EternalPetya
What is NotPetya?
NotPetya, or EternalPetya as it is sometimes called, was a ransomware variant that completely destroyed infected systems by encrypting their contents and removing any ability to recover data from the hard drive. NotPetya used EternalBlue and Mimikatz to propagate throughout a network; the use of EternalBlue is the reason EternalPetya is used as an alternative name. The monetary damage is estimated at more than $10 billion, according to an estimate made by the White House [1]. This amount makes it the most expensive cyberattack ever, as of 2019.
Aliases
- EternalPetya
- ExPetr
Associated Individuals
Experts believe the NotPetya attack was planned and executed by the Russian government. One reason for this is the method of attack and who the malware would most likely infect. The Ukrainian software company Linkos Group was targeted so that the malware could be distributed through its M.E.Doc accounting tool.
Notable Targets
- Maersk
- Merck
- FedEx’s European subsidiary TNT Express
- French construction company Saint-Gobain
- Food producer Mondelēz
- Manufacturer Reckitt Benckiser
Tactics
NotPetya was placed on a distribution server inside the Linkos Group. Once the update or software suite was downloaded, the malware began infecting systems, using the EternalBlue exploit against vulnerable systems and Mimikatz to pull credentials from those systems. The stolen credentials were then used against systems that had been patched and were therefore not vulnerable to EternalBlue. In many cases, entire networks were infected and destroyed in less than a minute; larger networks took only a couple of hours before most systems were rendered useless. [1]
References
[1] - https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
[4] - https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/