NotPetya
What is NotPetya?
NotPetya: A June 2017 destructive wiper masquerading as ransomware, spread via a backdoored M.E.Doc update and attributed to Russia's Sandworm.
NotPetya, also tracked as ExPetr, Petya.A and Nyetya, appeared on 27 June 2017 posing as ransomware, but it was a destructive wiper built for maximum disruption. Initial access came through a backdoored update of the Ukrainian accounting software M.E.Doc, delivered through the vendor's own update mechanism. Inside a network it spread on its own along two paths: it exploited unpatched SMBv1 hosts with EternalBlue and EternalRomance (the MS17-010 vulnerabilities), and it dumped credentials from memory with a Mimikatz-derived module and reused them over PsExec and WMIC, so fully patched hosts were still compromised wherever an administrator's credentials were exposed. On each victim it overwrote the master boot record and encrypted the master file table behind a fake CHKDSK screen; the "installation key" in the ransom note was random and the payment mailbox was quickly shut down, so data could not be recovered even by victims who paid. Damages were estimated at more than 10 billion USD, with Maersk, Merck, FedEx's TNT Express, Saint-Gobain and large parts of the Ukrainian government among those hit. The US, UK and EU attributed NotPetya to Sandworm (GRU Unit 74455), and the White House called it the most destructive and costly cyberattack in history.
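The two propagation paths described above are what made NotPetya so hard to contain: installing MS17-010 closed the exploit path but not the credential path. The model below is an added example, not code from the original page or from any vendor analysis. It simulates a NotPetya-style worm over a small constructed host inventory (host names, network zones and credential labels are all invented) and reports which hosts fall and through which path.

```python
"""Toy propagation model for a NotPetya-style worm (constructed example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    segment: str             # network zone; TCP/445 is assumed open only inside a zone
    smbv1: bool              # SMBv1 server enabled
    ms17_010: bool           # MS17-010 installed (closes EternalBlue / EternalRomance)
    admin_creds: frozenset   # credential IDs that grant admin on this host
    cached_creds: frozenset  # credential IDs dumpable from this host's LSASS memory


def smb_reachable(src: Host, dst: Host, allowed_links: set) -> bool:
    """Port 445 is reachable inside a zone or over an explicitly allowed zone pair."""
    return src.segment == dst.segment or (src.segment, dst.segment) in allowed_links


def propagate(hosts, allowed_links, patient_zero):
    """Breadth-first spread from patient_zero.

    Returns {host_name: (path, infected_from)} where path is
    "initial-access", "smb-exploit" (EternalBlue/EternalRomance against an
    unpatched SMBv1 host) or "stolen-credential" (credentials dumped on the
    attacking host reused over PsExec/WMIC against a host that accepts them).
    """
    by_name = {h.name: h for h in hosts}
    infected = {patient_zero: ("initial-access", None)}
    queue = deque([patient_zero])
    while queue:
        src = by_name[queue.popleft()]
        harvested = src.cached_creds            # Mimikatz-style dump on the new victim
        for dst in hosts:
            if dst.name in infected or not smb_reachable(src, dst, allowed_links):
                continue
            if dst.smbv1 and not dst.ms17_010:
                infected[dst.name] = ("smb-exploit", src.name)
            elif harvested & dst.admin_creds:
                infected[dst.name] = ("stolen-credential", src.name)
            else:
                continue                        # patched and no usable credential
            queue.append(dst.name)
    return infected


def sample_estate():
    """Constructed inventory: names, zones and credential labels are invented."""
    shared = frozenset({"localadmin-shared"})   # same local admin password on most boxes
    hosts = [
        Host("medoc-ws", "corp", True, False, shared, shared),          # runs M.E.Doc
        Host("hr-ws", "corp", True, False, shared, shared),             # unpatched SMBv1
        Host("fileserver", "corp", False, True,                         # patched, but...
             frozenset({"localadmin-shared", "da-jsmith"}),             # ...shared admin pw
             frozenset({"localadmin-shared", "da-jsmith"})),            # ...and a DA logged on
        Host("dc01", "servers", False, True,
             frozenset({"da-jsmith"}), frozenset({"da-jsmith"})),
        Host("ot-hmi", "ot", True, False, shared, shared),              # unpatched but isolated
        Host("lab-ws", "corp", False, True,
             frozenset({"localadmin-lab"}), frozenset({"localadmin-lab"})),
    ]
    allowed_links = {("corp", "servers")}       # corp clients may reach the server zone
    return hosts, allowed_links


def run_sample():
    hosts, links = sample_estate()
    return propagate(hosts, links, "medoc-ws")


if __name__ == "__main__":
    for name, (path, via) in run_sample().items():
        print(f"{name:<11} {path:<18} via {via}")
```

Running it shows fileserver and dc01 falling through stolen credentials even though both are patched, while ot-hmi survives unpatched only because nothing in the corp zone can reach port 445 on it. That is the NotPetya lesson in miniature: patching, segmentation and credential hygiene each close one path, and only together do they contain the worm.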
● Examples
- 01
Maersk rebuilds its global IT estate after NotPetya takes down its network, reinstalling 4,000 servers and 45,000 PCs in ten days.
- 02
An organization detects a malicious M.E.Doc update by validating vendor binaries against signed hashes.
● Frequently asked questions
What is NotPetya?
A June 2017 destructive wiper masquerading as ransomware, spread via a backdoored M.E.Doc update and attributed to Russia's Sandworm. It is catalogued here under Malware.
What does NotPetya mean?
A June 2017 destructive wiper masquerading as ransomware, spread via a backdoored M.E.Doc update and attributed to Russia's Sandworm.
How does NotPetya work?
In three stages. Initial access: a backdoor planted in the M.E.Doc update mechanism delivered the payload on 27 June 2017 to organizations that ran the software, overwhelmingly those doing business in Ukraine. Lateral movement: once on a host, NotPetya enumerated the local network and spread both by exploiting unpatched SMBv1 systems with EternalBlue and EternalRomance and by dumping credentials from memory with a Mimikatz-derived module and reusing them through PsExec and WMIC, which let it take patched hosts as well. Impact: with administrative rights it overwrote the master boot record, forced a reboot and encrypted the master file table behind a fake CHKDSK screen (without those rights it encrypted user files instead); the installation key in the ransom note was random, so no decryption was possible and paying was pointless.
How do you defend against NotPetya?
The controls that would have stopped or contained NotPetya are the ones that stop any fast-moving worm that also steals credentials. Close the exploit path: apply MS17-010, disable SMBv1, and block TCP/445 between client segments and at the network edge. Close the credential path: give every host a unique local administrator password (for example with LAPS), keep tier-0 and domain admin accounts off workstations and ordinary servers, and protect LSASS with Credential Guard or equivalent so dumped credentials are not reusable. Treat third-party update agents such as M.E.Doc as untrusted input: restrict what they can reach and execute, and alert on unexpected child processes or network activity from them. Finally, keep offline or immutable backups and rehearse a full rebuild from them, because NotPetya could not decrypt anything regardless of payment, so recovery, not ransom, was the only way back.
What are other names for NotPetya?
Common alternative names include: ExPetr, Petya.A, Nyetya and Diskcoder.C.
● Related terms
- attacks
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- vulnerabilities
EternalBlue (CVE-2017-0144)
An NSA-developed exploit for a 2017 Microsoft SMBv1 remote code execution vulnerability, leaked by the Shadow Brokers and used by WannaCry and NotPetya.
- malware
Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
● See also
- Shadow Brokers Leak
- Sandworm Team