NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[1][2][3][4]
Name | Description |
---|---|
ExPetr | |
Diskcoder.C | |
GoldenEye | |
Petrwrap | |
Nyetya |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1486 | Data Encrypted for Impact |
NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[1][2][4] |
|
Enterprise | T1210 | Exploitation of Remote Services |
NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.[1][2][4] |
|
Enterprise | T1083 | File and Directory Discovery |
NotPetya searches for files ending with dozens of different file extensions prior to encryption.[4] |
|
Enterprise | T1070 | .001 | Indicator Removal on Host: Clear Windows Event Logs |
NotPetya uses |
Enterprise | T1036 | Masquerading | ||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[1][2][5] |
Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
NotPetya can use PsExec, which interacts with the |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
NotPetya creates a task to reboot the system one hour after infection.[1] |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
NotPetya determines if specific antivirus programs are running on an infected host machine.[4] |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
NotPetya uses |
Enterprise | T1569 | .002 | System Services: Service Execution |
NotPetya can use PsExec to help propagate itself across a network.[1][2] |
Enterprise | T1529 | System Shutdown/Reboot |
NotPetya will reboot the system one hour after infection.[1][4] |
|
Enterprise | T1078 | .003 | Valid Accounts: Local Accounts |
NotPetya can use valid credentials with PsExec or |
Enterprise | T1047 | Windows Management Instrumentation |
NotPetya can use |
ID | Name | References |
---|---|---|
G0034 | Sandworm Team |