NotPetya

NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[1][2][3][4]

ID: S0368
Associated Software: ExPetr, Diskcoder.C, GoldenEye, Petrwrap, Nyetya
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 26 March 2019
Last Modified: 23 April 2021

Associated Software Descriptions

Name Description
ExPetr [3]
Diskcoder.C [3]
GoldenEye [1]
Petrwrap [1][3]
Nyetya [1]

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[1][2][4]

Enterprise T1210 Exploitation of Remote Services

NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.[1][2][4]

Enterprise T1083 File and Directory Discovery

NotPetya searches for files ending with dozens of different file extensions prior to encryption.[4]

Enterprise T1070.001 Indicator Removal on Host: Clear Windows Event Logs

NotPetya uses wevtutil to clear the Windows event logs.[1][4]

Enterprise T1036 Masquerading

NotPetya drops PsExec with the filename dllhost.dat.[1]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[1][2][5]

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

NotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems.[1][2][6]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

NotPetya creates a task to reboot the system one hour after infection.[1]

Enterprise T1518.001 Software Discovery: Security Software Discovery

NotPetya determines if specific antivirus programs are running on an infected host machine.[4]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.[1]

Enterprise T1569.002 System Services: Service Execution

NotPetya can use PsExec to help propagate itself across a network.[1][2]

Enterprise T1529 System Shutdown/Reboot

NotPetya will reboot the system one hour after infection.[1][4]

Enterprise T1078.003 Valid Accounts: Local Accounts

NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems.[1][2]

Enterprise T1047 Windows Management Instrumentation

NotPetya can use wmic to help propagate itself across a network.[1][2]
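The host-side behaviours in the table above (wevtutil clearing event logs, the reboot task, PsExec renamed to dllhost.dat, rundll32 launched through PsExec or WMI, wmic process creation) can be expressed as process-creation detection rules. The following is an added example written for this page, not ATT&CK content; it assumes Sysmon Event ID 1 field names (Image, CommandLine, ParentImage), that PSEXESVC.exe is the service binary PsExec installs on the remote host, and the sample records are constructed rather than captured telemetry.

```python
import ntpath
import re

# One rule per behaviour from the table, keyed by ATT&CK technique id. Each predicate
# receives the lower-cased image basename, command line and parent-image basename.
RULES = [
    ("T1070.001", lambda img, cmd, parent:          # wevtutil clearing event logs
        img == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd) is not None),
    ("T1053.005/T1529", lambda img, cmd, parent:    # scheduled task that reboots the host
        img == "schtasks.exe" and "/create" in cmd and "shutdown" in cmd),
    ("T1036", lambda img, cmd, parent:              # executable masquerading as dllhost.dat
        img == "dllhost.dat"),
    ("T1218.011", lambda img, cmd, parent:          # rundll32 spawned via PsExec or WMI
        img == "rundll32.exe" and parent in {"dllhost.dat", "psexesvc.exe", "wmiprvse.exe"}),
    ("T1047", lambda img, cmd, parent:              # wmic remote process creation
        img == "wmic.exe" and "process call create" in cmd),
]

def match_event(event):
    """Return the technique ids whose rule fires for one process-creation record."""
    img = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "").lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return [tid for tid, pred in RULES if pred(img, cmd, parent)]

def scan(events):
    """Map the index of each record that fires at least one rule to its technique ids."""
    hits = {}
    for i, event in enumerate(events):
        ids = match_event(event)
        if ids:
            hits[i] = ids
    return hits

# Constructed sample records (assumed Sysmon Event ID 1 fields). Index 4 is a legitimate
# COM surrogate (dllhost.exe) launch that must not be confused with the .dat masquerade.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl System",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks /Create /SC once /TN "" /TR "shutdown.exe /r /f" /ST 14:35'},
    {"Image": r"C:\Windows\dllhost.dat", "CommandLine": r"C:\Windows\dllhost.dat -accepteula",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": r"rundll32.exe C:\Windows\placeholder.dll,Entry",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "CommandLine": "dllhost.exe /Processid:{PLACEHOLDER}",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'wmic /node:REMOTEHOST process call create "rundll32.exe C:\\Windows\\placeholder.dll,Entry"'},
]

if __name__ == "__main__":
    for index, ids in scan(SAMPLE_EVENTS).items():
        print(index, ids)
```

The parent-process rule for rundll32 is the most fragile of the five: WmiPrvSE.exe also parents legitimate management activity, so in production it should be combined with the module path or with the dllhost.dat file write on the same host.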

Groups That Use This Software

ID Name References
G0034 Sandworm Team [7][4][8][9][10]

References