
Massive Petya Attack: Cybercrime or Information Warfare?

July 3, 2017 by Pierluigi Paganini

Hits organizations in several states

Just five weeks after the massive WannaCry attack, a new wave of ransomware-based attacks hit targets in various countries worldwide.

As with WannaCry, security experts are facing a new threat that is spreading rapidly. At the time of the attack, only a small portion of antivirus products was able to detect the threat: according to VirusTotal, only 15 out of 61 anti-virus services can identify the new Petya variant (so-called Petwrap, NotPetya).


Once again, ransomware spread rapidly, infecting over 12,000 devices in around 65 countries. NotPetya infected computer systems in various industries, including banks, power suppliers, telcos, energy and businesses in Russia, Ukraine, Europe, US, and India.

A few hours after the attack, Kaspersky Lab estimated at least 2,000 targets were infected, mostly in Russia and the Ukraine, but attacks were registered in several other countries, including Italy, Germany, the U.K., and China.

Figure 1 - Kaspersky telemetry on Petya ransomware

The attack leveraged the Petwrap ransomware, aka NotPetya, a variant of the notorious Petya ransomware that encrypted files and demanded $300 in bitcoins from the victims.

Unlike other ransomware, Petya does not encrypt files on the infected systems. Instead, it encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable.

Petya locks access to the users' data by encrypting the master file table (MFT) and replaces the computer's MBR with its own malicious code that displays the ransom note. Petya overwrites the MBR of the hard drive, causing Windows to crash. When the victim tries to reboot the PC, it will be impossible to load the OS, even in Safe Mode.

Petwrap, like WannaCry, exploits the Windows SMBv1 vulnerability to spread. Security researcher Matt Suiche, founder of cyber security firm Comae Technologies, was among the first to observe that NotPetya was exploiting the EternalBlue NSA exploit and the accompanying DoublePulsar rootkit.

Figure 2 - Matt Suiche confirmed that NotPetya exploits the EternalBlue NSA exploit

The analysis conducted by experts revealed that Petwrap also used other tricks to spread inside target networks.

According to the experts at Russian security firm Group-IB, the malware leverages a tool called "LSADump," which can be used to collect login credentials from Windows computers and domain controllers on the network.

Below is the ransom note that was displayed by the new variant of the Petya ransomware:

"If you see this text, then your files are no longer accessible because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

Figure 3 - NotPetya ransom note

Most of the infections in the initial phase of the massive attack were reported in Ukraine, where the National Bank of Ukraine (NBU) and the Ukrainian state electricity suppliers "Kyivenergo" and "Ukrenergo" were targeted by the malware. At least three Ukrainian telecommunication operators, LifeCell, Kyivstar, and Ukrtelecom, have also reported Petwrap ransomware infections.

Ukraine's Security Service (SBU) immediately raised the alarm, fearing a possible state-sponsored attack.

"We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine's Security Service (SBU) to switch them back on," Kyivenergo's press service said.

The number of systems in Ukraine infected by NotPetya rapidly increased; the Ukrainian branch of the mining company Evraz also confirmed infections, along with Ukraine's local metro and Kiev's Boryspil Airport.

Figure 4 - Ukraine's local metro system infected by Petya

The ransomware also infected systems at Russian state-owned oil company Rosneft, and the logistics giant Maersk has also suffered problems due to the attack.

The malware targeted businesses in the US, such as the global law firm DLA Piper, which experienced severe issues with its systems.

What is the attackers' motivation?

According to many security experts, the attack presents various anomalies that led them to believe the hackers' goal was sabotage.

According to Nicholas Weaver, a security researcher at the International Computer Science Institute, Petya has been designed to be destructive while masquerading as ransomware.

Weaver highlighted numerous anomalies in the ransomware-based attack, such as the use of a single Bitcoin address for every victim and the fact that the Petwrap operators urge victims to communicate with them via an email address, while most ransomware requires victims to use Tor for communications.

"I'm willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware," Weaver said in a comment published by Brian Krebs. "The best way to put it is that Petya's payment infrastructure is a fecal theater."

Further analysis conducted by Comae Technologies revealed that NotPetya was designed to look like ransomware but was, in reality, wiper malware designed for sabotage purposes.

Researcher Matt Suiche, founder of Comae Technologies, explained that the analysis conducted by his team on the Petya samples used in the attack revealed its wiper capabilities.

"We noticed that the current implementation that massively infected multiple entities in Ukraine was, in fact, a wiper which just trashed the 24 first sector blocks of the disk while replicating itself. Some noted that this was mainly slack space as only the first sector is relevant for most of the machines — except few exceptions," states the analysis published by Comae Technologies.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon."

Figure 5 - Comparison between various Petya samples

Attackers might have used a diversionary strategy to hide a state-sponsored attack on Ukraine's critical infrastructure.

Researchers from Kaspersky who analyzed the malware also believe it was developed to destroy the target systems.

We have explained that unlike other ransomware, Petya does not encrypt files on the infected systems but targets the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable.

Experts from Kaspersky Lab who analyzed the encryption routine discovered that the threat actors need the installation ID to decrypt the files, but NotPetya does not have it.

The email account set up by the hackers to communicate with victims and send decryption keys was blocked by the German mail provider Posteo after the outbreak.

"According to an update seen in Motherboard, German e-mail provider Posteo has shut down the e-mail address that victims were supposed to use to contact blackmailers and send bitcoins, and from which they would receive decryption keys. With the e-mail address blocked, victims won't be able to pay the criminals or get their files back. At Kaspersky Lab, we do not advocate paying the ransom anyway, but in this case, it's certainly pointless," states a blog post published by Kaspersky.

"Kaspersky Lab researchers have analyzed the high-level code of the encryption routine and determined that after disk encryption, the threat actor could not decrypt victims' disks. To decrypt, the threat actors need the installation ID. In previous versions of seemingly similar ransomware such as Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery.

"ExPetr (aka NotPetya) does not have that installation ID (the 'installation key' shown in the ExPetr ransom note is just a random gibberish), which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data."

"The underlying motive appears to be aimed at wreaking the maximum amount of disruption in Ukrainian infrastructure, while merely operating under the guise of ransomware," said Tyler Moffitt, a senior threat research analyst with cyber-security firm Webroot, in a blog post.

"This suspicion is supported by the absence of a payment portal or functional email address to deliver the ransom payment."

Researchers from Cisco Talos Intelligence and Microsoft confirmed the infection started in Ukraine, where a local firm named MeDoc was targeted by hackers. The experts discovered that the attackers infected a software update for a Ukrainian tax accounting system called MeDoc, but MeDoc denies the allegations.

"At the time of updating the program, the system could not be infected with the virus directly from the update file," a translated version of the MeDoc post reads. "We can argue that users of the MEDoc system cannot infect their PC with viruses at the time of updating the program."

However, several security researchers and even Microsoft agreed with Talos' finding, saying MeDoc was breached and the virus was spread via updates.

"Initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers—including Ukraine's own Cyber Police—there was only circumstantial evidence for this vector.  Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process," states Microsoft.

According to Microsoft, the new Petya variant implements multiple lateral movement techniques to compromise entire networks once the first machine is infected.

The ransomware spreading functionality is composed of multiple methods responsible for:

  • stealing credentials or re-using existing active sessions
  • using file-shares to transfer the malicious file across machines on the same network
  • using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines

Ukraine secret service announces a joint investigation with Europol, FBI, and NCA

A few days after the attack, Ukrainian authorities called for support in the investigation from European and US intelligence and law enforcement agencies.

The Ukrainian security service SBU announced international cooperation with Europol, the FBI, and England's National Crime Agency to investigate the incident and identify the offenders.

The SBU defined the massive attack as an "act of cyberterrorism" and urged a joint investigation to track the threat actors.

"The SBU specialists in cooperation with the experts of FBI USA, NCA of Great Britain, Europol and also leading cyber security institutions, conduct coordinated joint events on localization of damaging software PetyaA distribution, final definition of methods of this act of cyberterrorism, establishing of the attack sources, its executors, organizers, and paymasters," states the announcement from the SBU. "Currently the mechanisms of virus program distribution, its activation and operation algorithms are already identified. At the same time, the work on the search of possibilities for data decoding and groundwork of guidelines for prevention of virus distribution, neutralization of other negative consequences of this emergency is in the process."

The analysis conducted by many security firms suggests that Ukraine was a possible target of the attack.

Researchers from F-Secure shared interesting hints from their investigation. They believe the Petya massive attack was well-implemented, but it is still impossible to attribute it to a state actor.

"How does it compare to WannaCry (which also used these exploits)?

"WannaCry clearly picked these exploits up after the Shadow Brokers dumped them into the public domain in April. Also, WannaCry didn't do the best job at implementing these exploits correctly.

"By comparison, this 'Petya' looks well-implemented and seems to have seen plenty of testing. It's fully-baked."

"But are you still skeptical about this malware being "nation state"?"

"Less and less so. We don't think any current attribution is rock solid (attribution never really is). We feel this is definitely worth deeper investigation. And more pizza.

We've changed our minds on some of our earlier conclusions. Please note this if you're reading any previous F-Secure analysis. And, of course, this is subject to further revision, as new facts come to light."

One of the main mysteries behind the massive attack is why the author of the malware failed to add proper decryption functionality to the MBR lock screen. It is not clear whether this was an intentional choice or a glaring mistake.

NATO attributed the massive NotPetya attack to a 'state actor'

According to NATO, the massive attack based on NotPetya ransomware was conducted by a "state actor." The analysis conducted by various groups of experts confirms the malware was developed to look like ransomware while it was wiping targets. Researchers from NATO believe the attack was likely launched by a nation-state actor, or that a state commissioned it from a non-state actor.

Hackers might have used a diversionary strategy to hide a state-sponsored attack on Ukraine's critical infrastructure.

According to NATO, the attack was very complex and expensive; the hackers were well funded and operated to destroy the targets.

The experts observed that although the operation was complex, the attackers did not put much effort into managing the payments, a circumstance that suggests the hackers were not financially motivated.

"The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation," NATO's Cooperative Cyber Defense Centre of Excellence (CCD COE), said in a press release on Friday.

This declaration could have serious consequences: the cyber attack could be interpreted as an act of war and could trigger a military response by the alliance under Article 5 of the North Atlantic Treaty, the principle of collective defense.

"The global outbreak of NotPetya malware on 27 June 2017 hitting multiple organizations in Ukraine, Europe, US and possibly Russia can most likely be attributed to a state actor, concluded a group of NATO CCD COE researchers Bernhards Blumbergs, Tomáš Minárik, LTC Kris van der Meij and Lauri Lindström. Analysis of both recent large-scale campaigns WannaCry and NotPetya raises questions about possible response options of affected states and the international community," wrote Tomáš Minárik, a researcher at NATO's CCD COE law branch.

"As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures."

Although the WannaCry and NotPetya attacks present many similarities, according to the NATO researchers they were conducted by different threat actors.

"As the extortion of money seems to be just a negligently prepared cover according to various news then the question about the motivation behind NotPetya attack should be looked from other perspectives. Even though the same vulnerability was used by WannaCry, the actors behind these two similar attacks are likely not the same. In both cases, a possible financial gain for attackers has been more than modest. However, an effect was achieved, a large-scale successful disruptive attack almost globally is almost identical in both cases," continues the NATO release.

"NotPetya is a sign that after WannaCry, yet another actor has exploited vulnerability exposed by the Shadow Brokers. Furthermore, it seems likely that the more sophisticated and expensive NotPetya campaign is a declaration of power – demonstration of the acquired disruptive capability and readiness to use it," concluded Lauri Lindström, a researcher at NATO CCD COE Strategy Branch.

WannaCry and NotPetya again raise the question of the possible response options of the international community and the necessity of norms of state behavior in cyberspace.

Both arguments were discussed at the recent Italy G7 Summit; with my colleagues at the G7 cyber group, we proposed a set of norms of state behavior to address these problems. The result was a set of voluntary, non-binding norms of State behavior during peacetime in the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE.

NATO calls for a special joint investigation to attribute the attack to a specific actor and prosecute it.

"WannaCry and NotPetya raise the question about the possible response options of the international community again.  The number of affected countries shows that attackers are not intimidated by a possible global level investigation in response to their attacks. This might be an opportunity for victim nations to demonstrate the contrary by launching a special joint investigation," concludes the press release.

How to stop Petya?

When a computer is infected with Petya, it will automatically attempt to reboot to encrypt the hard drive's Master Boot Record. To block the malware, it is necessary to halt the reboot and keep the PC running. Another way to immunize the machine consists of creating a read-only file "perfc" and placing it inside the Windows directory.

"If you're lucky, Petya worm might see that file and will not encrypt your machine, BUT, it will continue to spread to other machines on the same network," reads the analysis published by PureVPN.

The US-CERT published an alert related to the latest wave of attacks; it confirmed it had received multiple reports of Petya ransomware infections related to the recent massive attack.

"The scope of this Alert's analysis is limited to the newest "Petya" variant that surfaced June 27, 2017, and this malware is referred to as "Petya" throughout this Alert," states the alert.

"Based on initial reporting, this Petya campaign involves multiple methods of initial infection and propagation, including exploiting vulnerabilities in Server Message Block (SMB)."

"The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional IOCs in comma-separated-value form for information sharing purposes."


The US-CERT suggests that organizations follow its best practices related to SMB, such as:

  • Disabling SMBv1
  • Blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

"US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices," the agency states. "The benefits of mitigation should be weighed against potential disruptions to users."

Below is the complete list of recommended steps for prevention that was included in the alert:

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to conduct regular scans automatically.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
  • Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
  • Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
  • Test your backups to ensure they work correctly upon use.
  • Utilize host-based firewalls and block workstation-to-workstation communications.
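
The host-level steps described above (the read-only "perfc" file, disabling SMBv1, and a host firewall block on the SMB/NetBIOS ports) can be audited and applied from an elevated PowerShell session. This is an added example, not code from the article or the US-CERT alert; the function names and firewall rule names are made up, and it assumes Windows 8 / Server 2012 or later, where the SmbShare and NetSecurity cmdlets are available.

```powershell
# Added example. Run from an elevated PowerShell session.
# Function names and rule display names are illustrative, not from the alert.

function Get-PetyaHardeningStatus {
    # Read-only audit: reports the state of each setting without changing it.
    $marker = Join-Path $env:windir 'perfc'
    $item   = Get-Item -LiteralPath $marker -ErrorAction SilentlyContinue

    # Look for an enabled inbound block rule that covers TCP 445.
    $blocked = $false
    $rules = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True `
                   -ErrorAction SilentlyContinue)
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains '445') {
            $blocked = $true
            break
        }
    }

    [pscustomobject]@{
        Smb1ServerEnabled    = (Get-SmbServerConfiguration).EnableSMB1Protocol
        PerfcPresent         = [bool]$item
        PerfcReadOnly        = [bool]($item -and $item.IsReadOnly)
        InboundTcp445Blocked = $blocked
    }
}

function Disable-Smb1Server {
    # US-CERT best practice: disable SMBv1 on the SMB server component.
    # -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Set-PerfcMarker {
    # Create the read-only "perfc" file in the Windows directory. As the
    # quoted analysis notes, this may stop encryption on this host only;
    # it does not stop the malware from spreading to other machines.
    $marker = Join-Path $env:windir 'perfc'
    if (-not (Test-Path -LiteralPath $marker)) {
        New-Item -ItemType File -Path $marker | Out-Null
    }
    Set-ItemProperty -LiteralPath $marker -Name IsReadOnly -Value $true
}

function Add-WorkstationSmbBlock {
    # Host firewall: refuse inbound SMB/NetBIOS on a workstation, which blocks
    # workstation-to-workstation SMB. Do not apply to file servers or domain
    # controllers: it cuts off access to shared files, as US-CERT cautions.
    New-NetFirewallRule -DisplayName 'Example: block inbound SMB (TCP 139, 445)' `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort 139, 445 | Out-Null
    New-NetFirewallRule -DisplayName 'Example: block inbound NetBIOS (UDP 137, 138)' `
        -Direction Inbound -Action Block -Protocol UDP -LocalPort 137, 138 | Out-Null
}

# Audit first, then uncomment only the changes you have decided to make.
Get-PetyaHardeningStatus
# Disable-Smb1Server
# Set-PerfcMarker
# Add-WorkstationSmbBlock
```

None of these settings replaces the MS17-010 patch, which is the first item in the alert's list.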


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.