Malware Analysis

NotPetya Ransomware Analysis

Executive Summary

On June 27, 2017, what initially appeared to be a variant of the Petya ransomware began spreading rapidly across networks worldwide. Dubbed "NotPetya" by researchers, this malware proved to be far more destructive than typical ransomware — it was, in fact, a cyber weapon designed to cause maximum damage while masquerading as a financially motivated attack.

Initial Infection Vector

The primary infection vector was a compromised update mechanism for M.E.Doc, a Ukrainian accounting software used by approximately 80% of Ukrainian businesses. The attackers compromised the software's update server and pushed a malicious update containing the NotPetya payload.

Supply Chain Attack Details

  • The M.E.Doc update server was compromised months before the attack
  • A backdoor was inserted into the legitimate update package
  • The malicious update (ZvitPublishedObjects.dll) contained the dropper
  • Approximately 1 million computers received the compromised update

Propagation Mechanisms

NotPetya used multiple propagation techniques, making it extremely virulent:

1. EternalBlue (MS17-010)

The same SMBv1 exploit used by WannaCry, leaked from the NSA's Equation Group arsenal:

  • Exploits a buffer overflow in SMBv1
  • Allows remote code execution on unpatched Windows systems
  • Effective against Windows XP through Windows Server 2008 R2

2. EternalRomance

A second NSA exploit targeting SMBv1:

  • Different attack vector than EternalBlue
  • Targets the SMB transaction handling
  • Provides additional coverage for systems where EternalBlue fails

3. Windows Management Instrumentation (WMI)

NotPetya used WMI for lateral movement within networks:

wmic /node:<target> /user:<user> /password:<pass> process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"

4. PsExec

Microsoft's legitimate remote administration tool was also used:

psexec.exe \\<target> -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat" #1

5. Credential Harvesting

NotPetya included a modified version of Mimikatz to extract credentials from memory, enabling authenticated lateral movement.
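As an added example (not part of the original analysis), the following Python script applies detection logic for the WMI and PsExec propagation commands shown above to a handful of constructed process-creation records; the record layout, rule names, hostname and account values are assumptions, not real telemetry.

```python
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):
    parent_image: str
    image: str
    command_line: str

# rundll32 loading perfc.dat/perfc.dll by ordinal export #1, with or without the comma
# and tolerating the backslash-escaped quotes nested inside the wmic command line.
PERFC_RUNDLL32 = re.compile(
    r'rundll32(?:\.exe)?\s+\\?"?[a-z]:\\windows\\perfc\.(?:dat|dll)\\?"?\s*,?\s*#1',
    re.IGNORECASE)
# wmic creating a process on a remote node: the lateral-movement primitive itself.
WMIC_REMOTE_CREATE = re.compile(
    r'\bwmic(?:\.exe)?\b.*?/node:.*?process\s+call\s+create', re.IGNORECASE)
# Host processes that execute commands delivered over PsExec and WMI.
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the name of every rule the event matches (empty list if none)."""
    hits = []
    if PERFC_RUNDLL32.search(ev.command_line):
        hits.append("perfc_rundll32_ordinal1")
    if WMIC_REMOTE_CREATE.search(ev.command_line):
        hits.append("wmic_remote_process_create")
    if basename(ev.image) == "rundll32.exe" and basename(ev.parent_image) in REMOTE_EXEC_PARENTS:
        hits.append("rundll32_from_remote_exec_parent")
    return hits

def detect(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    # (event index, matched rules) for each event that fires at least one rule
    return [(i, hits) for i, ev in enumerate(events) if (hits := classify(ev))]

# Constructed sample telemetry, not real logs. The last event is a benign rundll32 use.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\rundll32.exe",
              r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat" #1'),
    ProcEvent(r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\rundll32.exe",
              r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:TARGET-HOST /user:CORP\svc /password:<redacted> process call create '
              r'"C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]

for idx, rules in detect(SAMPLE_EVENTS):
    print(f"event {idx}: {', '.join(rules)}")
```

The parent-process rule is a weak signal on its own (WmiPrvSE legitimately spawns processes) and is meant to corroborate the rundll32 pattern rather than fire alone.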

Encryption Analysis

MBR Overwrite

NotPetya overwrites the Master Boot Record with a custom bootloader that:

  1. Displays a fake "disk repair" screen
  2. Encrypts the Master File Table (MFT) using Salsa20
  3. Presents a ransom note upon completion

File-Level Encryption

Individual files are encrypted using AES-128 in CBC mode:

  • Files with specific extensions are targeted (.doc, .xls, .ppt, .pdf, etc.)
  • The AES key is encrypted with a hardcoded RSA-2048 public key
  • Critical finding: The Salsa20 key used for MFT encryption is generated randomly and then overwritten in memory, making recovery impossible

Why NotPetya Is a Wiper, Not Ransomware

Several technical indicators prove NotPetya was designed as a destructive weapon:

  1. No recovery mechanism: The installation ID displayed to victims is randomly generated and has no relationship to the encryption keys
  2. Key destruction: The Salsa20 key for MFT encryption is destroyed after use
  3. Single payment address: All victims were directed to the same Bitcoin address, making individual decryption impossible
  4. Payment channel disabled: The contact email address given in the ransom note was shut down by the provider within hours

Attribution

Multiple intelligence agencies and security firms attributed NotPetya to the Russian military intelligence agency (GRU), specifically Unit 74455 (Sandworm Team):

  • Targeting aligned with Russian geopolitical interests (primarily Ukraine)
  • Technical overlaps with previous Sandworm operations
  • The U.S., UK, and EU formally attributed the attack to Russia in 2018

Impact

  • Estimated damages: Over $10 billion globally
  • Maersk: Lost approximately $300 million and had to replace 45,000 PCs and 4,000 servers
  • Merck: $870 million in damages
  • FedEx/TNT Express: $400 million
  • Ukrainian infrastructure: Government agencies, banks, airports, and power companies severely affected

Lessons Learned

  1. Supply chain security is critical — even trusted software updates can be weaponized
  2. Network segmentation limits lateral movement
  3. Timely patch management: the fix for EternalBlue (MS17-010) had been available for months before NotPetya
  4. Offline backups are essential for recovery
  5. State-sponsored attacks may masquerade as criminal activity

Indicators of Compromise

Type     Value
File     perfc.dat
File     perfc.dll
SHA256   027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA1     64b0b58a2c030c77fdb2b537b2fcc4af432bc55c
Bitcoin  1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX