
The ‘NotPetya’ Ransomware Attacks Explained

June 27, 2017

On Tuesday, a number of Ukrainian banks and financial firms, along with the state power distributor, were hit by a cyber attack that disrupted operations, according to the National Bank of Ukraine, which blamed an “unknown virus”. We will share some of our findings and explain why Votiro’s customers are protected from this attack.

Today, the attack appears to have spread further, to the country’s largest airport, to Russia’s Rosneft oil company and to the Danish shipping giant A.P. Moller-Maersk. I’m sure the list will continue to grow.

Images from affected computers show what appears to be a ransomware attack, with the criminals demanding a payment of $300 (£235) in Bitcoin to regain access to encrypted files. This variant is said to be related to the Petya family, a known strain of ransomware that has been around since mid-2016 and uses an unusual way of holding your files hostage.

Here’s how it works…

Petya takes over the Master Boot Record (MBR), overwriting it with a custom boot loader that loads a malicious kernel. This kernel is then in charge of continuing the encryption process for the rest of the files.

While most ransomware encrypts the files themselves, Petya encrypts the Master File Table (MFT), which makes it impossible for the file system to locate the files. Because Petya has overwritten the MBR, the system crashes, and when it reboots the following message appears:

This may seem like a genuine Windows error, but the malicious kernel is actually already doing its part, encrypting the MFT. Once the kernel has finished, the screen changes to:
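Because the infection replaces the bootstrap code in sector 0 while leaving the disk otherwise bootable, a defender can catch it by comparing the MBR against a baseline taken while the machine was clean. The Go program below is an added example written for this post; it is not Votiro’s code and not taken from the malware. It assumes the classic 512-byte MBR layout (446 bytes of boot code, a 64-byte partition table, the 0x55AA signature) and uses constructed sectors whose boot code is a filler pattern rather than real Windows or malware code. It reports boot code and partition table separately, so a replaced loader (code changed, table intact) can be told apart from a legitimate repartition.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Layout of a classic 512-byte MBR (sector 0 of the disk).
const (
	sectorSize   = 512
	bootCodeLen  = 446 // bootstrap code: bytes 0..445
	partTableOff = 446 // partition table: bytes 446..509, four 16-byte entries
	partTableLen = 64
	sigOff       = 510 // boot signature 0x55 0xAA: bytes 510..511
)

// MBRReport records how a captured sector 0 differs from a known-good baseline.
type MBRReport struct {
	SignatureOK        bool   // 0x55AA still present, so firmware would boot whatever code is there
	BootCodeHash       string // SHA-256 of the bootstrap code region, for the incident record
	BootCodeMatch      bool   // bootstrap code identical to the baseline
	PartitionTableSame bool   // partition entries identical to the baseline
}

// hashBootCode returns the hex SHA-256 of the bootstrap code region only.
func hashBootCode(sector []byte) string {
	sum := sha256.Sum256(sector[:bootCodeLen])
	return hex.EncodeToString(sum[:])
}

// checkMBR compares the current sector 0 against a baseline captured while the
// machine was known to be clean. A replaced boot loader shows up as a boot-code
// mismatch with the partition table unchanged; a legitimate repartition changes
// the table but not the boot code.
func checkMBR(current, baseline []byte) (MBRReport, error) {
	if len(current) != sectorSize || len(baseline) != sectorSize {
		return MBRReport{}, errors.New("both sectors must be exactly 512 bytes")
	}
	curTable := current[partTableOff : partTableOff+partTableLen]
	baseTable := baseline[partTableOff : partTableOff+partTableLen]
	return MBRReport{
		SignatureOK:        current[sigOff] == 0x55 && current[sigOff+1] == 0xAA,
		BootCodeHash:       hashBootCode(current),
		BootCodeMatch:      hashBootCode(current) == hashBootCode(baseline),
		PartitionTableSame: bytes.Equal(curTable, baseTable),
	}, nil
}

// syntheticMBR builds a constructed sector for the demonstration. The boot code
// is a filler byte pattern, not real Windows or malware code, and the single
// partition entry uses illustrative values.
func syntheticMBR(bootFiller byte) []byte {
	s := make([]byte, sectorSize)
	for i := 0; i < bootCodeLen; i++ {
		s[i] = bootFiller
	}
	entry := []byte{
		0x80,                   // bootable flag
		0x20, 0x21, 0x00,       // CHS start (illustrative)
		0x07,                   // partition type 0x07 (NTFS/exFAT)
		0xFE, 0xFF, 0xFF,       // CHS end (illustrative)
		0x00, 0x08, 0x00, 0x00, // LBA of first sector: 2048
		0x00, 0xF8, 0x7F, 0x0C, // sector count (illustrative)
	}
	copy(s[partTableOff:], entry)
	s[sigOff], s[sigOff+1] = 0x55, 0xAA
	return s
}

func main() {
	baseline := syntheticMBR(0x90) // captured from the clean machine
	tampered := syntheticMBR(0x4D) // same partition table, different boot code
	for name, sector := range map[string][]byte{"baseline": baseline, "tampered": tampered} {
		r, err := checkMBR(sector, baseline)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-8s sig=%v bootcode_match=%v table_same=%v sha256=%s...\n",
			name, r.SignatureOK, r.BootCodeMatch, r.PartitionTableSame, r.BootCodeHash[:16])
	}
}
```

On a real host the two sectors would come from reading the first 512 bytes of the physical disk (for example from a forensic image) and from a baseline stored off the machine; the comparison itself does not change.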

Recent events

It seems that the WannaCry campaign was only the first of the many ransomware campaigns to follow.

Today, around the world, machines are becoming infected with the NotPetya ransomware; reports continue to arrive from the UK, India, the Netherlands, Spain, Denmark and Ukraine, and it won’t be long before the campaign reaches other countries.


Credit to https://twitter.com/search?q=ransomworm&src=typd

While this ransomware may not match WannaCry’s infection rate, it is still substantial, and the campaign is still young; those behind it seem to have learned a great deal from WannaCry.

While WannaCry spread only via SMB to reachable machines, NotPetya is at a whole other level of sophistication.

Updated on July 9th, 2017:

M.E.Doc is a widely deployed accounting package created by a Ukrainian company named Intellect Service; it is used to interact with Ukrainian tax systems.

It appears that an unknown actor stole admin credentials for the M.E.Doc server, logged in, gained root access and began modifying files on the server.

The end result was a complete modification of the update mechanism for the M.E.Doc software: every installation that checked for an update received a malicious one, which inserted a backdoor into the product.

This backdoor would later be used to execute all sorts of commands remotely, which would eventually result in a NotPetya infection.
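The weakness this update chain exposes is that clients trusted whatever the server handed them, so anyone with write access to the server could push code into every installation. The Go program below is an added example, not part of the original post and not M.E.Doc’s or Votiro’s code, showing the usual countermeasure: the vendor signs a release manifest with a private key that never lives on the update server, and the client accepts an update only if the manifest verifies against a pinned public key and the payload hashes to the digest inside it. The payloads, version strings and manifest format are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one update release. It is signed on the vendor's offline
// signing host; the update server only stores and serves it.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the update payload
}

// manifestBytes is the canonical form that is signed and later verified.
func manifestBytes(m Manifest) []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// signRelease runs off the update server, with the vendor's private key.
func signRelease(priv ed25519.PrivateKey, payload []byte, version string) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, manifestBytes(m))
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("update payload does not match the signed manifest")
)

// verifyRelease is the client side: the update is installed only if the manifest
// carries a valid signature from the pinned key AND the payload hashes to the
// digest in that manifest. Whoever controls the server controls neither.
func verifyRelease(pinned ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Scenarios holds the client's verdict for an honest server and for two
// server-compromise cases.
type Scenarios struct {
	Honest, SwappedPayload, ResignedByAttacker error
}

func runScenarios() (Scenarios, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenarios{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenarios{}, err
	}
	good := []byte("constructed update payload, version 1.2")
	bad := []byte("constructed payload with a backdoor appended")
	m, sig := signRelease(vendorPriv, good, "1.2")

	var s Scenarios
	// 1. honest server: manifest, signature and payload all match
	s.Honest = verifyRelease(vendorPub, m, sig, good)
	// 2. an intruder on the server swaps the payload but cannot re-sign the manifest
	s.SwappedPayload = verifyRelease(vendorPub, m, sig, bad)
	// 3. the intruder writes a fresh manifest for the bad payload and signs it with
	//    a key of their own; the client's pinned vendor key rejects it
	m2, sig2 := signRelease(attackerPriv, bad, "1.3")
	s.ResignedByAttacker = verifyRelease(vendorPub, m2, sig2, bad)
	return s, nil
}

func main() {
	s, err := runScenarios()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("honest server:         ", s.Honest)
	fmt.Println("swapped payload:       ", s.SwappedPayload)
	fmt.Println("re-signed by attacker: ", s.ResignedByAttacker)
}
```

The design point is where the keys live: the signing key stays on an offline host and the verification key is pinned in the client, so stolen server credentials are not enough to ship a trusted update.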

Once it has infected a machine, NotPetya uses the same EternalBlue exploit that WannaCry used to spread to additional machines within the organization. Unlike WannaCry, NotPetya has no kill-switch.
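The internal spread over SMB leaves a recognisable trace: one host opening port 445 on many different internal hosts in a short time, which ordinary workstations do not do. The Go program below is an added detection example, not part of the original post and not Votiro’s code, that runs a sliding window over connection records and flags any source reaching a threshold of distinct hosts on 445. The log line format, the addresses and the timestamps are all constructed for the demonstration; the window and threshold are assumptions to be tuned per environment.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Flow is one connection attempt taken from a flow log. The line format below is
// constructed for this example: "<RFC3339 time> <src> <dst> <dst port>".
type Flow struct {
	At      time.Time
	Src     string
	Dst     string
	DstPort int
}

func parseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Flow{}, fmt.Errorf("expected 4 fields, got %d in %q", len(f), line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Flow{}, err
	}
	port, err := strconv.Atoi(f[3])
	if err != nil {
		return Flow{}, err
	}
	return Flow{At: at, Src: f[1], Dst: f[2], DstPort: port}, nil
}

// smbFanOut returns every source that reached at least `threshold` distinct hosts
// on TCP/445 inside some `window`. A workstation talks to a few file servers; a
// worm sweeps the subnet. Repeated attempts to one host count once.
func smbFanOut(flows []Flow, window time.Duration, threshold int) []string {
	bySrc := map[string][]Flow{}
	for _, f := range flows {
		if f.DstPort == 445 {
			bySrc[f.Src] = append(bySrc[f.Src], f)
		}
	}
	var hits []string
	for src, fs := range bySrc {
		sort.Slice(fs, func(i, j int) bool { return fs[i].At.Before(fs[j].At) })
		distinct := map[string]int{} // destination -> attempts inside the window
		lo := 0
		for hi := range fs {
			distinct[fs[hi].Dst]++
			for fs[hi].At.Sub(fs[lo].At) > window { // slide the window forward
				distinct[fs[lo].Dst]--
				if distinct[fs[lo].Dst] == 0 {
					delete(distinct, fs[lo].Dst)
				}
				lo++
			}
			if len(distinct) >= threshold {
				hits = append(hits, src)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// sampleLog is constructed data: 10.0.1.20 behaves like a normal client,
// 10.0.1.50 reaches ten different hosts on 445 in under twenty seconds.
var sampleLog = []string{
	"2017-06-27T10:00:05Z 10.0.1.20 10.0.1.10 445",
	"2017-06-27T10:03:41Z 10.0.1.20 10.0.1.11 445",
	"2017-06-27T10:04:02Z 10.0.1.20 10.0.1.10 443",
	"2017-06-27T11:12:09Z 10.0.1.20 10.0.1.10 445",
	"2017-06-27T10:15:00Z 10.0.1.50 10.0.1.101 445",
	"2017-06-27T10:15:01Z 10.0.1.50 10.0.1.101 445",
	"2017-06-27T10:15:02Z 10.0.1.50 10.0.1.102 445",
	"2017-06-27T10:15:04Z 10.0.1.50 10.0.1.103 445",
	"2017-06-27T10:15:06Z 10.0.1.50 10.0.1.104 445",
	"2017-06-27T10:15:08Z 10.0.1.50 10.0.1.105 445",
	"2017-06-27T10:15:10Z 10.0.1.50 10.0.1.106 445",
	"2017-06-27T10:15:12Z 10.0.1.50 10.0.1.107 445",
	"2017-06-27T10:15:14Z 10.0.1.50 10.0.1.108 445",
	"2017-06-27T10:15:16Z 10.0.1.50 10.0.1.109 445",
	"2017-06-27T10:15:18Z 10.0.1.50 10.0.1.110 445",
}

// detectFromLog parses the lines and applies a 60-second window and a threshold of 8.
func detectFromLog(lines []string) ([]string, error) {
	flows := make([]Flow, 0, len(lines))
	for _, l := range lines {
		f, err := parseFlow(l)
		if err != nil {
			return nil, err
		}
		flows = append(flows, f)
	}
	return smbFanOut(flows, 60*time.Second, 8), nil
}

func main() {
	hits, err := detectFromLog(sampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("hosts fanning out over SMB:", hits)
}
```

Feeding this real firewall or NetFlow records is a matter of replacing parseFlow with a parser for that format; the windowed distinct-destination count is the part that carries the signal.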

We refer to it as NotPetya because it is very similar in behavior to the Petya ransomware but has additional features that make it unique. Early reports linked the two on account of the encryption mechanism, but it appears that NotPetya has taken its encryption capabilities from Petya and nothing more.

As this campaign grew and made waves, the author of Petya released his private key, effectively unlocking all files that had been encrypted by Petya. The move was meant to show that he has nothing to do with the NotPetya campaign.

Mitigations

To mitigate the damage, Microsoft has issued the Windows security patch MS17-010, which resolves the SMB protocol vulnerability. All users should make sure their machines are up to date, both to avoid being infected and to avoid infecting others.

While most security solutions try to detect malicious documents, or run them through a sandboxed environment where malicious variants can be identified, deploying Advanced CDR protection can definitely be a good solution.

Our Advanced CDR solution, which supports RTF and many other document formats, examines the OLE objects carefully as the document is rebuilt from scratch, eliminating any non-standard or undocumented attributes, values and OLE objects, without requiring signatures or learning.

Summary

We predict that this is just the beginning of the ransomworm era. Ransomware combined with worm-style propagation sets the stage for much higher infection rates. While WannaCry was the first ransomworm, it had many flaws that helped limit its spread. With Petya it is very different, as this strain of ransomware uses two different attack vectors to achieve as many infections as possible. We urge all users to update their machines and not to open unsanitized files, as they may contain the next ransomworm outbreak.

To submit a file to our Advanced CDR solution, which is able to sanitize any document (even with zero-days), click here.