Historical Hacks: NotPetya (2017)
State-sponsored ransomware has gotten far worse over the years.
As we’ve explored notable cybersecurity hacks, we’ve looked at everything from worms made for research purposes to the use of zero-day exploits by government hackers. In today’s article, we’ll be deviating from that path to take a look at state-sponsored malware and ransomware attacks. They’ve allowed countries to bypass sanctions, contributed to nuclear research, given struggling economies access to cold hard cash, and caused chaos on machines worldwide.
The Same, But Different
While ransomware tends to vary target by target, we often find many similarities between different packages. For instance, victims are usually presented with encrypted data and a Bitcoin payment address, with payment promised to unlock the data. Sometimes this will work, and sometimes the data is lost with no ability to recover.
While there have been plenty of state-sponsored attacks since the turn of the year 2000, today we’ll be focusing specifically on the NotPetya attack that came to light in 2017. Unlike the earlier WannaCry attacks, Petya can be considered more of a wiper than a legitimate ransomware attack; however, it did still leverage some of the features that made an appearance during the WannaCry attacks.
Those monitors scream the early 2000s. Petya lock screen. Source: Wikipedia
First Stop, Ukraine
While Petya was first seen in the wild in 2016, it would take some time for it to come to the forefront and cause the kind of chaos we’ve seen around other malware attacks. Petya was different, however. Its targeting was extremely malicious and, unlike earlier ransomware, there was little chance of data recovery once a machine was infected. This made it far more damaging than previous variants. To understand this a little better, though, we need to jump back a little and explore some of the relevant circumstances that helped contribute to this situation.
It’s pretty well known that in 2014 Russia moved troops into the contested Crimea region. However, one lesser-known thing is the barrage of cyber attacks that took place around the time this occurred. Targeting Ukrainian infrastructure, assets, and persons of interest, these attacks were designed to cripple infrastructure as well as send large amounts of data back to the Russian state, where it could be disseminated and analyzed.
Because of this, Ukraine became the new front line for cyberwarfare, with hacks and social engineering attacks pursued both offensively and defensively. We also saw the world's cybersecurity specialists turn their attention to securing and protecting Ukrainian infrastructure. While cyber attacks can be devastating, a defensive posture can still be built regardless, and that posture minimizes the impact of both cyber and social engineering attacks.
Europe, or more specifically Ukraine, has seen a huge number of attacks in the wild. Source: Wikipedia
Chaos Creator: Why It Was Effective
While Petya was by no means the world's first ransomware attack, it was devastatingly efficient, causing chaos basically wherever it spread. And while it was similar to the earlier WannaCry ransomware, some distinct differences made it more aggressive and damaging than what we’d seen earlier.
Firstly, Petya was more a wiper attack than a ransomware setup. Once a machine was infected, there was little way to recover it. This meant that, unlike WannaCry, there was little way to stop the attack once the machine had reached the point of infection. Because of this, Petya sowed more destruction along the way than the typical variants we’d seen previously, taking out personal, commercial, and embedded systems the world over.
Secondly, Petya was noteworthy for where and how it spread, as much as for the damage it did. While the world has heard of Stuxnet and the damage it did to the Iranian nuclear program, Petya was designed to do similar damage to Ukrainian infrastructure, albeit in a different way. Part of the reason the initial wave was so damaging was its indiscriminate spread across the surface of the internet.
Lastly, NotPetya used a similar exploit to WannaCry, leveraging the NSA-discovered EternalBlue (CVE-2017-0144) exploit to gain access. However, unlike WannaCry, Petya also kept a surprise package for machines that would not give up administrator rights. Known as Mischa, this little surprise meant that the spread was far more prolific than what we’d seen previously. It also meant that this particular variant became much more damaging in context.
Cyberattacks peaked in 2022 with the launch of the full-scale invasion. This time though, Ukraine was ready. Source: Wikipedia.
Economic / Security Impact on Industry
We spoke earlier about how certain attributes of Petya made it difficult to mitigate. Some of these issues were also legitimate reasons why the economic damage was as large as it was. However, probably the biggest issue with Petya was that of attribution: who designed it, where did it come from, and what was the objective behind unleashing it in the wild?
To answer some of these questions, we will need to look at where Petya was first detected as well as what the objectives were behind the ransomware. As we examine some of these issues, we start to see consistency in the targeting, and we learn more about where it originated and what its purpose was.
While attribution can be complex, there were commonalities across the malware as a whole that made attributing it to particular actors far easier.
One of the biggest giveaways was its use of the previously mentioned EternalBlue exploit. Used by Russian state actors in the past, this, along with its release into Ukraine, started to indicate that there were certain goals behind Petya. This wasn’t just a simple case of malware for profit. Profit wasn’t even a motivator at all! This was something far more sinister.
Remediation & Legacy
While the initial goal was machines and infrastructure within Ukraine, it’s fair to say that the damage done was far outside the scope of the initial goals. With some estimates reaching over 10 billion dollars, it could be said that that goal was achieved.
However, when it comes to remediation, we find that one of the most effective steps in dealing with this issue was the sharing of information by cyber specialists. This collaborative work made a huge difference to mitigation strategies, allowing people to collectively review and share information in real time.
This is by no means a new approach; collective work was a huge reason the WannaCry attack was able to be stopped so effectively. However, in this instance, we’d need more than private researchers to assist with this. Microsoft issued patches to prevent exploitation of EternalBlue, and cyber and infosec specialists developed new procedures designed to mitigate the human factors that contributed to these attacks and to provide forensic specialists with a response strategy to limit damage.
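The patches mentioned above closed the SMBv1 hole that EternalBlue abused, but many machines stayed exposed simply because nobody checked. As an added example (not code from the original article), this PowerShell script reports whether a Windows host still has SMBv1 enabled and whether any of the patch KB numbers you pass in are installed; the KB list itself is a placeholder you should fill from Microsoft's MS17-010 bulletin for your OS version.

```powershell
# Defensive audit of SMBv1 exposure on the local Windows host (added example).
# Run in an elevated PowerShell session. Nothing here changes the system;
# the remediation commands are shown as comments at the end.
param(
    # Placeholder: supply the MS17-010 KB numbers for this OS version.
    [string[]]$Ms17010Kbs = @("KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2")
)

$findings = @()

# 1. Is the SMB server still accepting SMBv1 connections?
$server = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($server -and $server.EnableSMB1Protocol) {
    $findings += "SMB1 is ENABLED on the server side (EnableSMB1Protocol = True)."
}

# 2. Is the SMB1 optional feature still installed? (client editions)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq "Enabled") {
    $findings += "Windows optional feature SMB1Protocol is installed."
}

# 3. Is at least one of the supplied MS17-010 hotfixes present?
$installed = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
$patched = $Ms17010Kbs | Where-Object { $installed -contains $_ }
if (-not $patched) {
    $findings += "None of the supplied MS17-010 KBs ($($Ms17010Kbs -join ', ')) are installed."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: SMBv1 disabled and an MS17-010 hotfix is present."
} else {
    Write-Output "EXPOSED: $($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Output "  - $_" }
    # Remediation (review before running):
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    #   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    # Then install the MS17-010 update for this OS and reboot.
}
```

On Windows Server editions the SMB1 feature is queried with Get-WindowsFeature FS-SMB1 instead of Get-WindowsOptionalFeature.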
The legacy of the Petya attacks was long-lasting but somewhat positive toward the end. Due to the severity of the attacks, many organizations ended up dealing with long-term damage that was expensive to mitigate as well as extremely slow. However, despite this, we saw a new awareness of some of the issues in the cybersecurity community along with a better understanding of the role security researchers and specialists could play when dealing with an incident.
It’s fair to say that nothing brings focus to cybersecurity woes like data loss, encryption of your machine, and poorly made backups to recover from. NotPetya made people realize the damage that could be inflicted on the community when companies and individuals dropped the ball on cybersecurity.
While the industry still has a long way to go, moments like this leave lasting impressions on how users view computers, security, and the internet.
Do you have a backup? What would happen if you lost your machine to ransomware? If you have a computer, these are the questions to ask yourself before you’re attacked, not after. Do it now, and you can thank yourself later.