What Is Petya Ransomware?
The Petya (AKA Goldeneye) ransomware strain was first discovered in early 2016. Although not considered an apex ransomware strain, it employed a distinct technique—overwriting the target hard drive's Master Boot Record (MBR) and encrypting its Master-File-Table (MFT)—and was considered a novel ransomware threat at the time.
Petya's approach to locking a victim's computer effectively expedited the ransom stage of an attack because encrypting a system's MFT is much faster than encrypting each file individually. However, multiple flaws in Petya's implementation resulted in predictable encryption key values and allowed a victim's locked files to be restored without paying any ransom.
Petya vs. NotPetya
In mid-2017, cybersecurity researchers discovered a novel variant of Petya imposing the same malicious techniques with an unflawed encryption scheme. In addition, the new variant was, in fact, not ransomware but a destructive wiper malware. Attempts to pay the ransom were left unanswered.
Dubbed Not-Petya, the new variant was the subject of a joint Cybersecurity Advisory by the US Department of Homeland Security (DHS), ICS-CERT, and cybersecurity agencies in Australia, Canada, New Zealand, and the United Kingdom due to the high risk to critical infrastructure.
NotPetya was found to have been disproportionately leveraged against Ukranian targets via a trojanized application named MEDoc, approved by the Ukranian government for organizations to pay corporate taxes. NotPetya also compromised hundreds of global victims in a short period, including civilian critical infrastructure, approximately 80 affected medical facilities, the FedEx Corporation subsidiary, and a large US pharmaceutical manufacturer, causing approximately $1 billion in losses. In 2020, the US Department of Justice (DoD) indicted six Russian military intelligence officers accused of developing NotPetya.
NotPetya is also capable of leveraging known vulnerabilities in exposed public services such as EternalBlue and EternalRomance and has worm-like features to automatically move laterally within an infected network, while Petya relies on email phishing and trojanized applications for initial access and can only target a single system.
However, the most notable difference between Petya and NotPetya is that while Petya's encryption scheme is flawed, potentially allowing victims to recover their system, NotPetya's encryption scheme is unforgiving and its extortion offers disingenuous.
How to Prevent a Petya Attack
Petya and NotPetya ransomware can be detected and blocked by advanced cybersecurity products such as EDR and XDR solutions that scan files for malware signatures and monitor system subprocesses to identify malicious activity in progress.
- Implement modern Identity and Access Management (IAM) tools
- Install and configure advanced endpoint security products on all endpoints to detect indicators of compromise (IOCs) and take defensive action to block malware payloads from executing