NotPetya
NotPetya, also referred to in reporting as Nyetya, ExPetr, PetrWrap, DiskCoderC, and GoldenEye, is a 2017 destructive malware strain that masqueraded as ransomware but was later assessed by multiple sources as effectively a wiper. It was built on Petya: it reused the Petya bootloader code and added its own dropper, a user-mode ransomware component, and worm functionality. On a victim it encrypted the NTFS master file table (MFT), overwrote the master boot record (MBR) with a custom loader that displayed the ransom note, and, in user mode, encrypted the first 1 MB of files with targeted extensions. Kaspersky concluded that the disk could not be decrypted even if the ransom was paid, and other reporting noted implementation flaws that made recovery impossible in practice.
The primary initial infection vector was a malicious update pushed through the compromised update mechanism of M.E.Doc, an accounting package widely used in Ukraine. Some reporting also cited a possible secondary watering-hole vector on the City of Bahmut website. Once inside a network, NotPetya spread by two independent paths: it stole credentials from lsass.exe with tooling similar to Mimikatz and replayed them with PsExec and WMIC, and it exploited the SMBv1 flaws targeted by the leaked NSA exploits EternalBlue and EternalRomance over TCP port 445. Both SMBv1 flaws had been fixed by MS17-010 in March 2017, so the exploit path only reached unpatched hosts, whereas the credential path worked against fully patched machines; this is why patched but flat networks were still overrun. To find targets it enumerated network adapters, NetBIOS names, and DHCP leases, and scanned local IP ranges for ports 445 and 139. It also created a scheduled task to reboot the host roughly one hour after infection, at which point the boot-time MFT encryption ran.
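The subnet sweep on 445/139 described above is the network-visible part of the worm. The following is an added example, not code from the page or from any vendor, showing how to flag a source that touches many distinct internal hosts on those ports within a short window. The log format ("timestamp src dst dport"), the 60-second window, the threshold of 10 distinct peers, and the sample records are all assumptions constructed for the example; real firewall or Zeek conn logs would need their own parser.

```python
"""Added example (not the page's or any vendor's code): flag hosts that sweep
the local subnet on 445/139 the way a NotPetya-style worm does."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

SMB_PORTS = {445, 139}
WINDOW = timedelta(seconds=60)
THRESHOLD = 10   # distinct internal peers per source per window; tune to your subnet size


def parse_conn(line):
    """Parse 'timestamp src dst dport' (assumed format); return None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], ip_address(parts[2]), int(parts[3])
    except ValueError:
        return None


def find_smb_sweepers(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src: (distinct_internal_targets, window_start_iso)} for every source
    that reached >= threshold distinct private IPs on 445/139 within one window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_conn(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport not in SMB_PORTS or not dst.is_private:
            continue            # worm scanning is local; SMB to the internet is a different alert
        events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        # sliding window anchored at each event in turn; first window over threshold wins
        for i, (t0, _) in enumerate(evs):
            targets = {d for t, d in evs[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                hits[src] = (len(targets), t0.isoformat())
                break
    return hits


# Constructed connection records (not real telemetry): 10.0.5.23 sweeps
# 10.0.5.1-10.0.5.12 in 12 seconds; 10.0.5.40 is an ordinary file-server client.
SAMPLE_LINES = [
    f"2017-06-27T10:30:{i:02d} 10.0.5.23 10.0.5.{i + 1} {445 if i % 3 else 139}"
    for i in range(12)
]
SAMPLE_LINES += [
    "2017-06-27T10:30:05 10.0.5.40 10.0.5.200 445",
    "2017-06-27T10:31:00 10.0.5.40 10.0.5.200 445",
    "2017-06-27T10:30:07 10.0.5.23 8.8.8.8 53",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    for src, (n, start) in find_smb_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct internal SMB targets from {start}")
```

The threshold is deliberately a parameter: on a /24 with a busy file server the legitimate fan-in is many clients to one server, not one client to many peers, so the distinct-destination count per source separates the two. Domain controllers, vulnerability scanners and backup hosts will trip it and need an allow-list.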
The campaign was initially aimed at targets in Ukraine, particularly Ukrainian financial, energy, and government organizations, but spread globally within hours and caused major collateral damage to worldwide businesses and critical infrastructure. Public reporting associates the malware with Russian state activity, specifically the GRU/Sandworm lineage (also tracked as GTsST and APT44), and governments and allied statements have formally attributed NotPetya to the Russian military. Reported impact includes millions of affected devices globally and estimated economic losses of around $10 billion. The best-documented single case is Maersk, where the outage reportedly cost more than $300 million and required reinstalling over 4,000 servers and 45,000 PCs.
The ransom note demanded $300 in Bitcoin and told victims to e-mail wowsmith123456@posteo.net, but the provider shut the mailbox down, so even victims who paid had no channel to the operators. Host artifacts directly mentioned include the DLL name perfc.dat (launched through rundll32 with ordinal #1), reboot scheduling via at, schtasks, and shutdown.exe, and the Kaspersky detection names Trojan-Ransom.Win32.ExPetr.a and HEUR:Trojan-Ransom.Win32.ExPetr.gen. Because the malware checked for a file named after its own module (perfc, without extension) in the Windows directory before running, creating a read-only C:\Windows\perfc was widely circulated as a local vaccine; it stops execution on that host only and does nothing about neighbours that are still scanning and replaying credentials. High-confidence aliases in the content include NotPetya, Nyetya, ExPetr, PetrWrap, and DiskCoderC.
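The host-side artifacts listed in this paragraph (perfc.dat via rundll32, the scheduled shutdown, wmic and PsExec for remote execution) together with the event-log clearing mentioned under Techniques below form a recognisable chain on a single host. The following is an added example, not code from the page or from any vendor, that runs those checks over process-creation events and reports hosts where several of them fire. The event field names (ts, host, cmdline), the rule patterns, the rule names and the sample events are assumptions constructed for the example, not published signatures.

```python
"""Added example (not NotPetya's code, nor any vendor's rule): flag the
host-side command lines the page lists and tie them together per host."""
import re
from datetime import datetime, timedelta

# Each rule is (name, compiled regex over the raw command line). The patterns
# encode the behaviours described above; baseline them before deploying.
RULES = [
    ("dropper-rundll32-perfc",
     re.compile(r"rundll32(\.exe)?\b.*perfc\.dat.*#1", re.I)),
    ("lateral-wmic-remote-exec",
     re.compile(r"wmic(\.exe)?\b.*/node:.*process\s+call\s+create", re.I)),
    ("lateral-psexec",
     re.compile(r"\b(psexec|psexesvc)(\.exe)?\b", re.I)),
    ("scheduled-reboot",
     re.compile(r"(schtasks(\.exe)?\s+/create|\bat(\.exe)?\s+\d{1,2}:\d{2}).*shutdown(\.exe)?\s+/r", re.I)),
    ("log-clearing",
     re.compile(r"wevtutil(\.exe)?\s+cl\b|fsutil(\.exe)?\s+usn\s+deletejournal", re.I)),
]

# Pulls the HH:MM out of either "schtasks ... /ST HH:MM" or "at HH:MM ...".
SCHEDULE_TIME = re.compile(r"(?:/st\s+|\bat(?:\.exe)?\s+)(\d{1,2}):(\d{2})", re.I)


def reboot_delay_minutes(ts, cmdline):
    """Minutes between the process-creation time and the scheduled reboot time."""
    m = SCHEDULE_TIME.search(cmdline)
    if not m:
        return None
    target = ts.replace(hour=int(m.group(1)), minute=int(m.group(2)), second=0, microsecond=0)
    if target < ts:                      # scheduled for after midnight
        target += timedelta(days=1)
    return int((target - ts).total_seconds() // 60)


def scan_events(events):
    """events: iterable of dicts with 'ts' (ISO string), 'host', 'cmdline' (assumed schema).
    Returns one alert dict per (event, matching rule)."""
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for name, rx in RULES:
            if not rx.search(ev["cmdline"]):
                continue
            alert = {"host": ev["host"], "ts": ev["ts"], "rule": name, "cmdline": ev["cmdline"]}
            if name == "scheduled-reboot":
                alert["reboot_in_minutes"] = reboot_delay_minutes(ts, ev["cmdline"])
            alerts.append(alert)
    return alerts


def hosts_with_chain(alerts, min_rules=3):
    """Hosts on which at least min_rules distinct rules fired: a lone wmic or
    schtasks line is noisy on its own, the combination is not."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


# Constructed Sysmon/4688-style events (not real telemetry); ws01 is the infected host,
# fs02 and ws07 show benign uses of the same binaries that must not fire.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T10:41:55", "host": "ws01",
     "cmdline": r'rundll32.exe "C:\Windows\perfc.dat",#1 60'},
    {"ts": "2017-06-27T10:42:00", "host": "ws01",
     "cmdline": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:42'},
    {"ts": "2017-06-27T10:42:15", "host": "ws01",
     "cmdline": r'wmic /node:"10.0.5.31" /user:"CORP\svc" /password:"Passw0rd" process call create '
                r'"C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'},
    {"ts": "2017-06-27T11:41:50", "host": "ws01",
     "cmdline": r'cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & '
                r'wevtutil cl Application & fsutil usn deletejournal /D C:'},
    {"ts": "2017-06-27T10:50:00", "host": "fs02",
     "cmdline": "wevtutil qe System /c:5 /f:text"},
    {"ts": "2017-06-27T10:55:00", "host": "ws07",
     "cmdline": r'schtasks /Create /SC daily /TN NightlyBackup /TR "C:\Tools\backup.exe"'},
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(a["host"], a["ts"], a["rule"], a.get("reboot_in_minutes", ""))
    print("chain on:", hosts_with_chain(found))
```

Reporting the computed reboot delay is what makes the scheduled-task alert actionable: a shutdown queued tens of minutes ahead is the window in which an analyst can still isolate the host and pull the perfc.dat sample before the boot-time encryption runs.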
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems, move laterally across networks, and spread malware automatically. The leaked EternalBlue exploit later became the foundation for some of the most destructive cyberattacks ever recorded. North Korean hackers used it in the WannaCry ransomware outbreak, while Russian operators incorporated it into the NotPetya malware campaign. Although initially aimed at targets in Ukraine, NotPetya spread globally and is estimated to have caused around $10 billion in economic losses.
Dillon has crafted his modified exploits to take advantage of the following vulnerabilities: CVE-2017-0143, type confusion between WriteAndX and Transaction requests (EternalRomance, EternalSynergy).
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The GRU’s malign cyber activities include deployment of the NotPetya and Olympic Destroyer malware; intrusions targeting the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency; cyber attacks on government systems and critical infrastructure in Ukraine and the state of Georgia; and hack-and-leak operations targeting elections in the United States and France.
Worldwide Businesses and Critical Infrastructure (NotPetya): June 27, 2017 destructive malware attacks that infected computers worldwide using malware known as NotPetya... The NotPetya malware, for example, spread worldwide, damaged computers used in critical infrastructure, and caused enormous financial losses.
This group has been behind several cyber-attacks aimed at Ukraine in the past, such as the NotPetya ransomware outbreak, and the BlackEnergy attacks on Ukraine's power grid in 2015 and 2016.
The Trump administration on Thursday publicly blamed Russia for the massive notPetya cyberattack that ravaged computer systems worldwide last June... “The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas,” the White House said.
The business made use of specific websites for customer project tracking and data sharing. This was variously referred to as GoldenEye, Commando, or MyCommando, and acted as a place where customers could log in to view and download campaign specific data and status updates, communicate securely, and manage other aspects of their projects.
Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The malware spread so quickly, worming its way automatically through interconnected private networks, as to be nearly unstoppable.
Initial Access
5 techniques
the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).
The prototype worm does not exploit zero-day vulnerabilities. It only targets publicly disclosed but unpatched bugs, misconfigurations, and recurring weakness classes.
A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data.
Russian military hackers hijacked the company’s update servers to allow them a hidden back door into the thousands of PCs around the country and the world that have M.E.Doc installed.
The malware was delivered in emails that had been created to resemble business correspondence, Gerashchenko said
Execution
3 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
WannaCry was based on exploits stolen from the National Security Agency — including a program called EternalBlue, which exploited a Microsoft vulnerability. Petya reportedly shares some of WannaCry's traits
Persistence
4 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).
OpenPetya uses a custom Master Boot Record (MBR) to load the stage-2 payload.
Privilege Escalation
1 technique
Stealth
3 techniques
Once the wiper has run for 60 minutes it cleans Windows event logs...
OpenPetya uses a custom Master Boot Record (MBR) to load the stage-2 payload.
Credential Access
1 technique
Once hackers gained initial access to a computer, Mimikatz could pull those passwords out of RAM and use them to hack into other machines accessible with the same credentials.
Discovery
1 technique
North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm. Russian hackers later built it into NotPetya, which spiraled beyond its initial Ukrainian targets and caused an estimated $10 billion in damages globally.
Lateral Movement
4 techniques
The code that the hackers pushed out was honed to spread automatically, rapidly, and indiscriminately.
Examples include 'Aquatic Panda used WMI for lateral movement in victim environments,' 'Deep Panda group is known to utilize WMI for lateral movement,' and 'Cinnamon Tempest has used Impacket for lateral movement via WMI.'
Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems, move laterally across networks, and spread malware automatically.
Among the tools released, the Shadow Brokers published EternalBlue — a family of zero-day vulnerabilities targeting Windows that allowed hackers to break into computers on a hacked network, rapidly expand their access, and deploy self-propagating worms.
Impact
5 techniques
According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions ... Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer ... NotPetya ... and Olympic Destroyer
Similar to the original Petya, OpenPetya encrypts critical parts of the NTFS Master File Table (MFT) using Salsa20.
No key even existed to reorder the scrambled noise of their computer’s contents.
OpenPetya encrypts selected parts of the NTFS Master File Table (MFT).
It irreversibly encrypted computers’ master boot records, the deep-seated part of a machine that tells it where to find its own operating system.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
189 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A destructive worm-like ransomware malware cited as an example of rapid global propagation using known, patched vulnerabilities.
Destructive malware campaign that incorporated EternalBlue, initially targeting Ukraine before spreading globally and causing massive economic damage.
Propagating malware cited as causing widespread global business disruption and major insurance claims; discussed in the context of large-scale cyber events with possible state-linked connections and act-of-war coverage disputes.
Destructive worm-like malware that incorporated EternalBlue and spread beyond initial Ukrainian targets, causing massive global damage.