Petya / Not-Petya – The Story So Far

29 Jun, 2017

Author: Sean Seaman, Security Consultant, Sapphire

London, UK, 29 June 2017 – Reports of an outbreak of the malware strain Petya hit the news earlier this week. The malware seems to have spread throughout Eastern Europe with only a small number of reported attacks outside of this area.

Initially sited as a ransomware attack, the now coined Not-Petya malware appears to be a significantly altered and targeted version of the Petya exploit. The malware appears to be aimed at developers, as first investigations report that both source code and development files are being targeted.

Due to this, it’s would be advisable for developers to store all source code and any development runs away from the main network. This data should also be regularly backed up.

Attack Vectors

This malware appears to be spread via phishing emails with infected attachments. It has also been side loaded into a MeDoc software update, however this vector has now been reported as closed.

Once the malware is on a host, it will wait for what appears to be between 10-60 minutes, during which time it will attempt to harvest user credentials from RAM/memory, after which it will force the host to reboot.

After the reboot, the malware will encrypt all files with a specific targeted file extension (.asp, .aspx, .c, .7z etc.) and show a screen informing the user to pay an amount of Bitcoins to decrypt the files. Unfortunately, this is not possible as the sole mechanism to request payment options is via email and the account has now been removed. The malware will then use some of the same network infection techniques as WannaCry to spread across the network – specifically ‘EternalBlue’, patched by Microsoft with MS17-010.

The main difference here is that WannaCry used a weakness in SMBv1 to gain unauthenticated access to the remote hosts; Not-Petya will use the previously harvested credentials to authenticate to the remote host and copy the malware over – here a local administrative credential on the remote host is required.

As with any phishing attack the user will be the weak point for this vector, so staff training in identifying phishing emails will be critical.  Any suspicious email should be reported and investigated.

Detection and Prevention

For network administrators, the investigation into any potentially harmful attachments should also be done cautiously. If an attachment is opened by a network administrator and their host is infected by opening this attachment, the likelihood of harvesting admin user credentials is significantly increased (as the network administrator may well have numerous administrative credentials active in RAM).

Aside from the possibility of the infection penetrating the network, we need to consider the ability for the malware to spread throughout the network.  As this malware spreads using user credentials found in memory; good network security processes will help limit the spread.  Ensuring that even network administrators especially are adhering to principles of least privilege will significantly reduce the risk of this malware spreading.

If systems are infected, a blue screen appear after reboot pretending to be the Check Disk utility; the best thing to do here will be to pull the plug/battery on the computer.  Hopefully this will limit the number of encrypted files, although should you want to recover the data, the likelihood is that you will need to remove the disk from the device.

Based on the fact that we have had two high profile malware outbreaks both leveraging network spreading via SMB, monitoring this traffic would be advisable;  Any device which is connecting to many IP addresses across the broadcast network on TCP/137/138/139/445 should be immediately investigated.


As highlighted above:

  • Ensure developers store all source code and development runs away from the main network
  • Ensure regular backups of all sensitive data
  • To avoid phishing attacks, raise staff awareness and provide phishing awareness training
  • Follow the principle of least privilege wherever possible
  • Monitor network traffic via the SMB protocol

As previously advised when exploit campaigns such as WannaCry hit, the steps you can take to protect your business are:

  • Make sure IPS protections where available are up to date to prevent propagation
  • Ensure all devices are patched to the latest versions of Operating System
  • Patch all 3rd party applications to their latest versions
  • Be vigilant in any use of email, specially containing attachments or links – urge users to do so
  • Remind users – if they are in any doubt – do not open the email
  • To check an attachment use a reliable source such as:

Useful Tools

If you’re struggling to identify the vulnerable assets on your network, our partners Tenable are offering a free 60-day trial of Tenable.IO – take advantage of this offer to gain visibility of all the vulnerable assets on your network.

Ivanti have produced an add-on for Microsoft SCCM which can deliver a streamlined, automated process for patching 3rd party enterprise applications. For a free 90-day license of this tool, please download here.

For further advice, please contact Sapphire on 0845 58 27001.