What is NotPetya ransomware and how to protect against it

NotPetya ransomware is one of the most famous virus attack campaigns in history. The system has been used to cause havoc in entire nations, weakening those countries and making them vulnerable to attack.

It is a common mistake to label NotPetya ransomware. The system was never meant to generate income. It does not have a mechanism to restore an attacked system, which makes it a wiper.

The controller of NotPetya was Russian military intelligence, the GRU. The system was used as an advanced attack mechanism and was activated against Ukraine in 2017.

What is ransomware?

Ransomware is a category of computer viruses. The purpose of this system is to disable a computer reversibly. Then, the victim is offered a solution to restore the computer to its original state for payment. This is how the creators of ransomware make an income.

An essential function of ransomware is that the hacker needs to keep anonymous. The creation of Bitcoin made it possible for hackers to extort payments without being traced. Although there are now many cryptocurrencies available, Bitcoin is still the most well-known, and it is the currency most frequently used by ransomware hackers.

There are several actions that ransomware can implement. This can be locking the screen or encrypting files so that they cannot be accessed. As ransomware aims to extract money from the victim, a complete shutdown of the computer is not a good idea, so screen-locking systems are not that common. Encryption ransomware can be tailored so that the computer still functions. This is important because it is easier to get a payment from people who are still on the computer that has been infected. If the user is forced to switch to a different device, maintaining contact is not so easy.

Delivery systems for ransomware can be used for other purposes to improve the profitability of the attack. It takes a lot of work to get a working ransomware package up and running. These systems require a series of modules, which all cost money to either develop or buy. The success rate of ransomware attacks is low due to cybersecurity systems and public awareness of typical malware ingress methods. Therefore, it can take a lot of work just to get to the point of infecting one computer. Being able to load on other malware while the delivery system is active helps with cost recovery.

The creation of NotPetya

The name NotPetya was not given to this attack system by its creators. Instead, it is a name that was allocated to the virus by cybersecurity analysts. NotPetya first appeared in June 2017. Analysts thought that they recognized the program as a variant on a ransomware system called Petya.

The original Petya was launched in March 2016 and was refined three times in its short life. First, the hacker group that created and managed Petya offered it for use by others for a fee in a Ransomware-as-a-Service toolkit. That hacker group was called Janus Cybercrime Solutions, which was based in Russia. Second, the group closed down Petya, which was then known as Goldeneye, at the end of 2016.

Around early 2017, the GRU, Russia’s military intelligence agency, was looking for tools to use in its “hybrid warfare” plans. This military strategy uses cyberattacks to weaken an opponent, making them easier to defeat before rolling in any military equipment. A little investment in cyberattacks costs a lot less than tanks, guns, and personnel training.

The GRU commissioned the state-linked hacker group, Sandworm. With a short production time available, Sandworm decided to steal the code from someone else rather than develop its system. It picked the Goldeneye system, which was also known as Petya. The Petya ransomware package includes two attacks. One of these systems, the original Petya, encrypts the file system’s management structures rather than the actual files. This method was innovative when Petya was first created.

When the Sandworm attack system was first released, antimalware analysts and state security agencies immediately recognized the Petya code of the downloaded virus. However, as Petya had already gone through four versions, analysts first thought that this was a newly developed edition of Petya from Janus Cybercrime Solutions.

Analysts gave this virus a name to distinguish it from known Petya versions. It was called EternalPetya by some analysts and ExPetya by others. Kaspersky Labs came up with the name NotPetya when its research uncovered that this system was not produced by Janus Cybercrime Solutions and was a different virus.

Similarities with Petya

To an analyst, NotPetya is a derivative of Petya. The Petya ransomware gets into a system through an infected PDF or XLS file that contains the installer code. This file is delivered as an attachment to a phishing email.

Petya first encrypts all files on the infected device that have an extension that is on a hitlist. This is a flexible module because the list of file types to be attacked can be altered easily. Once the listed file types on the device have been encrypted, a low-level attack is launched. This is the core Petya process, and it overwrites the Master Boot Record (MBR) and then encrypts the Master File Table (MFT). It is the encryption of the MFT that renders all files inaccessible. Petya waits one hour after the initial infection before triggering the low-level attacks.

The Individual file encryption performed by the Mischa process of Petya uses RSA and AES ciphers, and the MFT encrypted is performed with the Salsa20 cipher.

All of the above activities are built into NotPetya, taken directly from the Petya code.

Distinctive features of NotPetya

The most striking feature of the NotPetya ransomware is that it isn’t ransomware. The developers had no intention of ever delivering a decryption key. Petya generates a new encryption key for each attack within the processes of the downloaded ransomware program. It simultaneously generates a unique ID for each infection. When the victim wants to pay, this ID must be typed into the payment website and enables the decryption key for that attack to be extracted from a database. Sandworm removed this routine from the code; this means that there is no way for the NotPetya system to deliver a decryption key.

One difference from Petya is the wrapper or delivery system used for NotPetya. This is the EternalBlue system, which exploits a loophole in the Windows operating system that involves the Server Message Block (SMB). This communication method over local networks and NotPetya use this system to spread to other computers. This is the reason that some analysts called NotPetya EternalPetya.

The NotPetya launch

As it permanently renders the boot sector and file management system of a computer inoperative, NotPetya is a “wiper” and not ransomware. Once the NotPetya attack campaign began in June 2017, Janus Cybercrime Solutions offered to help find a remediation strategy for the virus, making it clear that they were not responsible. Unfortunately, the group published the master key for Petya, which no one could do work to reverse the NotPetya encryption.

NotPetya spread very quickly during the last week of June 2017 throughout Ukraine. Targets for the virus included government offices, public institutions, public utilities, supermarkets, businesses, and banks. It even infected computers monitoring the radiation statuses at the Chernobyl destroyed nuclear reactor site.

The majority of all NotPetya attacks, about 80 percent, hit computers in Ukraine. However, businesses outside of Ukraine were also hit, probably to cover up the virus’s true purpose. Those businesses include Rosneft in Russia and Danish shipping company Maersk. In addition, attacks occurred in the USA, the UK, Germany, France, and Poland. However, nowhere was the attack campaign as intense as it was in Ukraine.

The NotPetya system puts up demand for payment in Bitcoin to the value of roughly $300. However, it never delivers a decryption key. Furthermore, the email address given for contact to recover was defunct. Therefore, NotPetya is masquerading as ransomware.

The best defense against NotPetya

The SMB exploit has been shut down by Microsoft. The company issued a patch to protected existing copies of Windows, and all shipments of Windows since the discovery of EternalBlue are protected against it. So, if you bought a computer with the Windows operating system in 2017, you don’t have to worry about the lateral movement of NotPetya.

NotPetya ransomware is no longer circulating, and any antivirus that you can buy these days will spot it and block it as soon as it tries to download onto your computer. Although NotPetya is no longer a threat, its commissioners and creators are still in operation and still developing destructive cyberwarfare tools to destabilize the world. Some hacker groups are supported by hostile governments and are constantly evolving ransomware and other malware.

It is essential to educate users about phishing emails and explain to them not to download attachments or follow links on emails. It is also necessary to run a patch manager, a vulnerability manager, and a configuration manager to keep your system up to date and hardened against hacker activity.

It should go without saying that you need to institute secure data backup procedures and install antivirus systems on your endpoints.

The best tools for defense against NotPetya ransomware

The desktops and mobile devices connected to your network are the main entry points for ransomware. Therefore, you need to ensure that each device has an operational antivirus system installed on it. That AV needs to cope with any security event that might occur, not just those viruses and ransomware systems that are already known. Here are two excellent system security packages that you should consider.

1. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is a coordinated package of next-generation antivirus services and threat detection. The system is controlled by a cloud-based threat detection system partnered with CrowdStrike Falcon Prevent installed on all the endpoints of a network.

Key Features:

  • Multi-level threat hunting
  • Isolates infected devices
  • Local threat detection
  • Central coordinator
  • SIEM tool

Why do we recommend it?

CrowdStrike Falcon Insight is a multi-level cybersecurity solution that combines on-device anti-virus with a cloud-based coordinator. The local unit is able to operate independently, even when the device is isolated from the network. It uses anomaly detection, so it doesn’t need a signature database. The cloud component gets a global intelligence feed to heighten the awareness of attack strategies.

Falcon Prevent ensures that protection continues even if the devices are disconnected from the network. The central Insight module gathers threat intelligence and searches through status reports uploaded by the Falcon Prevent instances.

The Falcon system can spot malware, like the NotPetya ransomware, even if that virus has never been encountered anywhere before. This is because the AV searches for strange behavior rather than specific files. The central console allows the systems administrator to set up automated responses to threats, such as isolating the device from the network and shutting down a user account.

Who is it recommended for?

The central unit adds an extra layer of threat hunting and it also warns all devices on a network when one is attacked. The local unit can also disconnect the device from the network to prevent lateral movement. This solution is a little too expensive for small businesses but it is ideal for mid-sized and large enterprises.


  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert anomalous behavior over time, improves the longer it monitors the network
  • Lightweight agents take up little system resources


  • Would benefit from a longer trial period

By getting information feeds on activity from all endpoints, the Falcon system can protect the network and identify insider threats and intrusion, and viruses. In addition, you can get a 15-day free trial of Falcon Prevent.

2. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is designed to protect sensitive data and all business data files. This means it is a perfect option for protecting against ransomware, which aims to corrupt all of those files. The data privacy measures in this package are suitable for companies following the PCI DSS, HIPAA, and GDPR standards. The system also includes a data discovery service and a sensitive data classifier.

Key Features:

  • Protection for Windows
  • File containerization
  • Blocks all programs from running
  • Allows trusted applications

Why do we recommend it?

ManageEngine DataSecurity Plus is a bundle of four modules. These focus on data discovery and file protection for sensitive data. However, the functions in the package are also ideal for ransomware detection. The key element to spot and block ransomware is its file integrity monitor (FIM).

The DataSecurity Plus system protects computers running Windows, which are all targets for malware like Petya ransomware. This is an onsite software package that installs on Windows Server.

One of the essential features of the DataSecurity Plus Package is a file integrity monitor (FIM). This catches unauthorized changes to files, raising alerts. In addition, the system can be set up to implement automated responses in an alteration to any file.

Who is it recommended for?

Businesses that manage personally identifiable information (PII) are the most likely to buy this package. The system offers good value for money because it provides multiple services in addition to sensitive data management and ransomware protection, which include compliance management, USB device controls, and Web access controls.


  • Provides a detailed account of file access, allowing sysadmin to understand the context of the file change
  • The platform can track access trends over time, allowing for better malicious behavior detection
  • Supports built-in compliance reporting for popular standards such as HIPAA, PCI DSS, and FISMA
  • Can integrate with numerous helpdesk solutions, notification platforms, and backup systems


  • Requires a sizable time investment to fully explore all the platforms features and tools

DataSecurity Plus is available for a 30-day free trial.

NotPetya Ransomware FAQs

Was NotPetya a ransomware?

Not Petya was a Russian cyberattack system that launched in June 2017. It got its name from an earlier ransomware system, called Petya, or which it was an adaptation. While Petya was ransomware and NotPetya acted like ransomware, that second malware was, in fact, a wiper because it had no mechanism to reverse its encryption. The purpose of NotPetya was to damage the systems it attacked and not to raise money. It was an attack weapon disguised as ransomware.

Why was NotPetya not ransomware?

NotPetya follows all of the processes of the Petya ransomware by encrypting files and low-level Windows components. While Petya maintained a database of encryption keys that enabled paying victims to reverse the ransomware’s work, Not Petya didn’t bother with that mechanism and didn’t even give victims a valid email to contact to negotiate. Thus, NotPeyta was not ransomware, but a state-run hybrid warfare tool that masqueraded as ransomware. NotPetya was commissioned by Russia’s GRU to attack Ukraine.

What did NotPetya do?

NotPetya implemented encryption on two levels in a strategy that was taken directly from the Petya ransomware. These were:

  1. Encryption of all files on an infected computer with file extensions that were on a given list.
  2. Overwriting the Master Boot Record (MBR) and then encrypting the Master File Table (MFT).

Not Petya was not reversible and its purpose was to damage target computers, not to make money from ransom payments.