S0368 NotPetya
NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[2][4][1][3]
Item | Value |
---|---|
ID | S0368 |
Associated Names | ExPetr, Diskcoder.C, GoldenEye, Petrwrap, Nyetya |
Type | MALWARE |
Version | 2.0 |
Created | 26 March 2019 |
Last Modified | 08 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
ExPetr | [1] |
Diskcoder.C | [1] |
GoldenEye | [2] |
Petrwrap | [2][1] |
Nyetya | [2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1486 | Data Encrypted for Impact | NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[2][4][3] |
enterprise | T1210 | Exploitation of Remote Services | NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.[2][4][3] |
enterprise | T1083 | File and Directory Discovery | NotPetya searches for files ending with dozens of different file extensions prior to encryption.[3] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.001 | Clear Windows Event Logs | NotPetya uses wevtutil to clear the Windows event logs.[2][3] |
enterprise | T1036 | Masquerading | NotPetya drops PsExec with the filename dllhost.dat.[2] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[2][4][6] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.002 | SMB/Windows Admin Shares | NotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems.[2][4][5] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | NotPetya creates a task to reboot the system one hour after infection.[2] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | NotPetya determines if specific antivirus programs are running on an infected host machine.[3] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.[2] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | NotPetya can use PsExec to help propagate itself across a network.[2][4] |
enterprise | T1529 | System Shutdown/Reboot | NotPetya will reboot the system one hour after infection.[2][3] |
enterprise | T1078 | Valid Accounts | - |
enterprise | T1078.003 | Local Accounts | NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems.[2][4] |
enterprise | T1047 | Windows Management Instrumentation | NotPetya can use wmic to help propagate itself across a network.[2][4] |
ics | T0866 | Exploitation of Remote Services | NotPetya initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.[8] |
ics | T0867 | Lateral Tool Transfer | NotPetya can move laterally through industrial networks by means of the SMB service.[8] |
ics | T0828 | Loss of Productivity and Revenue | NotPetya disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines.[7] |
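An added detection example, not part of the ATT&CK page and not a published ATT&CK analytic: a small Python rule set run over constructed process-creation events that flags the host behaviours the techniques table attributes to NotPetya (wevtutil clearing event logs, a scheduled task that reboots the host, PsExec masquerading as dllhost.dat, and rundll32 spawned through PsExec or WMI). All file paths, task names and command lines below are constructed for illustration, and the helper names `_f`, `_base` and `detect` are hypothetical.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, str]  # simplified process-creation record: image, parent_image, command_line

def _f(ev: Event, key: str) -> str:
    """Lower-cased field value, empty string if the field is absent."""
    return ev.get(key, "").lower()

def _base(path: str) -> str:
    return path.split("\\")[-1]

# (technique id from this page, description, predicate). Hypothetical rules written for this
# example, not ATT&CK-published analytics; each maps to a behaviour the techniques table lists.
RULES: List[Tuple[str, str, Callable[[Event], object]]] = [
    ("T1070.001", "wevtutil clearing an event log",
     lambda ev: _base(_f(ev, "image")) == "wevtutil.exe"
     and re.search(r"\b(cl|clear-log)\b", _f(ev, "command_line"))),
    ("T1053.005", "scheduled task that reboots the host",
     lambda ev: _base(_f(ev, "image")) == "schtasks.exe" and "/create" in _f(ev, "command_line")
     and re.search(r"shutdown(\.exe)?\s.*/r", _f(ev, "command_line"))),
    ("T1036", "PsExec masquerading as dllhost.dat",
     lambda ev: _base(_f(ev, "image")) == "dllhost.dat"),
    ("T1218.011", "rundll32 launched by the PsExec service or the WMI provider host",
     lambda ev: _base(_f(ev, "image")) == "rundll32.exe"
     and _base(_f(ev, "parent_image")) in ("psexesvc.exe", "wmiprvse.exe")),
]

def detect(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """Return (technique_id, description, command_line) for every event that matches a rule."""
    hits = []
    for ev in events:
        for tid, desc, pred in RULES:
            if pred(ev):
                hits.append((tid, desc, ev.get("command_line", "")))
    return hits

# Constructed sample events (not NotPetya's actual command lines or file paths); two are benign.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe cl System"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe qe Application /c:5"},  # benign query
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks.exe /Create /SC once /TN upd /TR "shutdown.exe /r /f" /ST 14:35'},
    {"image": r"C:\Windows\dllhost.dat", "command_line": r"C:\Windows\dllhost.dat"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\PSEXESVC.exe",
     "command_line": r"rundll32.exe C:\Windows\dropped.dll,#1"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign
]
```

Calling `detect(SAMPLE_EVENTS)` returns four hits, one per suspicious event, and leaves the benign wevtutil query and the explorer-spawned rundll32 unflagged; in practice the image and parent checks should be fed from an EDR or Sysmon process-creation stream.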
Groups That Use This Software
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | [9][3][10][11][12] |
References
1. Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
2. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
3. Brady, S. W. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
4. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
5. Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.
6. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
7. Voreacos, D., Chiglinsky, K., Griffin, R. (2019, December 3). Merck Cyberattack's $1.3 Billion Question: Was It an Act of War? Retrieved December 6, 2019.
8. Slowik, J. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.
9. NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
10. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.
11. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
12. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.