Dissecting NotPetya: So you thought it was ransomware

By Caleb Fenton, Joseph Landry, Nir Izraeli, Itai Liba, and Udi Shamir, Senior Security Researchers, SentinelOne Labs

NotPetya was in the news this week, making headlines for being yet another ransomware attack that spread like fire – affecting organizations in several verticals across 65+ countries, drawing comparisons with the WannaCry attack that recently hit over 200,000 machines globally.

While it shows characteristics similar to a ransomware, NotPetya is more akin to a wiper, which is generally regarded as a malware responsible for destroying data on the target’s hard disk. The ransom collection as of this writing is just over $10,000. Additionally, the email address used in the ransom request have since been shut down.

NotPetya infects the master boot record (MBR) and prevents any system from booting. And even paying the ransom would not have recovered the machine! In that sense, it is also different from the 2016 Petya threat in that the damage from NotPetya is not reversible.

NotPetya leveraged the EternalBlue (well-known with WannaCry) as well as EternalRomance, both exploiting the MS17-010 vulnerability. However, the attackers also leverage other non-exploit, legal mechanisms to laterally spread – such as psexec and windows management interface, further expanding the reach to include machines patched for the MS17-010 vulnerability.

SentinelOne customers using SentinelOne Enterprise Protection Platform are proactively protected against this MBR attack. However, we also advise customers to ensure that all machines have installed the latest Windows updates to reduce the threat impact. Additionally, limiting or removing administrative permissions for regular users will further reduce the attack surface.

Check out our “Dissecting NotPetya: So you thought it was ransomware” report which includes a more technical analysis of NotPetya, including how it is installed and how it spreads.