Petya and NotPetya ransomware

Petya and NotPetya were cyberattacks in 2016 and 2017, respectively. Both involved ransomware, but NotPetya was far more advanced and destructive than Petya.



What are Petya and NotPetya ransomware?

Petya and NotPetya hit computers in 2016 and 2017, respectively, the latter resulting in billions of dollars in damages. Petya's first variant did not encrypt individual files like typical ransomware; instead it overwrote the Master Boot Record (MBR) and encrypted the Master File Table (MFT), the index NTFS uses to locate every file, which rendered entire hard drives inaccessible. A later variant of Petya was more dangerous, because it both attacked the boot process and encrypted documents.

A significantly modified version of Petya, dubbed NotPetya by researchers, was more destructive and prolific than the earlier Petya versions. Unlike Petya, NotPetya may have been a cyberweapon. It primarily hit organizations in Ukraine.

What is Petya?

Petya is encrypting malware that researchers first found in 2016. Its name is inspired by a fictional Soviet satellite from the James Bond film GoldenEye (1995). While Petya's infection rate was average, its encryption technique was innovative and unusual.

What did Petya do?

The ransomware spread through phishing emails carrying a file that posed as a PDF document but was actually an executable, functioning as a Trojan horse. As soon as someone ran Petya and granted it administrator rights (which it needed to write to the raw disk), the ransomware would go to work. It overwrote the Master Boot Record (MBR) with its own bootloader and forced a reboot; like a boot sector virus, its code then ran before Windows, showing a fake CHKDSK screen while it encrypted the Master File Table (MFT). The files on an infected computer were not themselves encrypted, corrupted, or lost, but without the MFT the system could no longer locate them, so they were inaccessible. Petya would demand Bitcoin from victims to restore access.

What is the difference between Petya and NotPetya?

NotPetya was a souped-up version of Petya. Because it reused Petya code but behaved very differently, cybersecurity experts named it "NotPetya," and the name stuck. Although both Petya and NotPetya lock victims out of their systems and demand payment, some critical differences exist.

1. Propagation

Petya didn't spread nearly as rapidly as NotPetya for a few reasons. For one, it had to trick users into opening it, and many modern computer users can recognize social engineering techniques like phishing. The original variant of Petya also required administrator permissions, which many experienced users refused to grant. NotPetya, on the other hand, spread on its own: its initial vector was a trojanized update pushed through the compromised update server of M.E.Doc, a Ukrainian accounting package, and inside a network it used the EternalBlue and EternalRomance SMB exploits plus credentials stolen from memory and replayed over PsExec and WMIC. That last method meant a fully patched machine could still be infected from an already compromised host on the same network. You can read about EternalPetya for more on the Petya ransomware family.

2. Encryption

As mentioned above, the original version of Petya doesn't encrypt individual files; it encrypts the MFT and replaces the boot record, which prevents victims from loading Windows. By contrast, NotPetya encrypted files (with a key that only the attackers' RSA private key could unwrap) in addition to the MFT, and on some systems it simply overwrote the first sectors of the disk, destroying data with no decryption path at all. The two also differed in the screens and messages they displayed to victims. Interestingly, a second variant of Petya, bundled with the ransomware payload Mischa, also encrypts documents: if the victim refuses the administrator prompt, Mischa runs instead and encrypts files from an ordinary user account.

3. Decryption

Many experts concluded that even the NotPetya attackers couldn't decrypt victims' disks. For example, the UK's National Cyber Security Centre said: “The malware was not designed to be decrypted. This meant that there was no means for victims to recover data once it had been encrypted.” The technical reason is that the "installation key" NotPetya displayed for victims to send to the attackers was random data, unrelated to the key used to encrypt the MFT, so the disk could never be unlocked. However, Vice's Motherboard later reported that people claiming to be the NotPetya attackers demonstrated that they could decrypt a file sent to them, which suggests the file-level encryption, unlike the MFT encryption, was reversible by whoever held the private key.

What kind of attack was NotPetya?

NotPetya was most likely a destructive attack disguised as ransomware. Its authors seemed more interested in disrupting systems than collecting payments (the single email address given for payment was shut down by its provider within hours, leaving victims no way to contact them), and it's unlikely that ordinary criminal hackers had the resources or skills to develop Petya into NotPetya so quickly.

Who did NotPetya target?

While NotPetya spread on its own across Europe, Asia and North America, its actual target was most likely Ukraine. NotPetya hit the country's government, transportation, energy, and financial sectors, causing steep monetary and productivity losses. The attack also began on June 27, 2017, the eve of Ukraine's Constitution Day.

Who started NotPetya?

NotPetya has the hallmarks of state-sponsored cyber warfare. Ukraine's politicians blamed Russian security services for NotPetya, and in February 2018 the US, UK and several other governments publicly attributed the attack to the Russian military. The Kremlin denied these claims and pointed out that the ransomware spread to Russia too. However, a Russian government spokesperson said that the attack didn't cause serious damage in Russia.

Is NotPetya ransomware?

Some experts argue that NotPetya isn't ransomware because its authors may not have been able to decrypt computers. But the answer to "Is NotPetya ransomware?" depends on your definition of ransomware. You could say that NotPetya is ransomware regardless of its authors' ability to decrypt computers, because it prevents users from accessing their files or system and demands a ransom payment. By the same reasoning, WannaCry counts as ransomware even though paying it was no guarantee of getting files back: the label describes what the malware does to the victim, not whether the attacker keeps their side of the bargain.

How to stop Petya

You may have read about how threat actors used SMB vulnerabilities to launch ransomware attacks like NotPetya and WannaCry. Installing Microsoft's MS17-010 updates for Server Message Block (SMB) closes the holes that EternalBlue and its siblings exploit, and disabling the legacy SMBv1 protocol altogether removes that attack surface even on a machine that misses a patch. Patching does not stop NotPetya's credential-based lateral movement, so also limit administrator rights and avoid reusing local administrator passwords across machines. Using security software that can protect against ransomware is also important, and keeping regular backups, including an offline copy, means you can recover even from malware that was never meant to be decrypted.
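An audit-and-harden script for the SMB advice above, written as an added example for this page rather than taken from it. The cmdlets it uses are standard Windows PowerShell; the function names and the MS17-010 KB list are this example's own assumptions, and the KB list is partial and must be checked against the Microsoft bulletin for your exact build:

```powershell
# Added example, not code from the original article. Audits a Windows host for the
# SMBv1 attack surface used by NotPetya and WannaCry, then hardens it.
# Assumptions: run as Administrator on Windows 8 / Server 2012 or later (the Smb*
# cmdlets and Get-WindowsOptionalFeature do not exist on older builds); the KB list
# is a partial set of MS17-010 package IDs and must be verified for your OS build.
#Requires -RunAsAdministrator

function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        # Partial MS17-010 KB list (assumption: verify against the bulletin for your build).
        [string[]]$Ms17010Kbs = @(
            'KB4012598',                            # Vista / Server 2008 (also the XP/2003 emergency fix)
            'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
            'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
            'KB4012214', 'KB4012217',               # Server 2012
            'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
        )
    )

    $server  = Get-SmbServerConfiguration
    # On Windows client editions SMBv1 is an optional feature; on Server editions the
    # equivalent is Get-WindowsFeature FS-SMB1, so this lookup may return nothing there.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $hotfix  = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    # Later cumulative updates supersede the March 2017 packages, so a fully patched
    # Windows 10 host may legitimately show none of these KB IDs. Treat an empty
    # Ms17010KbFound as "investigate the patch level", not as a definitive finding.
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        Smb1ServerEnabled    = [bool]$server.EnableSMB1Protocol
        Smb1FeaturePresent   = ($null -ne $feature -and $feature.State -eq 'Enabled')
        Ms17010KbFound       = ($hotfix | Select-Object -ExpandProperty HotFixID) -join ','
        SmbPort445Listening  = $null -ne (Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1Surface {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1Protocol optional feature')) {
        # Removing the feature also disables the SMBv1 client; a reboot completes the removal.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Usage: audit first, then remediate. -WhatIf previews the change; drop it to apply.
$report = Test-Ms17010Exposure
$report | Format-List

if ($report.Smb1ServerEnabled -or $report.Smb1FeaturePresent) {
    Write-Warning "SMBv1 is still reachable on $($report.Computer); disabling it."
    Disable-Smb1Surface -WhatIf
}
if (-not $report.Ms17010KbFound) {
    Write-Warning "No MS17-010 KB found; confirm the host runs a cumulative update newer than March 2017."
}
```

The audit and the remediation are split into two functions on purpose: the report can be collected from every host (for example through Invoke-Command) and reviewed before anything is changed, and SupportsShouldProcess lets the remediation be dry-run with -WhatIf. Disabling SMBv1 is the change that actually matters for a host you cannot patch, since EternalBlue and EternalRomance only work against SMBv1, but it does nothing against NotPetya's PsExec/WMIC spread with stolen credentials.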