Petya and NotPetya are ransomware strains that impacted organizations globally between 2016 and 2017. While Petya caused significant damage in 2016, a similar variant called NotPetya emerged in 2017. Although many security analysts considered it the successor to Petya, the new strain exhibited clear advancements that set it apart. As a result, it was named NotPetya.
Both ransomware strains primarily target Windows devices, encrypt files, and demand a ransom in bitcoins. While most types of ransomware encrypt critical system files, Petya and NotPetya encrypt the entire hard disk. This marked a significant breakthrough in the evolution of ransomware, making these strains even more dangerous.
How Petya ransomware works
Typically, Petya ransomware gains initial access to a network via a phishing email containing a malicious attachment. In most cases, these phishing emails reach victims' inboxes masquerading as job applications, with executable attachments disguised as PDF résumés. Once a user opens the supposed PDF, a Windows User Account Control pop-up appears, warning that running the file might make changes to the computer. If the user proceeds without suspicion, the payload is executed, with the following consequences:
- The payload primarily impacts the system's master boot record (MBR), a file stored on the hard drive that is required to load the OS.
- It encrypts the master file table (MFT), a key system file within the Windows New Technology File System (NTFS) that contains details about the files on the NTFS volume. This includes metadata such as the file’s author, creation and modification dates, size, and location, which are crucial for file retrieval.
- The computer displays a fake check disk (chkdsk) screen simulating a hard disk scan while the processes above take place in the background.
- Once the hard disk is rendered inaccessible, Petya flashes a ransom note on the screen, demanding a ransom in bitcoins in exchange for restoring access to the hard disk.
Therefore, instead of directly encrypting the files, Petya targets a part of the file system that allows the computer to access and retrieve the files. While the files remain unencrypted, the computer cannot access them. However, Petya requires administrative privileges to carry out this method of execution.
When Petya is unable to acquire administrative privileges, it launches a secondary payload called Mischa to execute the attack. Mischa is a file-encrypting payload that encrypts other files in the system except the MBR and MFT. In this case, Petya operates like any other ransomware.
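Because Petya's damage starts at the first sector of the disk rather than in the user's files, one defensive control is to fingerprint a known-good master boot record and alert when it changes. The script below is an added example written for this article, not code from the original page or from any vendor: it builds a synthetic 512-byte MBR (the byte values, partition layout and CHS fields are constructed placeholders), parses the boot code, partition table and 0x55AA signature, and compares the boot code against a baseline hash. On a real host the sector would be read from a forensic image; the script never writes to a disk.

```python
"""Parse and baseline-check a 512-byte master boot record (MBR).

Added example, not code from the original article. The MBR holds the boot
code and partition table the firmware needs to start the OS, which is why
overwriting it makes a machine unbootable. The sample sector built here is
constructed for the demo; read sector 0 from an image on a real system.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code_fill: int = 0x90) -> bytes:
    """Construct a synthetic MBR: filler boot code, one NTFS partition, 0x55AA."""
    boot_code = bytes([boot_code_fill]) * BOOT_CODE_LEN
    # One bootable (0x80) NTFS (0x07) partition starting at LBA 2048 with
    # 1,048,576 sectors; the CHS bytes are placeholders, not real geometry.
    entry = struct.pack(PARTITION_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_048_576)
    empty_entries = bytes(PARTITION_ENTRY_LEN) * 3
    return boot_code + entry + empty_entries + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, the non-empty partition entries and signature validity."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PARTITION_FMT, sector[off:off + PARTITION_ENTRY_LEN])
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_against_baseline(sector: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten or not bootable")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline: possible bootkit or ransomware overwrite")
    if not info["partitions"]:
        findings.append("partition table empty: OS volumes no longer reachable")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("clean sector:", check_against_baseline(clean, baseline) or "matches baseline")
    print("overwritten boot code:", check_against_baseline(build_sample_mbr(0xCC), baseline))
    print("zeroed sector:", check_against_baseline(bytes(SECTOR_SIZE), baseline))
```

The baseline hash covers only the 446 bytes of boot code, so a legitimate partition change does not raise a boot-code alert, while the partition-table and signature checks catch the case where the whole sector has been wiped.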
How NotPetya works
While Petya gains initial access like most other ransomware strains, NotPetya enters a network by exploiting a vulnerability in the Windows SMB protocol. To do this, NotPetya leverages an exploit called EternalBlue, a tool that was developed by the United States National Security Agency and was later leaked and used by ransomware such as WannaCry. NotPetya harvests credentials using tools like Mimikatz to escalate privileges and gain admin-level access. NotPetya then uses command-line tools like PsExec and WMIC to remotely log in to other computers in the network and spread the infection.
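The credential theft and lateral movement described above leave traces in host telemetry that a SIEM can correlate. The detector below is an added example written for this article, not code from the original page or from any vendor product; it assumes three patterns in Windows and Sysmon logs (a PsExec run installs a service named PSEXESVC on the host being reached, WMIC remote execution carries `/node:` and `process call create` on the host doing the spreading, and Mimikatz-style dumping opens `lsass.exe` with read access, logged as Sysmon event 10), and the field names and every log line are constructed for the demo.

```python
"""Rule-based detection over constructed Windows/Sysmon telemetry.

Added example, not code from the original article or any product. The
three rules encode assumed footprints of the tooling the article attributes
to NotPetya; the key=value log format and all sample lines are constructed.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Constructed sample telemetry, one event per line.
LOG_LINES = [
    'ts=2024-01-01T10:14:58 host=WS01 event_id=10 source_image="C:\\Users\\alice\\Downloads\\tool.exe" target_image="C:\\Windows\\System32\\lsass.exe" granted_access=0x1010',
    'ts=2024-01-01T10:15:01 host=WS02 event_id=7045 service_name=PSEXESVC image_path="%SystemRoot%\\PSEXESVC.exe" user=SYSTEM',
    'ts=2024-01-01T10:15:03 host=WS01 event_id=1 image="C:\\Windows\\System32\\wbem\\WMIC.exe" cmdline="wmic /node:10.0.0.12 /user:corp\\admin process call create C:\\payload.exe"',
    'ts=2024-01-01T10:15:05 host=WS03 event_id=1 image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe C:\\notes.txt"',
    'ts=2024-01-01T10:15:07 host=WS03 event_id=7045 service_name=Spooler image_path="%SystemRoot%\\System32\\spoolsv.exe"',
]


def parse_line(line: str) -> dict:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def rule_lsass_access(ev: dict) -> bool:
    """Sysmon 10: a process outside System32 opens lsass.exe with memory-read access."""
    if ev.get("event_id") != "10":
        return False
    target = ev.get("target_image", "").lower()
    source = ev.get("source_image", "").lower()
    try:
        access = int(ev.get("granted_access", "0"), 16)
    except ValueError:
        return False
    return (target.endswith("\\lsass.exe")
            and not source.startswith("c:\\windows\\system32\\")
            and bool(access & PROCESS_VM_READ))


def rule_psexec_service_install(ev: dict) -> bool:
    """System 7045: the PSEXESVC service appears, the footprint of a PsExec session."""
    return ev.get("event_id") == "7045" and ev.get("service_name", "").lower() == "psexesvc"


def rule_wmic_remote_exec(ev: dict) -> bool:
    """Sysmon 1: WMIC asked to create a process on a remote node."""
    cmd = ev.get("cmdline", "").lower()
    return (ev.get("event_id") == "1" and cmd.startswith("wmic")
            and "/node:" in cmd and "process call create" in cmd)


RULES = {
    "lsass_access": rule_lsass_access,
    "psexec_service_install": rule_psexec_service_install,
    "wmic_remote_exec": rule_wmic_remote_exec,
}


def scan(lines) -> list:
    """Return one alert dict per (event, rule) match, in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"host": ev.get("host", "?"), "rule": name, "raw": line})
    return alerts


def correlate(alerts) -> list:
    """Hosts that both read LSASS and pushed execution to another machine.

    PSEXESVC installs land on the destination host, so only WMIC activity
    counts as the outbound signal here.
    """
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return sorted(h for h, rules in by_host.items()
                  if "lsass_access" in rules and "wmic_remote_exec" in rules)


if __name__ == "__main__":
    found = scan(LOG_LINES)
    for a in found:
        print(f'{a["host"]:5} {a["rule"]}')
    print("credential theft followed by spreading from:", correlate(found))
```

Single rules fire on benign administration too (help-desk tools use PsExec and WMIC legitimately), which is why the correlation step matters: a host that reads LSASS and then starts processes on other machines within minutes is the pattern worth paging on, and the PSEXESVC alerts on other hosts tell you where it has already reached.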
When it comes to encryption, NotPetya encrypts everything from critical files like the MBR to common text files. It not only renders the hard disk inaccessible but also locks the entire file system. It then displays a ransom note with a ransom demand.
NotPetya: Ransomware in disguise
Petya and NotPetya differ significantly in their execution and function. Additionally, NotPetya, unlike most ransomware, does not collect ransoms from victims in exchange for their files. It disguises itself as ransomware with a fake ransom note, luring victims into believing that they can decrypt their files by paying the ransom. However, victims soon realize that the Bitcoin wallet provided is just a random number, and there is no way to pay the ransom or retrieve their files.
This means that files impacted by NotPetya are not just encrypted but permanently lost and irrecoverable. This distinguishes NotPetya not only from Petya but also from other ransomware families, making it one of the most distinct and destructive forms of ransomware in history.
How to protect against Petya and NotPetya ransomware
By implementing the following best practices, organizations can significantly reduce the risks of a Petya or NotPetya attack.
Email filtering
Phishing emails are common vectors of ransomware that carry malicious URLs, attachments, and executables. Implement email filtering tools to flag emails with suspicious content and block them from reaching your inbox.
Identity and access management
Enhance security by implementing multi-factor authentication across all user accounts, VPN access, and application services. This additional layer of verification ensures that even if an attacker gains access to login credentials, they will still be unable to access sensitive systems.
Vulnerability testing and patching
Perform regular vulnerability scans across all network devices, software, and applications. Identify and patch any security gaps that could be exploited by ransomware.
Comprehensive risk assessments
Conduct periodic risk assessments to evaluate the security posture of all systems and users within the network. Estimating risk scores for users and entities will help you identify potential vulnerabilities and detect suspicious behavior before it escalates into a massive attack.
Data backups and encryption
Regularly back up critical data and ensure that both the original files and their backups are encrypted to protect them from unauthorized access. A strong backup strategy allows for faster recovery in the event of an attack and minimizes the impact of ransomware infections.
Employee education and awareness
The first line of defense starts with employee education. Regularly educate employees about the dangers of ransomware and the critical role they play in stopping it. Provide training on how to identify phishing emails, suspicious processes, and malicious executable files.
Related solutions
ManageEngine Log360 is a comprehensive SIEM solution with advanced ransomware detection and mitigation capabilities. Log360 stands out as one of the best ransomware protection solutions with these powerful features:
- 360-degree network visibility: Log360 provides complete visibility into your network through out-of-the-box audit reports and interactive dashboards on a single console.
- Ransomware detection: Predefined correlation rules and alert profiles for ransomware detection help you identify potential ransomware activities in real time.
- User and entity behavior analytics: With its ML-based behavior monitoring capabilities, Log360 detects anomalous activities in the network to identify potential signs of a ransomware attack.
- File monitoring: Log360's file integrity monitoring feature monitors unauthorized file access, creations, deletions, and modifications to protect sensitive data from ransomware.
- Cloud app security: Log360's CASB capabilities block suspicious websites and ban malicious applications to secure sensitive cloud data from ransomware threats.
- Ransomware incident response: The ransomware detection alert profiles include built-in incident response workflows that, when enabled, prevent the propagation of ransomware attacks.
To explore more, sign up for a personalized demo of Log360. Or, you can discover its powerful capabilities with a fully functional 30-day free trial.