NotPetya: a wiper boosted with NSA exploits


August 23, 2017 by Julia Juvigny
On June 27th, 2017, less than two months after the WannaCry ransomware attack that hit hundreds of thousands of computers in more than 150 countries, a new worm caused panic in the IT departments of more than 2,000 companies. Called NotPetya, this new attack began spreading in Ukraine before reaching the rest of the world. It appears more sophisticated than its counterpart Petya, mainly because of the new spreading techniques it introduces. This article provides an overview of this surprising attack.


A ransomware with an unmatched performance

In a blog post, Microsoft explains that the infection started at 10:30 am GMT (12:30 pm French time) through MEDoc, a tax accounting software package used in Ukraine. According to Microsoft, Cisco Talos, Kaspersky Lab and the Ukrainian police, an attacker compromised the MEDoc software update process. When the update was installed, all MEDoc users were impacted. From this point, the real attack began [1]. A watering hole attack could also have been used [2], notably through the websites "bahmut.com.ua[/]news/" and "montenegro-today[.]com".

The attack spread across Ukraine, in particular to the Kiev subway ticket machines (users could no longer buy tickets by credit card) and to Kiev Borispil airport, where most of the billboards were shut down. The ransomware then hit other European countries and the United States, affecting 2,000 companies according to Kaspersky. The US pharmaceutical group Merck, the French construction materials company Saint-Gobain and the Danish shipping and transport firm AP Moller-Maersk were the most notable companies confronted with this cyberattack [3].
 

A supermarket impacted by NotPetya in Ukraine (source: Twitter)



How does NotPetya work?

Spreading. Once a machine is infected, NotPetya uses several lateral propagation vectors that allow it to attack computers within the same network. It spreads on the local network using the WMIC and PsExec tools, and by exploiting the EternalBlue (EB) and EternalRomance (ER) vulnerabilities, powerful NSA Windows hacking tools disclosed earlier this year by the Shadow Brokers group (see the blog posts published by Nicolas Kovacs and Peter Stiehl). NotPetya looks for systems to compromise by scanning the network for the TCP/139 and TCP/445 ports [4] in order to identify the Microsoft File Sharing service.
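On the defensive side, this scanning shows up as one workstation contacting many peers on TCP/139 and TCP/445 within seconds. The following detector is an added example, not code from the article or its sources; the flow-record format, the 60-second window, the threshold of four peers and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}           # the ports the article says NotPetya scans
WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 4                    # assumed: distinct SMB peers before alerting

# Constructed flow records: "timestamp source destination destination-port"
SAMPLE_FLOWS = """\
2017-06-27T10:31:00 10.0.0.12 10.0.0.21 445
2017-06-27T10:31:02 10.0.0.12 10.0.0.22 445
2017-06-27T10:31:03 10.0.0.20 10.0.0.5 445
2017-06-27T10:31:04 10.0.0.12 10.0.0.23 139
2017-06-27T10:31:07 10.0.0.12 10.0.0.24 445
2017-06-27T10:40:00 10.0.0.30 10.0.0.21 445
2017-06-27T10:45:00 10.0.0.30 10.0.0.22 445
2017-06-27T10:50:00 10.0.0.30 10.0.0.23 445
2017-06-27T10:55:00 10.0.0.30 10.0.0.24 445
2017-06-27T10:56:00 10.0.0.40 10.0.0.21 443
2017-06-27T10:56:01 10.0.0.40 10.0.0.22 443
2017-06-27T10:56:02 10.0.0.40 10.0.0.23 443
2017-06-27T10:56:03 10.0.0.40 10.0.0.24 443
"""

def parse_flows(text):
    """Yield (time, src, dst, port) tuples from whitespace-separated records."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def smb_fanout_alerts(flows, window=WINDOW, threshold=THRESHOLD):
    """Map each source to the time it first reached `threshold` distinct SMB peers in `window`."""
    recent = defaultdict(deque)   # src -> (time, dst) pairs still in the window
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        if port not in SMB_PORTS:
            continue
        seen = recent[src]
        seen.append((ts, dst))
        while ts - seen[0][0] > window:   # drop contacts older than the window
            seen.popleft()
        if src not in alerts and len({d for _, d in seen}) >= threshold:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, when in smb_fanout_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{when.isoformat()} {src} contacted {THRESHOLD}+ hosts on TCP/139 or TCP/445")
```

Only 10.0.0.12 is flagged: 10.0.0.30 reaches the same four hosts but over fifteen minutes, and 10.0.0.40 fans out on a non-SMB port.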

Functionality. NotPetya checks whether the user account has administrator rights on the machine, checks for the presence of three major antivirus products on the market and adapts its behavior accordingly. For example, if Symantec and Norton are installed on the system, the malware will not try to propagate through the SMB security vulnerabilities, but only through the other methods described above. If Kaspersky antivirus is installed, NotPetya overwrites the first 10 sectors of the physical hard disk, including the Master Boot Record (MBR).

As for file encryption, it targets at least user files (more than sixty targeted extensions). Under conditions that remain to be determined, it also rewrites the MBR to make the system inaccessible and to display its ransom demand at the next restart. In addition, it schedules a restart of the machine within 10 to 60 minutes [5].
 

Example of NotPetya code (Source: SecureList)

 

Depending on the conditions, it erases the System, Setup, Security and Application event logs and deletes the NTFS log. It appears that file encryption is performed while NotPetya's first, CHKDSK-style message [6] is displayed. Shutting the machine down at that moment could stop the encryption of the files, but this remains to be confirmed. Once the ransom message is displayed [7], the files would already be encrypted.
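Windows itself records a log being cleared: event 1102 when the Security log is cleared and event 104 when another log is cleared. The following correlation rule is an added example, not code from the article; it assumes the events were forwarded to a collector before the host was wiped, and the JSON field names, host names, 120-second window and three-log threshold are assumptions.

```python
import json
from datetime import datetime, timedelta

# The four logs the article says NotPetya erases.
TARGET_LOGS = {"System", "Setup", "Security", "Application"}
BURST = timedelta(seconds=120)   # assumed correlation window
MIN_LOGS = 3                     # assumed: distinct logs cleared before alerting

# Constructed records as a collector might export them (field names are assumptions).
# Event 1102 = Security log cleared; event 104 = another log cleared, named in "channel".
SAMPLE_EVENTS = """\
{"time": "2017-06-27T11:02:10", "host": "WS-014", "id": 104, "channel": "Setup"}
{"time": "2017-06-27T11:02:10", "host": "WS-014", "id": 104, "channel": "System"}
{"time": "2017-06-27T11:02:11", "host": "WS-014", "id": 1102}
{"time": "2017-06-27T11:02:11", "host": "WS-014", "id": 104, "channel": "Application"}
{"time": "2017-06-27T09:15:00", "host": "SRV-02", "id": 104, "channel": "Application"}
{"time": "2017-06-27T11:05:00", "host": "WS-014", "id": 4624}
"""

def cleared_log(event):
    """Return the name of the log this record reports as cleared, or None."""
    if event["id"] == 1102:
        return "Security"
    if event["id"] == 104:
        return event.get("channel")
    return None

def log_wipe_alerts(text, burst=BURST, min_logs=MIN_LOGS):
    """Return {host: sorted logs} for hosts that cleared >= min_logs target logs within burst."""
    clears = {}   # host -> list of (time, log name)
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            log = cleared_log(ev)
            if log in TARGET_LOGS:
                when = datetime.fromisoformat(ev["time"])
                clears.setdefault(ev["host"], []).append((when, log))
    alerts = {}
    for host, items in clears.items():
        items.sort()
        for start, _ in items:   # try each clear event as the start of a burst
            seen = {log for t, log in items if start <= t <= start + burst}
            if len(seen) >= min_logs:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    print(log_wipe_alerts(SAMPLE_EVENTS))
```

A single cleared log, as on SRV-02, is left to ordinary review; several of the four named logs cleared within seconds on one host is the pattern worth paging on.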


An "automated" infection

Unlike WannaCry, NotPetya embeds code close to the auditing and attack tool Mimikatz [8] on the compromised system and reuses the accounts of existing sessions to access other machines through Microsoft file sharing. NotPetya therefore uses the same tools as pentesters on an internal penetration test... This gives real food for thought about the nature of the malware's designers. NotPetya is thus able to infect fully updated machines, demonstrating its striking power.


What if NotPetya was not a ransomware?

Companies affected by NotPetya may never recover the impacted filesystems. Indeed, it seems that the MBR is overwritten in an irreversible way that prevents the system from being restored. Regarding the encrypted files, the AES encryption key that is generated and then encrypted with an RSA public key theoretically allows the authors to provide that key for decryption, provided they hold the associated private key.

NotPetya does behave like a wiper, a piece of malware that destroys the MBR. In any case, victims also found that it was very difficult to make a payment to recover their data, since the email address provided to them had been blocked and no longer worked.
 

Source: Twitter


Another troubling element: instead of using one Bitcoin wallet per victim, there was a single, easily traceable address for everyone. As of June 28th, only 46 companies had paid the ransom of 300 dollars, for a negligible total of 10,000 dollars.


Recommendations

Several good practices may be applied to avoid being infected:

• Frequently update software and antivirus on the relevant systems;
• Pay particular attention to email attachments.

More specifically, the following measures are recommended:

• Vaccination by creating an empty file named "C:\windows\perfc" (without an extension) has been suggested, but it could only block one of the propagation modes (WMIC);
• Applying the patch from Microsoft Bulletin MS17-010 prevents exploitation of the EB and ER vulnerabilities; disabling the SMBv1 protocol has the same effect;
• In the event of infection, and if possible, disabling or blocking Microsoft file sharing between all systems should prevent the spread of the worm.

Conclusion

While with WannaCry malware designers were able to create a hybrid ransomware by combining ransomware with a worm, NotPetya adds the ability to use lateral propagation techniques that target up-to-date systems. Finally, it behaves like a wiper through the irreversible overwriting of the Master Boot Record.


                            
[1] https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
[2] https://fr.wikipedia.org/wiki/Attaque_de_point_d%27eau
[3] https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/notpetya-timeline-of-a-ransomworm/
[4] http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
[5] http://www.cert.ssi.gouv.fr/site/CERTFR-2017-ALE-012/CERTFR-2017-ALE-012.html
[6] http://www.numerama.com/content/uploads/2017/06/petya.jpg
[7] https://pbs.twimg.com/media/DDWnlIeXsAAoaCj.jpg:large
[8] http://blog.gentilkiwi.com/mimikatz