Cybersecurity Fundamentals
Project Report – NotPetya
The June 2017 release of the NotPetya cyberattack is considered one of many turning points in the growth of cyberwarfare and in how we view the internet and cybersecurity. Despite first being described as a ransomware attack that demanded Bitcoin payments to decrypt files, its true nature was far more destructive than its appearance suggested: it was a highly damaging wiper disguised as the work of a financially motivated criminal. The attack started in Ukraine but quickly expanded globally, damaging government organizations, corporations, and critical infrastructure and resulting in billions of dollars in damage. This paper examines the technical workings of NotPetya, including its initial infection vector, its advanced propagation methods, and its relentless data destruction tactics. We also look at its significant worldwide impact, highlighting the repercussions that disrupted global trade. The tragic results of this cyberattack also prompted conversations about weaknesses in global supply chains. NotPetya is a distinct and extremely dangerous example of modern cyberwarfare because, in contrast to ordinary ransomware, its goal was broad disruption and data obliteration rather than financial gain, although it was disguised as such. Strengthening cybersecurity defenses and reducing the likelihood of future, equally destructive attacks requires an understanding of NotPetya’s mechanisms and the effects it had.
Geopolitical tensions between Russia and Ukraine were growing at the time of the NotPetya attack. The timing of the launch, just before Ukraine’s Constitution Day on June 28th, strongly implied a coordinated attempt to destabilize and disturb the nation (Fortra, 2017). In the immediate aftermath, the attack was commonly mislabeled as a ransomware incident. It gave victims the impression of a financially motivated cybercrime, since they were shown a ransom note demanding $300 in Bitcoin for the supposed decryption of their files (Greenberg, 2018). Nevertheless, a more thorough examination quickly showed that the ransom note masked a much more harmful intent.
The crucial difference lies in the malware’s actual characteristics. NotPetya functioned as a “wiper,” a kind of malware intended to permanently destroy data, whereas ransomware typically encrypts data with the goal of delivering a decryption key upon payment. The ransom message that was displayed mostly served as a smokescreen, drawing attention away from the actual goal, which was to destroy important data and render compromised systems unusable. NotPetya was classified as a fundamentally destructive attack rather than a legitimate ransomware operation because of the way it was designed and executed, which rendered successful decryption extremely unlikely even if the ransom was paid.
The popular Ukrainian accounting program M.E.Doc served as the main entry point for the NotPetya attack. This software is a vital part of Ukraine’s economic infrastructure, since Ukrainian organizations use it to manage financial data and file tax returns. The attackers successfully infiltrated the M.E.Doc update server and used it as a means of spreading the malicious payload to many users (2).
Malicious code was introduced into a genuine M.E.Doc software update package as part of the technique. Users unintentionally downloaded and ran the NotPetya malware when they installed the infected update. Because this trojanized update was digitally signed with a legitimate certificate belonging to the developer of M.E.Doc, the result was extremely destructive: the digital signature, which was meant to assure users that the update was genuine and safe, actually lent legitimacy to the infection, allowing it to bypass several standard security checks without raising any immediate concerns for users or security software.
In particular, version 10.01.176 of M.E.Doc was found to be the compromised version, and version 10.01.180, a later release, was also discovered to be compromised (Cimpanu, 2017). The complex nature of the assault and the difficulty of safeguarding software supply chains are demonstrated by the attackers’ ability to insert malicious code into these updates and sign them with a legitimate certificate. By compromising a trusted software provider’s update system and distributing NotPetya to a large number of unaware victims, the attackers successfully transformed a lawful software distribution route into a weapon of mass cyber destruction.
NotPetya used multiple tactics to spread quickly throughout the local network after compromising a system with the M.E.Doc update. The attack’s ability to infect many systems within an organization in a short time made the disruption and destruction of those systems possible, which was central to its global impact. The main methods used for this propagation were exploiting the SMBv1 vulnerability with EternalBlue and EternalRomance, using WMI and PsExec with credentials that had been obtained, and using Mimikatz to steal those credentials (Cimpanu, 2017).
Exploiting the SMBv1 (Server Message Block version 1) protocol vulnerability, specifically with the EternalBlue and EternalRomance exploits, was a key component of NotPetya’s quick propagation (Cimpanu, 2017). NotPetya was able to run malicious code on vulnerable Windows PCs without the need for user intervention thanks to EternalBlue, an exploit created by the National Security Agency (NSA) of the United States and later made public by the hacker collective Shadow Brokers. The flaw, addressed by Microsoft’s MS17-010 security update, lay in how SMBv1 processed packets. NotPetya could take over a vulnerable system and run its code by sending it a malicious packet, thereby spreading from one machine to another (Cimpanu, 2017).
Additionally, NotPetya used PsExec and Windows Management Instrumentation (WMI), two trusted Windows administration tools, to run malicious code on additional networked PCs. Administrators can remotely run processes on other systems using PsExec, a component of the Sysinternals suite. WMI offers a standardized method for managing and accessing computer system information (Cimpanu, 2017). NotPetya remotely executed its damaging payload on other systems using these tools and stolen credentials. Because the execution was carried out with legitimate Windows tools, this method allowed it to get around some security checks that might have identified malware being transported over the network. To make its use of WMI and PsExec easier, NotPetya used Mimikatz, a popular post-exploitation tool for extracting usernames and passwords from system memory (2). Mimikatz can retrieve credentials saved in many formats, such as Kerberos tickets, NTLM hashes, and plain text passwords (2). By using Mimikatz to obtain credentials from compromised systems, NotPetya was able to authenticate to other systems on the network and use WMI and PsExec to remotely execute its payload. This credential theft greatly increased the attack’s ability to spread quickly and gain access to many systems.
By combining these strategies, NotPetya was able to move across networks with remarkable speed. The initial infection was made possible by the exploitation of the unpatched SMBv1 vulnerability, and the malware then spread quickly and discreetly using legitimate administration tools and stolen credentials, causing immense destruction. Credential theft, legitimate tools, and well-known exploits were all combined to create NotPetya, a highly destructive cyberweapon.
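As an added illustration that is not part of the report, the following Python looks at the propagation described above from the defender’s side: it flags PsExec’s service installation, processes spawned by the WMI provider host, unexpected access to lsass.exe memory (the credential-theft step), and one host authenticating to many others within a short window. The event records and field names are constructed assumptions modelled on a normalised Windows Security/Sysmon feed, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field names are assumptions
# modelled on a normalised Windows Security / Sysmon feed.
EVENTS = [
    {"ts": "2017-06-27T11:01:50", "host": "FIN-WS07", "kind": "process_access",
     "source": r"C:\Users\Public\unknown.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2017-06-27T11:01:55", "host": "FIN-WS07", "kind": "process_access",
     "source": r"C:\Windows\System32\csrss.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2017-06-27T11:02:03", "host": "FIN-WS01", "kind": "logon",
     "src": "FIN-WS07", "logon_type": 3, "user": "svc_backup"},
    {"ts": "2017-06-27T11:02:05", "host": "FIN-WS01", "kind": "service_install",
     "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2017-06-27T11:02:09", "host": "FIN-WS02", "kind": "logon",
     "src": "FIN-WS07", "logon_type": 3, "user": "svc_backup"},
    {"ts": "2017-06-27T11:02:10", "host": "FIN-WS02", "kind": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ts": "2017-06-27T11:02:15", "host": "FIN-WS03", "kind": "logon",
     "src": "FIN-WS07", "logon_type": 3, "user": "svc_backup"},
    {"ts": "2017-06-27T13:30:00", "host": "FIN-WS05", "kind": "logon",
     "src": "ADMIN-PC", "logon_type": 3, "user": "helpdesk"},
]

# Processes that legitimately open lsass.exe (assumed allow-list; tune per estate).
LSASS_ALLOW = {"csrss.exe", "wininit.exe", "lsass.exe", "services.exe"}
FANOUT_HOSTS = 3                       # one source reaching this many hosts ...
FANOUT_WINDOW = timedelta(minutes=5)   # ... inside this window looks worm-like

def _base(path):
    """Case-folded file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Return (rule, host, detail) alerts for the lateral-movement patterns."""
    alerts = []
    logons = defaultdict(list)         # source host -> [(time, target host)]
    for ev in events:
        kind = ev["kind"]
        if kind == "service_install" and ev["service"].upper().startswith("PSEXESVC"):
            alerts.append(("psexec_service", ev["host"], ev["service"]))
        elif kind == "process" and _base(ev["parent"]) == "wmiprvse.exe":
            alerts.append(("wmi_child_process", ev["host"], _base(ev["image"])))
        elif (kind == "process_access" and _base(ev["target"]) == "lsass.exe"
              and _base(ev["source"]) not in LSASS_ALLOW):
            alerts.append(("lsass_access", ev["host"], _base(ev["source"])))
        elif kind == "logon" and ev["logon_type"] == 3:   # network logon
            logons[ev["src"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    # Fan-out: count distinct targets per source inside a sliding time window.
    for src, seq in logons.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            targets = {h for t, h in seq[i:] if t - t0 <= FANOUT_WINDOW}
            if len(targets) >= FANOUT_HOSTS:
                alerts.append(("logon_fanout", src, sorted(targets)))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Each rule on its own is noisy in a real estate (administrators do use PsExec and WMI); the value is in several of them firing on the same hosts within minutes.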
The Master Boot Record (MBR), the first sector of the hard drive, was the target of NotPetya during execution. The boot loader and partition table, which are necessary for the operating system to start, are located in the MBR. NotPetya stopped the machine from booting correctly by replacing the MBR with a malicious, custom boot loader (Hung & Joven, 2017). As a diversion, a ransom note would appear when a user tried to start their computer, but the real problem was a corrupted MBR, which effectively disabled the system (Microsoft, 2017).
Data recovery was extremely difficult because of the combination of MBR overwriting and targeted file destruction. Although some data recovery specialists made an effort to retrieve data from compromised computers, most of these attempts were unsuccessful. The chance of recovering almost all of the lost data was low, even with advanced data recovery techniques, especially given the lack of backups made beforehand.
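As an added example (not code from the report or from the cited sources), the following Python parses a 512-byte MBR, checks its structure, and compares the boot code region against a digest recorded while the machine was healthy. This is the kind of integrity check that would flag the boot loader replacement described above before the next reboot. The sample sectors are constructed, and the boot-code bytes are placeholders rather than a real loader.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446         # followed by four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511 close a valid MBR
ENTRY_FMT = "<B3xB3xII"      # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, count) tuples."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, entry in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, *entry)
    sector[510:512] = SIGNATURE
    return bytes(sector)

def parse_partitions(mbr):
    """Decode the four partition entries of a classic MBR."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return parts

def boot_code_digest(mbr):
    """SHA-256 of the boot code only; the partition table may legitimately change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(mbr, baseline_digest):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    if len(mbr) != SECTOR:
        return ["sector is %d bytes, expected %d" % (len(mbr), SECTOR)]
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(mbr) != baseline_digest:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x" % (i, p["status"]))
    bootable = sum(1 for p in parts if p["status"] == 0x80)
    if bootable != 1:
        findings.append("%d partitions flagged bootable, expected 1" % bootable)
    return findings

# Constructed samples: a baseline recorded while the host was healthy, the same
# sector with only the boot code swapped (the change the report describes), and
# a zeroed sector.  The boot code bytes are placeholders, not a real loader.
GOOD_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
PARTS = [(0x80, 0x07, 2048, 204800)]            # one bootable NTFS-type partition
BASELINE = build_mbr(GOOD_CODE, PARTS)
BASELINE_DIGEST = boot_code_digest(BASELINE)
TAMPERED = build_mbr(b"\xeb\xfe" + b"\x00" * 30, PARTS)
ZEROED = bytes(SECTOR)

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE), ("tampered", TAMPERED), ("zeroed", ZEROED)):
        print(name, check_mbr(sector, BASELINE_DIGEST) or ["ok"])
```

On a real host the baseline digest would be recorded at provisioning time and the sector read from the raw disk device by an agent running with administrative rights.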
Because the underlying data destruction process was intended to be irreversible, some victims came to realize that the ransom demand was only a smokescreen. There was no assurance that the data would be recovered, and in the majority of cases the data was lost forever, even if the victims paid the ransom. NotPetya’s identification as a destructive wiper rather than a conventional ransomware attack was established by its focus on data destruction rather than extortion. The consequences of the payload were severe, resulting in significant disruption and a considerable amount of data loss for businesses on a global scale. This ultimately led to large-scale destruction of critical infrastructure in many different countries.
The June 2017 NotPetya attack is a memorable reminder of how powerful cyberattacks can cause extensive harm and interfere with international operations. At first disguised as a ransomware campaign, NotPetya turned out to be a sophisticated wiper focused on destroying the data of critical systems. The deliberately disguised attack was extremely sophisticated: it gained its initial foothold through the compromised M.E.Doc software, advanced quickly through networks using EternalBlue and stolen credentials, and destroyed Master Boot Records and targeted file systems. The significant lessons learned from NotPetya show that proactive cybersecurity measures, such as patching, strong network segmentation, sound authentication mechanisms, and more discussion of security awareness, are crucial.
References
Fortra. (2017, June 28). NotPetya: Timeline of a ransomworm. Fortra. https://www.tripwire.com/state-of-security/notpetya-timeline-of-a-ransomworm
Greenberg, A. (2018, August 22). The untold story of NotPetya, the most devastating cyberattack in history. Wired. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Cimpanu, C. (2017, July 6). M.E.Doc software was backdoored 3 times, servers left without updates since 2013. BleepingComputer. https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/
Microsoft. (2017, March 14). Security update for Microsoft Windows SMB Server (4013389). Microsoft. https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
Hung, G., & Joven, M. (2017, July 9). Petya’s master boot record infection. Fortinet. https://www.fortinet.com/blog/threat-research/petya-s-master-boot-record-infection