5 years after NotPetya: Lessons learned

NotPetya vastly broadened the scope of damage that malware attacks could do and forced CISOs and security researchers to rethink their approach.

On June 27, 2017, the eve of Ukraine's Constitution Day holiday, a major global cyber attack was launched, infecting more than 80 companies in that country using a brand-new cyber pathogen that became known as NotPetya.

NotPetya didn't stay within Ukraine's borders but spilled out to infect and cause havoc for thousands of organisations across Europe and worldwide.

NotPetya was so named because it was similar to but different from Petya, a self-propagating ransomware virus discovered in 2016 that, unlike other nascent forms of ransomware at the time, was incapable of being decrypted. In another departure from the earlier forms of ransomware, Petya also overwrote and encrypted master boot records and was, therefore, considered more a form of wiper malware than bona fide ransomware.

Phony ransomware that propagated easily

Like Petya, its successor NotPetya was not actual ransomware because it could not be decrypted, with the attackers masquerading behind a fake $300 ransom demand to provide cover for what turned out to be its actual destructive purposes. 

NotPetya emerged five weeks after another dangerous piece of fake ransomware, WannaCry. Considered to be a true "cyberweapon," NotPetya shared with WannaCry the use of EternalBlue, a cyber tool developed by and stolen from the U.S. National Security Agency (NSA).

Using EternalBlue, NotPetya exploited a vulnerability in Windows' Server Message Block (SMB) protocol, a flaw that Microsoft had patched months earlier in Windows 10. Nonetheless, all it took for the malware to spread was a single unpatched Windows 10 computer, or a PC running an old version of Windows, within an organisation.

Working in tandem with EternalBlue was another powerful tool, an old security researcher tool called Mimikatz that could pull passwords out of memory. The two tools together allowed the attack to move from machine to machine.

Highly contagious malware from Russia's GRU

Although some experts considered NotPetya a variant of Petya, the two pieces of malware are generally regarded as separate and distinct, particularly considering how they propagate. NotPetya was far more contagious than Petya, seemingly with no way to stop it from quickly spreading from one host to another.

As NotPetya expert and journalist Andy Greenberg documented, NotPetya crippled shipping giant Maersk, pharmaceutical company Merck, FedEx's European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt Benckiser.

Altogether the malware caused more than $10 billion worth of global damage. The source of NotPetya was a group of Russian GRU agents known as Sandworm or Unit 74455, believed to be behind a 2015 cyber attack on the Ukrainian power grid, among other damaging cyber incidents.

CSO asked two experts who grappled with the fallout of NotPetya five years ago how they view the 2017 cyber attack in retrospect and what parallels it might hold for the present-day war by Russia against Ukraine.

Ransomware as a weapon of war

Amit Serper, who was a principal security researcher at Cybereason when NotPetya struck and is now the director of security research at Sternum, was the first person to develop a workaround that disabled NotPetya. 

Serper tells CSO that looking back, "Ransomware was just starting to get prevalent. Ransomware was mostly targeting ordinary people. It wasn't targeting big companies or corporations like it is today. So, we would hear about how some ordinary Joe or Jane got their entire machine encrypted. I remember examples of elderly people losing access to their grandkids’ photos and that kind of stuff."

After WannaCry and NotPetya hit, ransomware turned from something used opportunistically by cybercriminals, like a "drive-by exploitation," Serper says, to "almost a weapon of war where nation-state actors would use ransomware as a tool to keep other big and meaningful organisations and countries from working. So NotPetya and WannaCry were a watershed moment back then."

Both viruses made the world more complicated. Cyber security vendors had until that point focused on abstract theoretical security problems, Serper says, but suddenly had to grapple with the profound misuse of simple technologies such as encryption and decryption for geopolitical leverage.

"We needed to come down to earth a little bit and take care of that problem before we look at completely theoretical or more theoretical and harder to implement threats. It's not about hacking Coca-Cola and stealing the secret recipe anymore. It's about a company like Coca-Cola finding itself in the middle of an international geopolitical skirmish and having their stuff rendered completely useless as this sort of collateral damage."

On a personal level, NotPetya marked a significant turning point in Serper's life. "It affected my life in a very, very direct way. It's the reason I got my green card to live in the U.S."

Serper's attorney built his application for a so-called Einstein visa mostly around NotPetya. 

"I don't have a high school diploma. I don't have an academic degree. So, it was very hard to prove that I knew what I was talking about. A huge portion of our immigration case was my contribution to preventing NotPetya from happening. It worked, and it worked during the previous administration where immigrants weren't really a thing of interest," Serper says.

NotPetya changed the consciousness of CISOs

Adam Flatley is currently the director of threat intelligence at an unnamed company but was the director of operations at Cisco Talos during NotPetya, when his team was one of the first to discover the event. "I believe that the NotPetya event has changed the consciousness of a lot of CISOs and CSOs around the world," he tells CSO.

NotPetya taught CISOs what could happen if they don't correctly segment their networks.

"If you look at what happened with NotPetya, you see that the [malware] had an unconstrained propagation mechanism that would go as far and wide as it could," Flatley says. "When they unleashed in Ukraine, all these companies that had network connections in Ukraine with flat networks were decimated by that attack."
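The two technical points above, that the EternalBlue exploit plus Mimikatz credential theft let the worm hop from machine to machine, and that flat networks with no segmentation turned one infected Ukrainian office into a company-wide loss, can be made concrete with a small propagation model. The following is an added example written for this page, not code from the article, CSO, or the researchers quoted; the hosts, segments and topology are constructed for illustration, and the two "paths" are only an abstract model of the article's description (unpatched host reachable over SMB, or shared admin credential harvested from memory), not an implementation of either tool.

```python
"""Added example (not from the article): a toy propagation model showing why a
single unpatched host in a flat network was enough for NotPetya-style spread,
and how segmentation and unique local-admin credentials bound the blast radius.
All host names, segments and the topology below are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    patched: bool       # SMB fix (MS17-010 class) applied: exploit path closed
    shared_admin: bool  # same local-admin credential as other hosts: credential path open


def smb_allowed(src: Host, dst: Host, inter_segment_smb: bool) -> bool:
    """Can src reach dst on SMB? Always inside a segment; across segments only
    when the firewall policy permits it (the 'flat network' case)."""
    return src.segment == dst.segment or inter_segment_smb


def simulate(hosts, patient_zero: str, inter_segment_smb: bool) -> set:
    """Breadth-first spread. An infected host takes over a reachable host if the
    target is unpatched (exploit path) or both hosts share an admin credential
    that the worm harvested from memory (credential-reuse path).
    Returns the set of infected host names."""
    by_name = {h.name: h for h in hosts}
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        cur = by_name[queue.popleft()]
        for target in hosts:
            if target.name in infected or not smb_allowed(cur, target, inter_segment_smb):
                continue
            exploit_path = not target.patched
            credential_path = cur.shared_admin and target.shared_admin
            if exploit_path or credential_path:
                infected.add(target.name)
                queue.append(target.name)
    return infected


# Constructed estate: three segments, mostly patched, one shared admin credential.
ESTATE = [
    Host("ua-accounting-1", "ua-office", patched=False, shared_admin=True),  # patient zero
    Host("ua-accounting-2", "ua-office", patched=True, shared_admin=True),
    Host("hq-file-1", "hq", patched=True, shared_admin=True),
    Host("hq-legacy-1", "hq", patched=False, shared_admin=False),
    Host("hq-workstation-1", "hq", patched=True, shared_admin=False),
    Host("plant-hmi-1", "plant", patched=True, shared_admin=True),
    Host("plant-historian-1", "plant", patched=False, shared_admin=False),
]


def run_scenarios(hosts=ESTATE, patient_zero="ua-accounting-1") -> dict:
    """Hosts lost under three control postures: flat network, segmented network,
    and segmented network with unique local-admin credentials per host."""
    unique_admin = [replace(h, shared_admin=False) for h in hosts]
    return {
        "flat": len(simulate(hosts, patient_zero, inter_segment_smb=True)),
        "segmented": len(simulate(hosts, patient_zero, inter_segment_smb=False)),
        "segmented_unique_admin": len(simulate(unique_admin, patient_zero, inter_segment_smb=False)),
    }


if __name__ == "__main__":
    for posture, lost in run_scenarios().items():
        print(f"{posture:24s} {lost}/{len(ESTATE)} hosts infected")
```

Run as a script, the flat posture loses six of seven hosts even though only three are unpatched, because the shared admin credential carries the infection onto patched machines; restricting SMB to within each segment confines the loss to the Ukrainian office, and removing the shared credential on top of that leaves only the original unpatched host. The one host that survives every scenario is the patched workstation with its own credential, which is the posture the article's lesson on segmentation and the EternalBlue/Mimikatz pairing points toward.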

The current conflict in Ukraine evokes for Flatley what happened with NotPetya. "When the beginning of the war was starting, there was a lot of talk about how the Russians would be using either ransomware or wipers to attack Ukraine. That immediately triggered that memory of what happened the last time. 

Then as the war began to go forward, there was lots of evidence of wipers being used in Ukraine," he says. "Again, the fear that it was going to spread out of the country. Luckily, so far [the Russians] have been using very conservative settings on their wipers."

However, Flatley says that the prospect of a NotPetya-type event emanating from the current conflict is still very real. "It's interesting that the Russians are being a little more careful this time with their cyber attacks, but that's only constrained by their desire to be careful. The technology is still there for them to easily change the setting and let it loose if they wanted to."