Last Updated on September 29, 2023 by Satyendra
The most well-known malware attacks in recent memory, Petya and NotPetya, have disrupted global commerce and caused significant losses. Petya first surfaced in 2016 as a ransomware attack demanding Bitcoin to decrypt the victims’ files. NotPetya, on the other hand, first appeared in 2017 and was initially mistaken for a Petya variant. Yet it ultimately proved to be a destructive wiper, which led to widespread chaos and monetary losses.
In this blog, we’ll examine the specifics of these two ransomware families, their motives, and their devastating effects on people, businesses, and even governments. We will also discuss the takeaways from these attacks and how to defend against such threats in the future.
What is Petya Ransomware and How Does It Spread?
Petya is a type of ransomware that infects a targeted computer, encrypts the data on it, and then leaves a message for the victim on how to recover it. It demands Bitcoin payment in exchange for the key needed to retrieve the data.
Unlike prior ransomware outbreaks, which merely encrypt specific key files to blackmail the victim, Petya locks up a computer’s whole hard disk. In particular, it encrypts the Master File Table (MFT) of a computer, making it difficult to retrieve any files stored on the hard disk.
Petya has only been spotted targeting PCs running Windows. A computer infected by the Petya virus will restart, show a flashing skull, and go into lock mode.
Petya, like many earlier ransomware campaigns, spreads primarily through email attachments acting as a Trojan horse. Attackers send bogus job applications by email to HR departments. Depending on the attack approach, the attached documents include executable files or an infected Dropbox link.
The ransomware would start working as soon as someone enabled Petya and granted it administrative access. Like a boot sector virus, it would replace the Master Boot Record (MBR) to encrypt the hard disk after rebooting the target’s computer. Petya-infected computers’ files were not encrypted, damaged, or lost, but they were inaccessible. Petya would demand Bitcoin from victims to re-establish access.
Notable Petya Attacks and Damages
Petya ransomware has been responsible for several notable cyber-attacks over the years, causing significant damage to organizations and individuals alike. Here are some of the unique attacks.
- In December 2016, Petya was used to launch a cyber-attack on the Ukrainian power grid, which resulted in a widespread blackout that left more than 200,000 people without electricity.
- In June 2017, the Ukrainian accounting software company M.E.Doc was the initial target of a Petya attack that quickly spread to other companies and organizations worldwide. The attack caused massive disruptions, including shutting down the radiation monitoring system at the Chornobyl nuclear plant.
- In June 2017, the French multinational company Saint Gobain was hit by a Petya attack that affected its production lines, causing the company to shut down its systems and leading to an estimated $384 million in damages.
Prevention and Protection Mechanisms Against Petya
Petya ransomware always infiltrates organizations through email attachments, so prevention starts with securing email. Organizations should scan emails for malware, block email attachments from unknown sources, and educate staff about the dangers of opening unknown files.
Further, maintaining backup copies of vital files does not prevent ransomware infections but does aid in recovery. In an attack that renders files inaccessible, such as Petya, this may be the only way to recover them.
What is NotPetya Ransomware and How Does It Spread?
In June 2017, a new strain of ransomware, similar to Petya in many ways, struck companies worldwide. Security provider Kaspersky called it “NotPetya” because of its resemblance to Petya, but with a few key distinctions.
NotPetya ransomware, like Petya, infected the victim’s whole hard disk. NotPetya, on the other hand, encrypted the entire hard disk rather than just the MFT. It spread swiftly and unexpectedly, infecting large networks with multiple vulnerability exploits and credential theft methods.
The NotPetya virus appears similar to Petya in some ways: it encrypts the master file table and displays a page seeking a Bitcoin payment to recover file access.
NotPetya spreads by itself, using a variety of strategies to propagate without the need for human interaction. The first infection vector appears to have been a backdoor inserted into M.E.Doc, an accounting software program used by nearly every firm in Ukraine.
NotPetya reached computers from M.E.Doc’s servers and spread to other machines using several tactics, including the EternalBlue and EternalRomance exploits. This allowed it to propagate quickly across networks without user participation.
Notable NotPetya Attacks
NotPetya was a destructive malware attack that caused widespread damage and disruption in 2017. Here are some notable NotPetya attacks:
- NotPetya caused significant disruptions to the computer systems of the Danish shipping company Maersk, causing an estimated loss of $300 million. The attack led to the company’s computer systems shutting down, forcing it to resort to manual operations for several weeks.
- In June 2017, NotPetya hit several Ukrainian banks and government institutions, including the central bank, airport, and metro system. The attack caused significant disruption to the country’s financial and transportation systems.
- The British consumer goods company Reckitt Benckiser was hit by NotPetya in June 2017, causing widespread disruptions to its computer systems and leading to a loss of over $130 million.
- NotPetya also affected the operations of global courier delivery services provider FedEx in June 2017. The company’s subsidiary, TNT Express, had to shut down its systems and was forced to rely on manual processes.
Protection and Prevention Mechanisms against NotPetya
Nowadays, NotPetya ransomware is no longer in circulation, and most modern antivirus programs can detect and prevent it from infecting your computer. However, the group behind NotPetya and its creators continue to develop and deploy destructive cyber weapons to destabilize the world. Some of these hacker groups are backed by hostile governments and are constantly evolving their ransomware and other malware.
The EternalBlue vulnerability exploited by NotPetya had a patch available months before the attacks. Ransomware attacks, in general, frequently leverage software flaws to infiltrate or move laterally within a network. These attack vectors can be reduced by keeping software updated and patching vulnerabilities.
To stay protected against these threats, educating computer users on how to recognize phishing emails and avoid downloading attachments or clicking on links in suspicious emails is crucial. Implementing a patch management system, a vulnerability manager, and a configuration manager is essential to ensure your system is up-to-date and secure against hacker activity.
Differences Between Petya and NotPetya Ransomware
The NotPetya virus mimics Petya in many ways. After encrypting the file or data, Petya displays a request to pay a Bitcoin ransom to gain access to the contents. NotPetya is more harmful and robust.
A NotPetya virus spreads on its own in a computer, but a Petya virus requires the user to open and download the malicious file. Petya typically arrives as an attachment to an email and infects computers once opened. NotPetya does not require human intervention to exploit.
NotPetya is a more advanced form of malware that not only employs the encryption techniques used by Petya but also goes beyond them by targeting a larger number of files to cause damage to the computer’s hardware.
NotPetya is not strictly ransomware, but it displays a message on the infected computer’s screen that prompts the user to pay a bitcoin ransom in exchange for their encrypted data. In contrast, Petya’s message demands an upfront ransom payment and a specific amount of Bitcoin. Additionally, NotPetya generates a random identifier instead of using a unique identifier to verify whether the ransom has been paid or not.
The Impacts of Petya and NotPetya Ransomware Attacks
The impacts of Petya and NotPetya ransomware attacks were widespread and severe, causing significant disruptions to individuals, organizations, and even entire countries. Here are some of the impacts of these attacks:
- The attacks caused massive financial losses to organizations, including costs related to remediation efforts, system downtime, and lost revenue. For example, the NotPetya attack on Maersk resulted in an estimated $300 million loss, and the attack on Merck led to a loss of $1.3 billion.
- The attacks caused significant disruptions to the operations of affected organizations, including system downtime, loss of critical data, and the need to resort to manual processes. In the case of Maersk, the company had to shut down its computer systems and rely on manual processes for several weeks, leading to significant delays in its operations.
- The attacks on critical infrastructure, such as the Ukrainian power grid, posed a significant risk to public safety. In the case of the power grid attack, over 230,000 people were left without electricity for several hours.
- The attacks also significantly impacted the reputations of affected organizations, with customers losing trust in their ability to protect sensitive data and critical systems.
- The attacks on Ukrainian institutions, attributed to Russian hackers, led to further tensions between the two countries and a worsening of their strained relationship.
Why Are Cybersecurity Measures Important?
The value of cyber security in the digital age cannot be overstated. A single security compromise can have far-reaching implications in today’s linked world. As a result, cyber security is critical to safeguard organizations and individuals from the potentially disastrous effects of a security breach.
With cybersecurity measures in place, organizations may be sure that illegal access to their network or data is prevented. Benefits accrue to the organization, employees, and end users.
Cybersecurity improves not just detection but also mitigation and reaction. If an attacker employing modern tactics is successful, the recovery procedure is much faster. Furthermore, organizations will frequently realize that customers and developers are more confident in products with robust cybersecurity solutions.
How Lepide Can Help Detect and Respond to Petya and NotPetya Ransomware
The Lepide Data Security Platform can detect and respond to a wide variety of ransomware variants. As ransomware attacks access and encrypt files at a rapid pace using a compromised user account, they leave symptoms that can be tracked. For example, Lepide has the ability to raise an alert based on a threshold, such as a large number of files being renamed or file access attempts in a short space of time. Once Lepide detects this activity, either through a threshold alert or through our out-of-the-box ransomware threat model, a custom script can be executed to shut down the compromised user account and prevent further spread.
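The threshold logic described above, as an added illustration that is not Lepide’s code: a sliding-window count of rename events per user account over file-audit log lines, with a response hook that disables the account once the threshold is crossed. The log format, the sample events, and the `disable_account` callback are all constructed for this example.

```python
"""Threshold-based ransomware burst detection over file-audit events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: "<ISO timestamp> <user> <operation> <path>".
# "alice" renames six files within ten seconds (ransomware-like burst);
# "bob" renames two files five minutes apart (normal activity).
SAMPLE_LOG = r"""
2017-06-27T10:00:00 bob RENAME \\fs1\hr\draft.docx
2017-06-27T10:00:05 alice RENAME \\fs1\finance\a.xlsx
2017-06-27T10:00:06 alice RENAME \\fs1\finance\b.xlsx
2017-06-27T10:00:06 alice READ \\fs1\finance\notes.txt
2017-06-27T10:00:07 alice RENAME \\fs1\finance\c.xlsx
2017-06-27T10:00:08 alice RENAME \\fs1\finance\d.xlsx
2017-06-27T10:00:09 alice RENAME \\fs1\finance\e.xlsx
2017-06-27T10:00:10 alice RENAME \\fs1\finance\f.xlsx
2017-06-27T10:05:00 bob RENAME \\fs1\hr\final.docx
"""

def parse_line(line):
    """Split one audit line into (timestamp, user, operation, path)."""
    ts, user, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, op, path

def detect_bursts(lines, threshold=5, window=timedelta(seconds=60), ops=("RENAME",)):
    """Return [(user, timestamp)] for each user whose count of `ops` events
    within any `window` reaches `threshold`; one alert per user."""
    recent = defaultdict(deque)   # user -> timestamps of recent matching events
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, user, op, _ = parse_line(line)
        if op not in ops:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts))
    return alerts

def respond(alerts, disable_account):
    """Invoke the (hypothetical) disable_account hook once per alerted user."""
    disabled = []
    for user, _ in alerts:
        if user not in disabled:
            disable_account(user)
            disabled.append(user)
    return disabled

if __name__ == "__main__":
    found = detect_bursts(SAMPLE_LOG.splitlines())
    print("alerts:", found)
    print("disabled:", respond(found, lambda u: print("disabling", u)))
```

In production the `disable_account` hook would call the directory service (for example an Active Directory API) rather than print, and the threshold and window should be tuned against the normal rename rate of each file share.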
Conclusion
The Petya and NotPetya malware attacks were among the most significant cybersecurity incidents of recent years. They serve as cautionary tales for individuals, businesses, and governments worldwide. The attacks were highly destructive and sophisticated, causing billions of dollars in damages and disrupting operations for countless organizations.
Both attacks highlighted the importance of cybersecurity measures and the need for organizations to proactively protect themselves from such threats. It is essential to keep systems up-to-date with the latest security patches and to implement robust security protocols, including multi-factor authentication and strong password policies. Additionally, organizations should conduct regular security audits and training sessions for their employees to promote awareness and best practices.
If you’d like to see more about the Lepide Data Security Platform, and how it can detect and prevent ransomware spread, schedule a demo with one of our engineers.