NotPetya

Malware updated 15 hours ago (2024-11-20T18:08:47.216Z)

Download STIX

Preview STIX

NotPetya, a destructive malware posing as ransomware, was unleashed in 2017, causing widespread global damage while primarily targeting Ukraine's infrastructure. The cyberattack, commonly attributed to Russia, was so devastating that it led many to consider it an act of cyberwar, despite no official declaration. NotPetya masqueraded as ransomware, similar to other well-known threats like WannaCry, Petya, TeslaCrypt, DarkSide, and REvil. However, unlike these, NotPetya was not designed for financial gain through data encryption and ransom demands, but rather for data destruction. The scale of the NotPetya attack was unprecedented, with total damages globally estimated at around $10 billion. Among those heavily affected was shipping giant Maersk, whose then-CEO Soren Skou's leadership was instrumental in navigating the crisis. Another significant case involved pharmaceutical company Merck, which resolved a dispute with insurers over a $1.4 billion claim arising from the NotPetya incident in 2024. These instances underscored the catastrophic potential of such attacks and triggered discussions about reshaping the cyber insurance market. The NotPetya attack was linked to APT28, a Russian hacking group also known as Sandworm, notorious for its involvement in high-profile cyber offensives including US election interference in 2016 and the Olympic Destroyer effort. Following the 2017 attack, parallels were drawn between NotPetya and epidemiological models, highlighting similarities between malware and disease dissemination. This comparison, along with the severe impact of the NotPetya attack, underscores the critical need for robust cybersecurity measures.

Description last updated: 2024-11-15T16:07:59.589Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Sandworm is a possible alias for NotPetya. Sandworm, a threat actor believed to be linked to Russia, has been identified as one of the most active groups supporting Russian military activities in Ukraine. Notorious for its sophisticated cyber-attacks, Sandworm has compromised 11 Ukrainian telecommunications providers, significantly disruptin	4
Bad Rabbit is a possible alias for NotPetya. Bad Rabbit is a notorious malware that emerged in October 2017, primarily targeting corporate networks. It operates as ransomware, encrypting the victim's files and disk while offering a means of decryption for a ransom. The malicious software uses fake Adobe Flash installer advertisements to lure v	2
Telebots is a possible alias for NotPetya. TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Malware

Wiper

Merck

Ukraine

Insurance

Russia

Vulnerability

Exploit

Ukrainian

Worm

Russia’s

Eset

russian

Backdoor

Encryption

Ransom

Payload

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The WannaCry Malware is associated with NotPetya. WannaCry is a type of malware, specifically ransomware, that made headlines in 2017 as one of the most devastating cyberattacks in recent history. The WannaCry ransomware exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2	Unspecified	8
The Industroyer Malware is associated with NotPetya. Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma	is related to	4
The BlackEnergy Malware is associated with NotPetya. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a	is related to	4
The Olympic Destroyer Malware is associated with NotPetya. Olympic Destroyer is a notorious malware that was deployed by Sandworm, a cyber-espionage group, during the 2018 Pyeongchang Winter Olympics. The malware caused significant disruption to the event's IT infrastructure, including broadcasting, ticketing, various Olympics websites, and Wi-Fi at the hos	Unspecified	2
The WhisperGate Malware is associated with NotPetya. WhisperGate is a destructive malware that has been employed by threat actors since 2020, with its first known deployment against Ukrainian organizations occurring in January 2022. These actors have used the malware to damage computer systems and render them inoperable, targeting not only Ukraine but	Unspecified	2
The petya Malware is associated with NotPetya. Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and Da	is related to	2
The Stuxnet Malware is associated with NotPetya. Stuxnet, discovered in 2010, is one of the most infamous malware attacks in history. It was a military-grade cyberweapon co-developed by the United States and Israel, specifically targeting Iran's nuclear enrichment facility at Natanz. The Stuxnet worm infiltrated Windows systems, programming logic	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT28 Threat Actor is associated with NotPetya. APT28, also known as Fancy Bear or Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia. The group has been involved in several high-profile cyber-espionage activities, including the hacking of the Democratic National Committee (DNC) during the 2016 US Presiden	Unspecified	2
The Seashell Blizzard Threat Actor is associated with NotPetya. Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Eternalblue Vulnerability is associated with NotPetya. EternalBlue is a software vulnerability, specifically a flaw in the Windows Server Message Block (SMB) code execution. This vulnerability was made public when a group known as the Shadow Brokers leaked an exploit developed by the U.S. National Security Agency. The exploit, dubbed EternalBlue, is ass	Exploited	3
The Eternalromance Vulnerability is associated with NotPetya. EternalRomance is a software vulnerability, specifically an exploit for the Server Message Block version 1 (SMBv1) protocol, which was leaked by the group known as the "ShadowBrokers." It affects Windows XP, Windows Server 2003, and Windows Vista systems. This flaw allows attackers to execute arbitr	Unspecified	2

Source Document References

Information about the NotPetya Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	6 days ago	Lessons From OSC&R on Protecting Software Supply Chain
Flashpoint	a month ago	The New Cold War is Here: Preparing Your Business for The Convergence of Geopolitical, Physical and Cyber Threats
DARKReading	2 months ago	Allies to Leverage During a Cyber Crisis
DARKReading	4 months ago	Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware
CERT-EU	10 months ago	Merck settles with insurers regarding a $1.4 billion claim over NotPetya damages
CERT-EU	9 months ago	Cyber Insurance Coverage Is Complex For Industrial Companies
CERT-EU	8 months ago	Emulating the Sabotage-Focused Russian Adversary Sandworm
Recorded Future	4 months ago	“Mobile NotPetya”: Spyware Zero-Click Exploit Development Increases Threat of Wormable Mobile Malware
RIA - Information System Authority	6 months ago	Head of RIA: last year was proof that securing the digital lifestyle requires investing in the security of information systems
RIA - Information System Authority	6 months ago	Threat Assessment: Cyber attacks against Ukraine and possible impact in Estonia
DARKReading	6 months ago	Microsoft: 'Moonstone Sleet' APT Melds Espionage, Financial Goals
InfoSecurity-magazine	6 months ago	New North Korean Hacking Group Identified by Microsoft
InfoSecurity-magazine	7 months ago	Russia’s Sandworm Upgraded to APT44 by Google's Mandiant
Securityaffairs	7 months ago	Previously unknown Kapeka backdoor linked to Sandworm APT
DARKReading	7 months ago	Dangerous New ICS Malware Targets Orgs in Russia and Ukraine
BankInfoSecurity	7 months ago	The Global Menace of the Russian Sandworm Hacking Team
DARKReading	7 months ago	Sandworm Is Russia's Top Cyberattack Unit in Ukraine
Recorded Future	7 months ago	“Mobile NotPetya”: Spyware Zero-Click Exploit Development Increases Threat of Wormable Mobile Malware
DARKReading	8 months ago	White House's Call for Memory Safety Brings Challenges, Changes, and Costs
CERT-EU	8 months ago	Mitigating Lurking Threats in the Software Supply Chain