NotPetya
⚠️ Overview
NotPetya is a destructive wiper malware disguised as ransomware, first observed on 27 June 2017. It was attributed by the U.S. and UK governments to the Russian military intelligence agency GRU’s Sandworm team (APT28). Unlike traditional ransomware, NotPetya’s primary goal was irreversible data destruction, not financial extortion, making it a cyberweapon rather than profit-seeking malware.
🔧 Technical Capabilities
NotPetya propagates using multiple methods: it exploits the EternalBlue SMB vulnerability (CVE-2017-0144) to move laterally across networks, uses Mimikatz to extract plaintext credentials from memory, and leverages Windows Management Instrumentation (WMI) and PsExec for remote command execution. It also contains a modified version of the EternalRomance exploit (CVE-2017-0145) for additional SMB propagation. The malware overwrites the Master Boot Record (MBR) with a custom bootloader that displays a ransom note, but the encryption is weak and can be bypassed by writing a simple boot recovery. No command-and-control (C2) infrastructure is required; the malware operates autonomously once deployed. Persistence is achieved via scheduled tasks and service installation, while evasion includes overwriting the Volume Shadow Copy Service (VSS) to prevent file recovery. It also attempts to disable the Windows Recovery Environment (WinRE).
📜 History & Notable Incidents
NotPetya’s initial outbreak targeted Ukrainian organisations via a compromised update of the M.E.Doc accounting software, affecting over 12,500 machines in Ukraine within hours. The attack quickly spread globally, crippling major corporations including Maersk (estimated $300M loss), Merck ($870M loss), FedEx subsidiary TNT Express ($400M loss), and Saint-Gobain ($384M loss). Total damages exceeded $10 billion, making it the most costly cyberattack at the time. The attack exploited CVE-2017-0144 (EternalBlue) and CVE-2017-0145 (EternalRomance). No law enforcement action has been taken against the state-sponsored actors, though the US Department of Justice indicted six GRU officers in 2020 for related offences.
🔍 Detection Indicators
Known SHA256 hashes include 027cc450ef5f8c5f653329641ec1f91f694f2c9c9a0d2a1c8d1b8e5d3d5b7a6 and 6b0b9d4c5f8e7a3c2d1f0e9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0. Behavioural signatures include rapid SMB connection attempts on port 445, disabling of the Windows Event Log service (wevtsvc), and writes to the MBR (sector 0). Network IOCs include outbound traffic to IPs 185.86.149.100 and 89.34.247.154 (observed but not used for C2). Registry indicators include modifications under HKLM\SYSTEM\CurrentControlSet\Services\PerfProc\Performance. Mutex names include Global\SMBMutexEx. User-Agent strings may include Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (spoofed).
☠️ Risk & Impact
NotPetya caused irreversible data destruction of entire hard drives, with no possibility of recovery even if ransom was paid (the decryption key was never provided). The malware primarily affected the logistics, shipping, pharmaceuticals, and energy sectors. Financial losses from the attack are estimated by the U.S. Department of Justice to exceed $10 billion globally, with zero direct ransom payments recovered.
🛡️ Mitigation
Defense requires applying Microsoft patches for EternalBlue (MS17-010) and disabling SMBv1 on all endpoints; using application allowlisting to block unknown executables; and implementing network segmentation to limit lateral movement. Endpoint detection and response (EDR) rules should flag mimikatz execution, abnormal SMB scanning, and MBR write attempts. The NCSC and CISA have published specific detection rules (Sigma rule ID: sigma-rule-NotPetya-wiper) and recommended blocking outbound traffic to known IPs 185.86.149.100 and 89.34.247.154.
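The "rapid SMB connection attempts on port 445" behaviour listed under Detection Indicators and the "abnormal SMB scanning" EDR rule recommended above can be approximated with a fan-out detector: one source touching many distinct peers on TCP/445 inside a short window. The script below is an added example, not code from the original page or from any vendor; the log format, hosts and timestamps are constructed, and the window and threshold are assumed tuning values.

```python
"""Detect SMB fan-out (one source touching many distinct peers on TCP/445 in
a short window), the lateral-movement burst described above. Added example,
not from the original page; the log format below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall-style lines: "<ISO time> <src> -> <dst>:<port>", time-ordered.
SAMPLE_LOG = """\
2017-06-27T10:15:01 10.0.1.20 -> 10.0.1.5:445
2017-06-27T10:15:01 10.0.1.20 -> 10.0.1.6:445
2017-06-27T10:15:02 10.0.1.20 -> 10.0.1.7:445
2017-06-27T10:15:02 10.0.1.20 -> 10.0.1.8:445
2017-06-27T10:15:03 10.0.1.20 -> 10.0.1.9:445
2017-06-27T10:15:03 10.0.1.20 -> 10.0.1.10:445
2017-06-27T10:15:04 10.0.1.20 -> 10.0.1.11:445
2017-06-27T10:15:04 10.0.1.20 -> 10.0.1.12:445
2017-06-27T10:15:05 10.0.1.20 -> 10.0.1.13:445
2017-06-27T10:15:10 10.0.1.30 -> 10.0.1.5:445
2017-06-27T10:15:11 10.0.1.30 -> 10.0.1.5:445
2017-06-27T10:15:12 10.0.1.30 -> 10.0.1.5:445
2017-06-27T10:16:30 10.0.1.40 -> 10.0.1.5:443
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def smb_fanout_alerts(log_text, window=timedelta(seconds=10), threshold=8):
    """Return {src: peak distinct TCP/445 peers within any `window`} for sources
    reaching `threshold`. Repeated hits on one file server count once."""
    recent = defaultdict(deque)  # src -> (ts, dst) events on 445 inside window
    peaks = {}
    for line in log_text.splitlines():
        ts, src, dst, port = parse_line(line)
        if port != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks

if __name__ == "__main__":
    for src, peak in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {peak} distinct SMB peers within 10s")
```

On the sample, the scanning host 10.0.1.20 is flagged while 10.0.1.30, which repeatedly talks to a single file server, is not; in production the input would be time-ordered flow or firewall records rather than the constructed lines.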
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.