Petya and NotPetya: The basics

NotPetya superficially resembles the Petya ransomware in several ways, but there are a number of important ways in which it's different, and much more dangerous.

Credit: Petya

Petya and NotPetya are two related pieces of malware that affected thousands of computers worldwide in 2016 and 2017. Both Petya and NotPetya aim to encrypt the hard drive of infected computers, and there are enough common features between the two that NotPetya was originally seen as just a variation on a theme. But NotPetya has many more potential tools to help it spread and infect computers, and while Petya is a standard piece of ransomware that aims to make few quick Bitcoin from victims, NotPetya is widely viewed as a state-sponsored Russian cyberattack masquerading as ransomware.

What is Petya?

Petya is ransomware — a form of malware that infects a target computer, encrypts some of the data on it, and gives the victim a message explaining how they can pay in Bitcoin to get the keys to get their data back. The name derives from a satellite that was part of the sinister plot in the 1995 James Bond film GoldenEye; a Twitter account suspected of belonging to the malware's author used a picture of actor Alan Cumming, who played the villain, as its avatar.

Petya malware

The initial version of the Petya malware, which began to spread in March of 2016, arrives on the victim's computer attached to an email purporting to be a job applicant's resume. It's a package with two files: an image of young man (supposedly of the job applicant, but actually a stock image) and an executable file, often with "PDF" somewhere in the file name. The plan is to get you to click on that file, and to subsequently agree to the Windows User Access Control warning that tells you that the executable is going to make changes to your computer. (Petya only affects Windows computers.) 

How Petya works

If you make the extremely bad decision to agree to this request, Petya will reboot your computer. You'll see what looks like the standard Windows CHKDSK screen you expect to see after a system crash. In fact, the malware is already working behind the scenes to make your files unreachable. What earned Petya the description "the next step in ransomware evolution" despite its initially unimpressive infection rate is the way it encrypts your files. Rather than searching out specific files and encrypting them, like most ransomware does, it installs its own boot loader, overwriting the affected system's master boot record, then encrypts the master file table, which is the part of the filesystem that serves as sort of a roadmap for the hard drive. In essence, your files are still there and still unencrypted, but the computer can't access the part of the filesystem that tells it where they are, so they might as well be lost. At this point, the ransomware demands a Bitcoin payment in order to decrypt the hard drive.

As noted, in order to perform this kind of high-level bad behavior, Petya needs the user to gullibly agree to give permission to make admin-level changes. A couple of months after Petya first began to spread, a new version appeared that was bundled with a second file-encrypting program, dubbed Mischa. Mischa kicks in if the user denies Petya admin-level access; it's only a garden-variety piece of ransomware, just encrypting individual files. (Unusually, it also encrypts .exe files, which may end up interfering with the victim's ability to pay the ransom.)

Petya/NotPetya

Petya was thus at first just another piece of ransomware, with an unusual twist in how it encrypted files. But in June of 2017 that all changed radically. A new version of the malware began spreading rapidly, with infection sites focused in Ukraine, but it also appeared across Europe and beyond. The new variant spread rapidly from computer to computer and network to network without requiring spam emails or social engineering to gain administrative access; the radical advances in its capabilities led Kaspersky Lap to dub it NotPetya, a name that stuck.

NotPetya virus

The NotPetya virus superficially resembles Petya in several ways: it encrypts the master file table and flashes up a screen requesting a Bitcoin ransom to restore access to the files. But there are a number of important ways in which it's different, and much more dangerous:

  • NotPetya spreads on its own. The original Petya required the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya exploits several different methods to spread without human intervention. The original infection vector appears to be via a backdoor planted in M.E.Doc, an accounting software package that's used by almost every company Ukraine.  Having infected computers from Medoc’s servers, NotPetya used a variety of techniques to spread to other computers, including EternalBlue and EternalRomance, two exploits developed by the United States NSA to take advantage a flaw in the Windows implementation of the SMB protocol. It can also take advantage of a tool called Mimi Katz to find network administration credentials in the infected machine's memory, and then use the PsExec and WMIC tools built into Windows to remotely access other computers on the local network and infect them as well.
  • NotPetya encrypts everything. The NotPetya malware goes far beyond the original Petya trick of encrypting the master boot record, going after a number of other files to seriously screw up your hard drive.
  • NotPetya isn't ransomware. This is in fact the most shocking — and important — thing about NotPetya. It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet. For Petya, this screen includes an identifying that they're supposed to send along with the ransom; the attackers use this code to figure out which victim just paid up. But on computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair.

So what's NotPetya's real purpose? The fact that it saw an abrupt and radical improvement in efficiency over its Petya ancestor implies a creator with a lot of resources — a state intelligence or cyberwarfare agency, say. That, combined with the 2017 attack's focus on the Ukraine, caused many to point their finger at Russia, with whom Ukraine has been involved in a low-level conflict since the occupation of Crimea in 2014. This accusation was taken up by the Ukrainian government itself, and many Western sources agree; Russia has denied involvement, pointing out that NotPetya infected many Russian computers as well.

Petya Microsoft patch

The most important vulnerability to patch to avoid infection by the NotPetya variant is the SMB flaw exploited by EternalBlue. This hole can be patched by MS17-010, which was actually available in March of 2017, several months before the NotPetya outbreak. Still, despite the fact that that the widely publicized WannaCry outbreak, which occurred just weeks before NotPetya hit and exploited the same hole, brought widespread attention to the MS17-010's importance, there were still enough unpatched computers out there to serve as an ecosystem for NotPetya to spread.

Petya and Windows 10

Many of the computers infected by NotPetya were running older versions of Windows. Microsoft says that Windows 10 was particularly able to fend of NotPetya attacks, not just because most installs auto-updated to fix the SMB vulnerability, but because improved security measures blocked some of the other ways NotPetya spread from machine to machine.

More on Petya and NotPetya:

 

Join the newsletter!

Error: Please check your email address.

More about CSOKasperskyMicrosoftNSATwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Josh Fruhlinger

Latest Videos

More videos

Blog Posts

Market Place