What are Petya and NotPetya?

Petya is a strain of ransomware that first appeared in 2016. NotPetya is a strain of malware that had many similarities to Petya but behaved differently.

Learning Objectives

After reading this article you will be able to:

  • Define Petya ransomware
  • Describe the differences between Petya and NotPetya
  • Learn how to prevent Petya and NotPetya infections

What is Petya ransomware?

Petya is a strain of ransomware that was first identified in 2016. Like other types of ransomware, Petya encrypts files and data on the victim's computer. The operators of Petya demand payment in Bitcoin before they will decrypt the files and make them usable again.

Unlike some older ransomware strains, which only encrypt certain important files in order to extort the victim, Petya locks up a computer's entire hard disk. Specifically, it encrypts a computer's Master File Table (MFT), making it impossible to access any files on the hard disk.

Petya has only been observed targeting computers with Windows operating systems.

How does Petya ransomware spread?

Similar to many other ransomware attacks, Petya spreads mostly through email attachments. Attackers send emails to HR departments with fake job applications attached. The attached PDFs either contain an infected Dropbox link or are actually executable files in disguise — depending on the attack method used.

What is NotPetya?

In June 2017, a new type of ransomware that resembled Petya in many respects infected organizations around the world. Because of its similarities to Petya, with a few crucial differences, security vendor Kaspersky dubbed it "NotPetya." NotPetya had impacted at least 2,000 organizations by June 28, 2017. The vast majority of victimized organizations were in Ukraine.

Like Petya, the NotPetya ransomware impacted the victim's whole hard disk. However, NotPetya encrypted the entire hard disk itself instead of the MFT. It spread suddenly and rapidly, and it quickly infected entire networks using various vulnerability exploits and credential theft methods.

Notably, NotPetya was observed using the same EternalBlue vulnerability (CVE-2017-0144) that the worldwide WannaCry attack had used earlier in 2017. This enabled it to spread rapidly across networks without any intervention from users — unlike Petya, which needed users to open a malicious email attachment for the infection to begin. Microsoft issued a patch for the EternalBlue vulnerability in March 2017, but many organizations had not installed the patch.

Is NotPetya different from Petya 2.0?

They are the same thing. Various members of the security industry had different names for this strain of malware. Names for NotPetya included Petya 2.0, ExPetr, and GoldenEye.

Was NotPetya actually ransomware?

Unlike most ransomware, which temporarily damages or restricts access to files in exchange for a ransom, NotPetya seemed to be purely destructive. There was no way to reverse the damage it caused; essentially, it wiped files out completely with no hope of recovery.

Although it still displayed a ransom message, this tactic may only have been used to disguise the attackers' intentions. And even if NotPetya victims had wanted to pay the ransom, the message displayed a fake, randomly generated Bitcoin address. There was no way for the attackers to collect the ransom, further suggesting that the goal of NotPetya was destruction, not financial gain.

Real ransomware is not designed to completely wipe out files and data at first. Although some ransomware attackers may do this later if the ransom is not paid, wiping files and data right away does not motivate victims to pay, because there is no hope of getting their files back. The motivation for most ransomware attackers is money, not lasting damage to the victim's systems.

And while the attackers behind the 2016 Petya attacks seemed to be typical ransomware cyber criminals, in 2018 several nations announced that the Russian government was directly behind the NotPetya attacks. This suggests that the NotPetya attacks may have had political motivations.

How to prevent Petya and NotPetya infections

These three steps can help make a Petya or NotPetya attack far less likely:

  • Strengthening email security practices: Most Petya attacks, and some NotPetya attacks, started with an infected email attachment. To prevent this, organizations can scan emails for malware, block email attachments from external sources, and train users to avoid opening untrusted attachments.
  • Regularly patching vulnerabilities: The EternalBlue exploit used by NotPetya had an available patch months before the attacks took place. Ransomware attacks in general often exploit software vulnerabilities to either enter a network or move laterally within it. Updating software and patching vulnerabilities can help eliminate these attack vectors.
  • Backing up files and data: Keeping backup copies of important files does not prevent ransomware infections, but it does help an organization recover more quickly from one. In the case of an attack that wipes out files like NotPetya, this may in fact be the only way to get the files back.
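The disguised-attachment lure described under "How does Petya ransomware spread?" and the email-scanning step above, as an added triage example that is not from the original article: it compares an attachment's magic bytes with its claimed extension (an executable renamed to .pdf, or a double extension such as .pdf.exe) and lists external links embedded in genuine PDFs so a reviewer can see where they point. The function name, the verdict labels and the sample attachments are constructed for illustration.

```python
"""Mail-gateway triage for the 'fake job application' lure: flags executables
disguised as PDFs and surfaces links embedded in real PDFs (constructed example)."""
import re

# Extensions Windows will execute if the user double-clicks, whatever the icon.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

PDF_MAGIC = b"%PDF-"   # a real PDF starts with this header
PE_MAGIC = b"MZ"       # a Windows executable starts with this header

# PDF link actions look like "/S /URI /URI (https://...)"; capture the target.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict: action is allow, quarantine or block."""
    exts = filename.lower().split(".")[1:]
    claimed = exts[-1] if exts else ""
    verdict = {"name": filename, "action": "allow", "reasons": [], "links": []}

    if any(e in EXEC_EXTS for e in exts):          # catches resume.pdf.exe
        verdict["action"] = "block"
        verdict["reasons"].append("executable extension in filename")
    if data.startswith(PE_MAGIC):                   # content decides, not the name
        verdict["action"] = "block"
        verdict["reasons"].append("content is a Windows executable (MZ header)")
        if claimed == "pdf":
            verdict["reasons"].append("executable disguised as PDF")
    elif claimed == "pdf":
        if not data.startswith(PDF_MAGIC):
            verdict["action"] = "quarantine"
            verdict["reasons"].append("claims .pdf but lacks %PDF- header")
        else:
            links = [u.decode("latin-1", "replace") for u in URI_RE.findall(data)]
            verdict["links"] = links
            if links:                                # hold for review, e.g. a file-sharing link
                verdict["action"] = "quarantine"
                verdict["reasons"].append(f"{len(links)} external link(s) in PDF")
    return verdict


# Constructed sample attachments, not real malware.
SAMPLES = [
    ("application.pdf", b"MZ\x90\x00" + b"\x00" * 60),
    ("resume.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("cv.pdf", b"%PDF-1.4\n1 0 obj << /S /URI /URI (https://www.dropbox.com/s/EXAMPLE/cv.zip) >> endobj\n"),
    ("cover_letter.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(classify_attachment(name, blob))
```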

To learn more, see How to prevent ransomware.

Organizations can also adopt Cloudflare One. Cloudflare One is a platform that helps users securely connect to the resources they need. Using a Zero Trust security approach, Cloudflare One helps prevent and contain ransomware infections.