Petya is a strain of ransomware that first appeared in 2016. NotPetya is a strain of malware that had many similarities to Petya but behaved differently.
After reading this article you will be able to:
Copy article link
Petya is a strain of ransomware that was first identified in 2016. Like other types of ransomware, Petya encrypts files and data on the victim's computer. The operators of Petya demand payment in Bitcoin before they will decrypt the files and make them usable again.
Unlike some older ransomware strains, which only encrypt certain important files in order to extort the victim, Petya locks up a computer's entire hard disk. Specifically, it encrypts a computer's Master File Table (MFT), making it impossible to access any files on the hard disk.
Petya has only been observed targeting computers with Windows operating systems.
Similar to many other ransomware attacks, Petya spreads mostly through email attachments. Attackers send emails to HR departments with fake job applications attached. The attached PDFs either contain an infected Dropbox link or are actually executable files in disguise — depending on the attack method used.
In June 2017, a new type of ransomware that resembled Petya in many respects infected organizations around the world. Because of its similarities to Petya, with a few crucial differences, security vendor Kaspersky dubbed it "NotPetya." NotPetya had impacted at least 2,000 organizations by June 28, 2017. The vast majority of victimized organizations were in Ukraine.
Like Petya, the NotPetya ransomware impacted the victim's whole hard disk. However, NotPetya encrypted the entire hard disk itself instead of the MFT. It spread suddenly and rapidly, and it quickly infected entire networks using various vulnerability exploits and credential theft methods.
Notably, NotPetya was observed using the same EternalBlue vulnerability (CVE-2017-0144) that the worldwide WannaCry attack had used earlier in 2017. This enabled it to spread rapidly across networks without any intervention from users — unlike Petya, which needed users to open a malicious email attachment for the infection to begin. Microsoft issued a patch for the EternalBlue vulnerability in March 2017, but many organizations had not installed the patch.
They are the same thing. Various members of the security industry had different names for this strain of malware. Names for NotPetya included Petya 2.0, ExPetr, and GoldenEye.
Unlike most ransomware, which temporarily damages or restricts access to files in exchange for a ransom, NotPetya seemed to be purely destructive. There was no way to reverse the damage it caused; essentially, it wiped files out completely with no hope of recovery.
Although it still displayed a ransom message, this tactic may only have been used to disguise the attackers' intentions. And even if NotPetya victims had wanted to pay the ransom, the message displayed a fake, randomly generated Bitcoin address. There was no way for the attackers to collect the ransom, further suggesting that the goal of NotPetya was destruction, not financial gain.
Real ransomware is not designed to completely wipe out files and data at first. Although some ransomware attackers may do this later if the ransom is not paid, wiping files and data right away does not motivate victims to pay, because there is no hope of getting their files back. The motivation for most ransomware attackers is money, not lasting damage to the victim's systems.
And while the attackers behind the 2016 Petya attacks seemed to be typical ransomware cyber criminals, in 2018 several nations announced that the Russian government was directly behind the NotPetya attacks. This suggests that the NotPetya attacks may have had political motivations.
These three steps can help make a Petya or NotPetya attack far less likely:
To learn more, see How to prevent ransomware.
Organizations can also adopt Cloudflare One. Cloudflare One is a platform that helps users securely connect to the resources they need. Using a Zero Trust security approach, Cloudflare One helps prevent and contain ransomware infections.
About Web Application Security
Learning Center Navigation