Petya/NotPetya Ransomware

What Is Petya Ransomware?

The Petya (AKA Goldeneye) ransomware strain was first discovered in early 2016. Although not considered an apex ransomware strain, it employed a distinct technique—overwriting the target hard drive's Master Boot Record (MBR) and encrypting its Master File Table (MFT)—and was considered a novel ransomware threat at the time.

Petya's approach to locking a victim's computer effectively expedited the ransom stage of an attack because encrypting a system's MFT is much faster than encrypting each file individually. However, multiple flaws in Petya's implementation resulted in predictable encryption key values and allowed a victim's locked files to be restored without paying any ransom.
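Because Petya's locking technique starts by replacing the boot code in the first sector of the disk, a cheap defensive check is to record a baseline of that sector and compare it on a schedule. The script below is an added example written for this page (it is not code from the original article or from any vendor product): it parses a 512-byte MBR into boot code, partition table and boot signature, hashes the boot code, and reports when it no longer matches a recorded baseline or the 0x55AA signature is missing. Both sample sectors are constructed inline; the boot-code bytes are placeholders, not a real boot loader.

```python
"""Added example: detect tampering of a disk's Master Boot Record (MBR).

Petya replaces the MBR boot code with its own loader, so comparing the first
sector against a known-good baseline is a cheap integrity check. Both 512-byte
sectors used below are constructed for this example.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
SIGNATURE_OFF = 510          # last two bytes must be 0x55 0xAA
# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
PARTITION_ENTRY = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot-code hash, partition entries and signature state."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_LEN]
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, sector, PARTITION_TABLE_OFF + i * 16)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    signature = sector[SIGNATURE_OFF:SIGNATURE_OFF + 2]
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": entries,
            "signature_ok": signature == b"\x55\xaa"}


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from recorded baseline")
    return findings


def build_sector(boot_code: bytes, partitions: list, signed: bool = True) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba, count) tuples."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(PARTITION_ENTRY, sector, PARTITION_TABLE_OFF + i * 16,
                         0x80 if bootable else 0x00, ptype, lba, count)
    if signed:
        sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample: the "known-good" sector recorded when the host was built ...
GOOD_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441   # placeholder stub, not a real loader
PARTITIONS = [(True, 0x07, 2048, 2_000_000)]               # one bootable NTFS-type partition
GOOD_MBR = build_sector(GOOD_BOOT_CODE, PARTITIONS)
BASELINE_HASH = parse_mbr(GOOD_MBR)["boot_code_sha256"]

# ... and the same disk after its boot code was overwritten by a foreign loader
# (partition table left intact, which is exactly what a baseline-only check on
# the partition table would miss).
TAMPERED_MBR = build_sector(b"\xeb\x3c" + b"\x00" * 444, PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE_HASH) or ["ok"])
```

On a live host the sector would come from reading the first 512 bytes of the physical disk (which needs administrative rights), and the baseline hash belongs off-host, since malware that rewrites the MBR can just as easily rewrite a baseline stored next to it.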

Petya vs. NotPetya

In mid-2017, cybersecurity researchers discovered a novel variant of Petya that employed the same malicious techniques but without the flaws in its encryption scheme. In addition, the new variant was, in fact, not ransomware but destructive wiper malware. Attempts to pay the ransom were left unanswered.

Dubbed NotPetya, the new variant was the subject of a joint Cybersecurity Advisory by the US Department of Homeland Security (DHS), ICS-CERT, and cybersecurity agencies in Australia, Canada, New Zealand, and the United Kingdom due to the high risk to critical infrastructure.

NotPetya was found to have been disproportionately leveraged against Ukrainian targets via a trojanized application named MEDoc, approved by the Ukrainian government for organizations to pay corporate taxes. NotPetya also compromised hundreds of global victims in a short period, including civilian critical infrastructure, approximately 80 affected medical facilities, a FedEx Corporation subsidiary, and a large US pharmaceutical manufacturer, causing approximately $1 billion in losses. In 2020, the US Department of Justice (DOJ) indicted six Russian military intelligence officers accused of developing NotPetya.

NotPetya can also exploit known vulnerabilities in exposed network services, using the EternalBlue and EternalRomance exploits, and has worm-like features to automatically move laterally within an infected network, while Petya relies on email phishing and trojanized applications for initial access and can only target a single system.

However, the most notable difference between Petya and NotPetya is that while Petya's encryption scheme is flawed, potentially allowing victims to recover their system, NotPetya's encryption scheme is unforgiving and its extortion offer is disingenuous.

The signs of a Petya attack are painfully obvious since the malware quickly and automatically reboots the target system post-infection. Upon reboot, a host infected with Petya displays a bright red screen with a distinctive ASCII skull-and-bones and a ransom note containing a personal decryption code, and directs the victim either to pay the ransom via a dark web .onion Tor site or to enter a decryption key they have already obtained.

How to Prevent a Petya Attack

Petya and NotPetya ransomware can be detected and blocked by advanced cybersecurity products such as EDR and XDR solutions that scan files for malware signatures and monitor system subprocesses to identify malicious activity in progress. 

  • Implement modern Identity and Access Management (IAM) tools
  • Install and configure advanced endpoint security products on all endpoints to detect indicators of compromise (IOCs) and take defensive action to block malware payloads from executing
CylanceENDPOINT provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents with root cause analysis, smart threat hunting, and automated detection and response capabilities. Our approach effectively eliminates response latency, which can be the difference between a minor security incident and a widespread, uncontrolled event.