Skip to content

S0368 NotPetya

NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.1234

Item Value
ID S0368
Associated Names ExPetr, Diskcoder.C, GoldenEye, Petrwrap, Nyetya
Version 2.0
Created 26 March 2019
Last Modified 23 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
ExPetr 3
Diskcoder.C 3
GoldenEye 1
Petrwrap 13
Nyetya 1

Techniques Used

Domain ID Name Use
enterprise T1486 Data Encrypted for Impact NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.124
enterprise T1210 Exploitation of Remote Services NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.124
enterprise T1083 File and Directory Discovery NotPetya searches for files ending with dozens of different file extensions prior to encryption.4
enterprise T1070 Indicator Removal on Host -
enterprise T1070.001 Clear Windows Event Logs NotPetya uses wevtutil to clear the Windows event logs.14
enterprise T1036 Masquerading NotPetya drops PsExec with the filename dllhost.dat.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.126
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares NotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems.125
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task NotPetya creates a task to reboot the system one hour after infection.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery NotPetya determines if specific antivirus programs are running on an infected host machine.4
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution NotPetya can use PsExec to help propagate itself across a network.12
enterprise T1529 System Shutdown/Reboot NotPetya will reboot the system one hour after infection.14
enterprise T1078 Valid Accounts -
enterprise T1078.003 Local Accounts NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems.12
enterprise T1047 Windows Management Instrumentation NotPetya can use wmic to help propagate itself across a network.12

Groups That Use This Software

ID Name References
G0034 Sandworm Team 748910


Back to top