NotPetya
NotPetya, also referred to as Nyetya, ExPetr, PetrWrap, Petna, and DiskCoder.C, was a 2017 destructive malware outbreak masquerading as ransomware. It reused elements of the earlier Petya bootloader code but differed in its dropper, worming, and user-mode components. The malware overwrote the MBR, encrypted the NTFS Master File Table during reboot, and also encrypted the first 1 MB of targeted files in user mode, rendering systems unusable. Multiple sources state that victims could not recover their disks even after paying, making it effectively a wiper disguised as ransomware.
The campaign primarily targeted businesses in Ukraine, Russia, and Western Europe, with Ukraine identified as the main initial target set. A major initial infection vector was compromise of the MeDoc accounting software update mechanism; one source also mentions a possible watering-hole vector via the City of Bahmut website. After initial execution, NotPetya spread laterally inside networks using credentials stolen from lsass.exe with Mimikatz-like tooling, then propagated with PsExec and WMIC/WMI. It also used modified EternalBlue and EternalRomance exploits over TCP 445, so it could reach systems on the same network, including some already patched against EternalBlue whenever credential-based propagation succeeded. The malware enumerated network adapters, NetBIOS names, and DHCP leases, and scanned local networks for ports 445 and 139.
Operationally, the malware waited roughly 10 to 60 minutes before rebooting hosts using at, schtasks, and shutdown.exe. After reboot it displayed a fake CHKDSK-style screen while the MFT encryption completed, then presented a ransom demand for $300 in Bitcoin and instructed victims to contact wowsmith123456@posteo.net; the Posteo mailbox was reportedly shut down, preventing any recovery coordination. Kaspersky telemetry cited more than 2,000 attacks during the outbreak. The malware was observed using perfc.dat, and Kaspersky published detections including Trojan-Ransom.Win32.ExPetr.a and HEUR:Trojan-Ransom.Win32.ExPetr.gen.
Sources consistently associate NotPetya with Russian state activity: Western governments and intelligence agencies attribute it to Russian state-sponsored actors, specifically APT44 (also tracked as Sandworm and FROZENBARENTS), tied to Russian military intelligence. The malware incorporated EternalBlue from the Shadow Brokers leak and spread far beyond its intended Ukrainian targets, causing major global disruption. High-profile impacts mentioned include Maersk, where legacy Windows systems were affected across more than 20,000 devices. Sources put the outbreak's global economic losses at approximately $10 billion.
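The reboot-scheduling and lateral-movement behaviour described in the summary above lends itself to host-based detection. The following Python is an added example, not code from the original page or from any vendor; it runs three simple rules over constructed, Sysmon-style process-creation events (every hostname, timestamp, path and command line is made up for the example): a command line referencing perfc.dat, a WMIC remote process creation, and a schtasks or at task that invokes shutdown.exe 10 to 60 minutes in the future, the delay window the page reports. It then reports hosts where more than one rule fires, which is the convergence a responder would triage first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical process-creation events in a Sysmon Event ID 1 style. All values
# (hosts, times, paths, command lines) are constructed for this example.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T11:02:10", "host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:43'},
    {"ts": "2017-06-27T11:02:11", "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\perfc.dat"},
    {"ts": "2017-06-27T11:02:15", "host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r'wmic /node:"10.0.0.7" /user:"CORP\svc" process call create "rundll32.exe C:\Windows\perfc.dat"'},
    # Benign: a daily backup task, no shutdown involved.
    {"ts": "2017-06-27T09:00:00", "host": "ws02", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /SC daily /TN "Backup" /TR "C:\Tools\backup.exe" /ST 23:00'},
    {"ts": "2017-06-27T11:05:00", "host": "ws03", "image": r"C:\Windows\System32\at.exe",
     "cmd": r"at 11:40 shutdown.exe /r /f"},
    # Benign: maintenance reboot scheduled 12 hours out, outside the 10-60 minute window.
    {"ts": "2017-06-27T11:00:00", "host": "ws04", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /SC once /TN "Maint" /TR "shutdown.exe /r" /ST 23:00'},
]

# Matches the HH:MM handed to "schtasks ... /ST HH:MM" or to "at HH:MM ...".
TIME_RE = re.compile(r"(?:/ST\s+|^at\s+)(\d{1,2}:\d{2})", re.IGNORECASE)


def minutes_until_scheduled(ts, cmd):
    """Minutes from the event time to the scheduled HH:MM, or None if no time is present."""
    m = TIME_RE.search(cmd)
    if not m:
        return None
    event = datetime.fromisoformat(ts)
    hh, mm = (int(x) for x in m.group(1).split(":"))
    scheduled = event.replace(hour=hh, minute=mm, second=0, microsecond=0)
    if scheduled < event:  # an earlier clock time means the next calendar day
        scheduled += timedelta(days=1)
    return (scheduled - event).total_seconds() / 60.0


def classify(event):
    """Return the names of every rule that fires on one event (possibly none)."""
    cmd = event["cmd"]
    low = cmd.lower()
    hits = []
    if "perfc.dat" in low:
        hits.append("perfc_dat_referenced")
    if low.startswith("wmic") and "/node:" in low and "process call create" in low:
        hits.append("wmic_remote_process_create")
    if "shutdown" in low and ("schtasks" in low or low.startswith("at ")):
        delta = minutes_until_scheduled(event["ts"], cmd)
        if delta is not None and 10 <= delta <= 60:
            hits.append("delayed_reboot_10_60min")
    return hits


def scan(events):
    """Run every rule over every event and collect one finding per (event, rule)."""
    findings = []
    for e in events:
        for rule in classify(e):
            findings.append({"host": e["host"], "ts": e["ts"], "rule": rule})
    return findings


def hosts_with_converging_indicators(findings, minimum=2):
    """Hosts on which at least `minimum` distinct rules fired, with the sorted rule names."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= minimum}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:<5} {f['rule']}")
    print("converging:", hosts_with_converging_indicators(found))
```

The time-window check is what keeps the reboot rule useful: a scheduled shutdown by itself is routine on managed fleets, but one created minutes earlier for a point 10 to 60 minutes ahead, on a host that has also loaded an unexpected DLL or issued remote WMIC process creation, is the combination the summary describes.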
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems, move laterally across networks, and spread malware automatically. The leaked EternalBlue exploit later became the foundation for some of the most destructive cyberattacks ever recorded. North Korean hackers used it in the WannaCry ransomware outbreak, while Russian operators incorporated it into the NotPetya malware campaign. Although initially aimed at targets in Ukraine, NotPetya spread globally and is estimated to have caused around $10 billion in economic losses.
Dillon has crafted his modified exploits to take advantage of the following vulnerabilities: CVE-2017-0143 (type confusion between WriteAndX and Transaction requests; EternalRomance, EternalSynergy).
Groups observed using it
6 distinct threat actors attributed by public researchers.
APT44 has been involved in many of the most high-profile disruptive cyberattacks in the world, including the global destructive attack NotPetya, attacks on the Pyeongchang Olympic games, and several blackouts in Ukraine.
The GRU’s malign cyber activities include deployment of the NotPetya and Olympic Destroyer malware; intrusions targeting the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency; cyber attacks on government systems and critical infrastructure in Ukraine and the state of Georgia; and hack-and-leak operations targeting elections in the United States and France.
This group has been behind several cyber-attacks aimed at Ukraine in the past, such as the NotPetya ransomware outbreak, and the BlackEnergy attacks on Ukraine's power grid in 2015 and 2016.
The Trump administration on Thursday publicly blamed Russia for the massive NotPetya cyberattack that ravaged computer systems worldwide last June... “The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas,” the White House said.
The business made use of specific websites for customer project tracking and data sharing. This was variously referred to as GoldenEye, Commando, or MyCommando, and acted as a place where customers could log in to view and download campaign specific data and status updates, communicate securely, and manage other aspects of their projects.
Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (5 techniques)
the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).
The prototype worm does not exploit zero-day vulnerabilities. It only targets publicly disclosed but unpatched bugs, misconfigurations, and recurring weakness classes.
A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data.
Execution (2 techniques)
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
Persistence (4 techniques)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Privilege Escalation (2 techniques)
Stealth (2 techniques)
Credential Access (1 technique)
Discovery (2 techniques)
North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm. Russian hackers later built it into NotPetya, which spiraled beyond its initial Ukrainian targets and caused an estimated $10 billion in damages globally.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement (4 techniques)
The code that the hackers pushed out was honed to spread automatically, rapidly, and indiscriminately.
Examples include 'Aquatic Panda used WMI for lateral movement in victim environments,' 'Deep Panda group is known to utilize WMI for lateral movement,' and 'Cinnamon Tempest has used Impacket for lateral movement via WMI.'
Exfiltration (1 technique)
Impact (6 techniques)
According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions ... Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer ... NotPetya ... and Olympic Destroyer
Impact: Begins encrypting files before the operating system loads, making recovery extremely difficult.
No key even existed to reorder the scrambled noise of their computer’s contents.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
198 sources tracked across advisories, community write-ups, and news.
Described as a fake ransomware ('faux rançongiciel'), NotPetya is malware associated with destructive attacks rather than conventional profit-driven ransomware behavior.
Described as a propagating cyber event that caused major business disruption and large insurance claims across multiple companies.
Referenced as a famous worm event and benchmark for large-scale destructive malware outbreaks.
A destructive worm-like ransomware malware cited as an example of rapid global propagation using known, patched vulnerabilities.