Petya and NotPetya

What is Petya ransomware?

Petya, identified in 2016, is a form of ransomware that operates by encrypting files and data on the victim’s computer. Similar to other ransomware variants, Petya employs the tactic of demanding Bitcoin payment from the victims in exchange for decrypting the files and restoring their accessibility.

In contrast to older ransomware strains that selectively encrypt specific important files to coerce the victims, Petya takes a more extensive approach by locking the entire hard disk of the targeted computer. It achieves this by encrypting the Master File Table (MFT) of the computer, rendering all files on the hard disk inaccessible.

Petya has exclusively been observed to target computers running Windows operating systems.

How does Petya ransomware spread?

Like numerous ransomware attacks, Petya primarily propagates via email attachments. Malicious actors send emails to HR departments, disguising them as job applications. Depending on the attack technique chosen, the attachment presented as a PDF either contains a link to an infected Dropbox download or is itself an executable disguised as a document.

What is NotPetya?

In June 2017, a global ransomware outbreak occurred that resembled the infamous Petya malware. However, this new variant, known as “NotPetya,” exhibited distinct characteristics. Security vendor Kaspersky named it NotPetya because, despite its similarities to Petya, it differed in critical ways. By June 28, 2017, NotPetya had already impacted over 2,000 organizations worldwide, predominantly in Ukraine.

Similar to Petya, NotPetya targeted the entire hard disk of its victims. However, instead of encrypting just the Master File Table (MFT), NotPetya encrypted the entire hard disk itself. It spread rapidly and unexpectedly, exploiting various vulnerabilities and employing credential theft methods to infect entire networks.

A noteworthy aspect of NotPetya was its utilization of the EternalBlue vulnerability (CVE-2017-0144), which had been previously exploited by the global WannaCry attack earlier in 2017. This allowed NotPetya to propagate swiftly across networks without any user interaction, unlike Petya, which required users to open a malicious email attachment to initiate the infection. Microsoft had released a patch for the EternalBlue vulnerability in March 2017, but many organizations had not yet installed it.

Is NotPetya different from Petya 2.0?

They are the same malware. Different individuals within the security sector referred to this particular form of malware by various names: NotPetya was alternatively known as Petya 2.0, ExPetr, and GoldenEye.

Was NotPetya actually ransomware?

In contrast to typical ransomware, which temporarily damages or restricts file access in exchange for a ransom, NotPetya exhibited a purely destructive nature. It caused irreparable damage, completely wiping out files without any possibility of recovery.

Although it displayed a ransom message, this tactic likely served as a disguise for the attackers’ true intentions. Even if victims of NotPetya were willing to pay the ransom, the displayed message presented a fake Bitcoin address randomly generated by the attackers. Consequently, the attackers had no means of collecting the ransom, further indicating that the primary objective of NotPetya was destruction rather than financial gain.

Ordinary ransomware is not initially designed to obliterate files and data entirely. While some ransomware attackers may resort to such measures if the ransom is not paid, immediate file wiping does not incentivize victims to comply since there is no hope of file recovery. Most ransomware attackers are primarily motivated by monetary gain, rather than causing long-lasting damage to the victims’ systems.

Furthermore, unlike the perpetrators behind the 2016 Petya attacks, who appeared to be typical cybercriminals employing ransomware, several nations in 2018 publicly attributed the NotPetya attacks directly to the Russian government. This suggests that the NotPetya attacks might have been politically motivated.

How to prevent Petya and NotPetya infections

Implementing the following three measures can significantly reduce the risk of a Petya or NotPetya attack:

  • Enhancing email security practices: Many Petya attacks, as well as certain NotPetya attacks, originate from infected email attachments. To mitigate this threat, organizations should employ email scanning mechanisms to detect malware, block attachments from external sources, and provide user training to discourage opening untrusted attachments.

  • Regularly applying software patches: NotPetya exploited the EternalBlue vulnerability, which had a patch available months before the attacks occurred. Ransomware attacks commonly capitalize on software vulnerabilities to gain access to networks or propagate within them. Keeping software up to date and diligently patching vulnerabilities can effectively eliminate such attack vectors.

  • Performing regular data backups: While backups cannot prevent ransomware infections, they play a crucial role in expediting recovery. In the event of an attack that erases files, like NotPetya, backups may be the only means to restore lost data. It is essential for organizations to maintain backup copies of important files to enable swift recovery.
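The first measure above, blocking executables that arrive disguised as job-application documents, as an added example that is not part of the original page: a small attachment-screening policy in Python that checks the file's leading bytes against its claimed type and treats external senders more strictly. The internal domains, accepted file types and sample attachments are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical policy values, not taken from the article: the organisation's own
# mail domains, and the document types HR accepts from outside senders together
# with the leading bytes ("magic") a genuine file of that type must start with.
INTERNAL_DOMAINS = {"example.com"}
ALLOWED_EXTERNAL = {"pdf": b"%PDF-", "docx": b"PK\x03\x04"}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "jar"}


@dataclass
class Attachment:
    filename: str
    content: bytes


def is_pe(content: bytes) -> bool:
    """Windows executables (EXE/DLL/SCR) start with the DOS 'MZ' header."""
    return content.startswith(b"MZ")


def screen(att: Attachment, sender: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'block'."""
    exts = att.filename.lower().split(".")[1:]  # every extension, e.g. ['pdf', 'exe']
    last = exts[-1] if exts else ""
    external = sender.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    # An executable is blocked whether the name or the bytes give it away, so a
    # PE file renamed to cv.pdf and a double-extension cv.pdf.exe both fail here.
    if is_pe(att.content) or last in EXECUTABLE_EXT:
        return "block", f"{att.filename}: executable content or extension"
    if external:
        magic = ALLOWED_EXTERNAL.get(last)
        if magic is None:
            return "quarantine", f"{att.filename}: type '{last}' not accepted from outside"
        if not att.content.startswith(magic):
            return "quarantine", f"{att.filename}: content does not match a '{last}' file"
    return "allow", f"{att.filename}: {'external' if external else 'internal'} sender"


if __name__ == "__main__":
    # Constructed samples: a genuine CV, a PE file renamed to look like a CV, a
    # double-extension lure, and an archive type the policy does not accept.
    applicant = "applicant@mail.example.net"
    for att in (
        Attachment("cv.pdf", b"%PDF-1.7 ..."),
        Attachment("cv.pdf", b"MZ\x90\x00\x03 ..."),
        Attachment("cv.pdf.exe", b"MZ\x90\x00\x03 ..."),
        Attachment("cv.zip", b"PK\x03\x04 ..."),
    ):
        print(*screen(att, applicant))
```

Files that pass this gate still go to the normal antivirus scan; the policy only removes the obvious disguises before a user sees the message.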

For additional insights, refer to the comprehensive guide on preventing ransomware.

Moreover, organizations can consider adopting Toffs One—a robust platform that ensures secure connectivity to essential resources. Employing a Zero Trust security approach, Toffs One effectively thwarts ransomware infections and helps contain their impact.