NotPetya

Malware updated 20 days ago (2024-09-27T23:00:56.144Z)
NotPetya is malicious software (malware) that caused extensive damage worldwide in 2017. It was initially perceived as ransomware, similar to other notorious variants such as WannaCry, Petya, TeslaCrypt, DarkSide, and REvil. Unlike typical ransomware, however, NotPetya was primarily destructive rather than extortive: it was designed to disrupt systems rather than to demand ransom for locked data.

The malware was attributed to the Russian hacking group APT28 (also known as Sandworm), which has been linked to various high-profile cyber attacks, including the US election interference in 2016 and the Olympic Destroyer effort. NotPetya's total global damages are commonly estimated at around $10 billion. The attack was particularly devastating for Ukraine, leading many to view it as an act of cyberwar by Russia against the country, although it was never officially classified as one.

NotPetya also had significant impacts on major corporations. Shipping giant Maersk experienced severe disruptions from the attack, and pharmaceutical company Merck had to settle a $1.4 billion insurance claim arising from the incident. Another notable case involved Mondelez's lawsuit against Zurich over losses from the NotPetya attack, potentially reshaping the cyber insurance market.

Recent research from Recorded Future's Insikt Group has highlighted the potential threat of a "mobile NotPetya" event, drawing parallels with the original 2017 NotPetya attack. This threat is modeled using epidemiological methods, which treat malware spread as analogous to disease transmission. The 2017 NotPetya and WannaCry campaigns did not cause major losses for some countries, such as Estonia, but a mobile version of NotPetya could present new challenges in the cybersecurity landscape.
Description last updated: 2024-09-27T22:15:50.721Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.

Alias description | Votes
Bad Rabbit is a possible alias for NotPetya. Bad Rabbit is a notorious malware that emerged in October 2017, primarily targeting corporate networks. It operates as ransomware, encrypting the victim's files and disk while offering a means of decryption for a ransom. The malicious software uses fake Adobe Flash installer advertisements to lure v… | 2
Telebots is a possible alias for NotPetya. TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize… | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Wiper
Merck
Ukraine
Insurance
Russia
Vulnerability
Exploit
Ukrainian
Worm
Russia’s
Eset
russian
Backdoor
Encryption
Ransom
Payload
Associated Malware
Alias description | Association type | Votes
The WannaCry Malware is associated with NotPetya. WannaCry, a potent malware, emerged as one of the most destructive cyberattacks in recent history when it struck in May 2017. Leveraging Windows SMBv1 Remote Code Execution vulnerabilities (CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143), WannaCry rapidly spread across systems worldwide, encrypting… | Unspecified | 8
The Industroyer Malware is associated with NotPetya. Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma… | is related to | 4
The BlackEnergy Malware is associated with NotPetya. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a… | is related to | 4
The Olympic Destroyer Malware is associated with NotPetya. Olympic Destroyer is a notorious malware that was deployed by Sandworm, a cyber-espionage group, during the 2018 Pyeongchang Winter Olympics. The malware caused significant disruption to the event's IT infrastructure, including broadcasting, ticketing, various Olympics websites, and Wi-Fi at the hos… | Unspecified | 2
The WhisperGate Malware is associated with NotPetya. WhisperGate is a destructive malware that has been employed by threat actors since 2020, with its first known deployment against Ukrainian organizations occurring in January 2022. These actors have used the malware to damage computer systems and render them inoperable, targeting not only Ukraine but… | Unspecified | 2
The petya Malware is associated with NotPetya. Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and Da… | is related to | 2
The Stuxnet Malware is associated with NotPetya. Stuxnet, discovered in 2010, is one of the most notorious malware attacks in history, primarily targeting Windows systems, programming logic controllers (PLCs), and supervisory controls and data acquisition (SCADA) systems. The military-grade cyberweapon was co-developed by the United States and Isr… | Unspecified | 2
Associated Threat Actors
Alias description | Association type | Votes
The Sandworm Threat Actor is associated with NotPetya. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi… | Unspecified | 4
The APT28 Threat Actor is associated with NotPetya. APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate, is a Russia-linked threat actor that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide with a particular focus on th… | Unspecified | 2
The Seashell Blizzard Threat Actor is associated with NotPetya. Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the … | Unspecified | 2
Associated Vulnerabilities
Alias description | Association type | Votes
The Eternalblue Vulnerability is associated with NotPetya. EternalBlue is a software vulnerability that exists due to a flaw in the design or implementation of the Windows Server Message Block (SMB). This vulnerability, officially known as CVE-2017-0144, was made public after the Shadow Brokers group leaked an exploit developed by the U.S. National Security… | Exploited | 3
The Eternalromance Vulnerability is associated with NotPetya. EternalRomance is a software vulnerability, specifically an exploit for the Server Message Block version 1 (SMBv1) protocol, which was leaked by the group known as the "ShadowBrokers." It affects Windows XP, Windows Server 2003, and Windows Vista systems. This flaw allows attackers to execute arbitr… | Unspecified | 2
Source Document References
Information about the NotPetya Malware was read from the documents corpus below. This display is limited to 20 results.

Source | Created
DARKReading | 20 days ago
DARKReading | 2 months ago
CERT-EU | 9 months ago
CERT-EU | 8 months ago
CERT-EU | 7 months ago
Recorded Future | 3 months ago
RIA - Information System Authority | 4 months ago
RIA - Information System Authority | 4 months ago
DARKReading | 5 months ago
InfoSecurity-magazine | 5 months ago
InfoSecurity-magazine | 6 months ago
Securityaffairs | 6 months ago
DARKReading | 6 months ago
BankInfoSecurity | 6 months ago
DARKReading | 6 months ago
Recorded Future | 6 months ago
DARKReading | 6 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago
CERT-EU | 7 months ago