberattack in History.” October 2018.

[2] Olivia Solon and Alex Hern (The Guardian). “'Petya' ransomware attack: what is it and how can it be stopped?” June 2017.