NotPetya/Petya/ExPetr: Another Global Malware Epidemic #HITsecurity

UPDATED: July 10 2017 12:15pm CST

The True Meaning of a Trojan Horse

A new international malware variant has surfaced, affecting companies and other entities across the critical infrastructure sectors, including the healthcare sector. Information systems across Europe, the United States and elsewhere have reportedly been infected. 

Some researchers call this pervasive malware “Petya” and others call it “NotPetya” or “ExPetr.” The malware reuses some of the same techniques as Petya, which was previously discussed in past volumes of the HIMSS Healthcare and Cross-Sector Cybersecurity Reports. (Note: For the avoidance of doubt, this malware is classified in a different malware family than Petya. It shares some similarities with Petya but is otherwise distinctly different in behavior and action.)

In addition, researchers have characterized the malware as a wiper rather than ransomware. (Shamoon is another example of wiper malware, as previously discussed in Volume 9 of the HIMSS cybersecurity report.)

A Sign of Things to Come

By using a “smoke and mirrors” technique (e.g., wiper malware masquerading as ransomware, along with other steps taken to hinder attribution), the threat actors may have been more successful in damaging critical infrastructure (and other) systems than if they had not deployed such subterfuge. Such damage may lead to disruption and other forms of loss (economic and otherwise). If the threat actors and/or others deem this technique successful, we may well see such “novel” malware variants and associated techniques again in the future (with some creativity and the element of surprise). All of these things likely afford the threat actors more time to achieve their ends.

Potential Indicators of Compromise and Other Useful Technical Information

Potential indicators of compromise and other potentially useful information about the malware can be found here. Additionally, the malware is reported to encrypt all files with certain file extensions, which are detailed here. A technical analysis, including information about the exploits reportedly involved, also can be found here and on this page. (Please note: Information in this blog post is provided AS IS for your situational awareness, based upon an analysis of information to date. Technical and other information about the NotPetya malware is rapidly changing as more is discovered. Additionally, in the case of multiple malware variants, indicators of compromise and other information may or may not apply depending upon the specific circumstances.)

Patch CVE-2017-0144 Now (MS17-010)

There is also a general consensus that all machines should be patched, where feasible, to address the Server Message Block (SMB) vulnerability, CVE-2017-0144 (fixed in the MS17-010 security bulletin). (Note: The WannaCry ransomworm, the first international ransomworm which we previously blogged about, exploited this vulnerability.)

Should You Pay the Ransom? Maybe, Maybe Not.

As a precautionary note, paying the ransom does not necessarily mean that you will get your data back if your machine is infected. Moreover, even if you were to make the ransom payment, the threat actors sometimes drop additional malware, at least in the case of some types of ransomware. Additional guidance on whether to pay the ransom may be found here.

Lessons Learned from This Malware Campaign

There are many lessons to be learned from this malware campaign. Here are best practices to consider implementing now, if you have not already done so:

  • Use the Principle of Least Privilege: A best practice that all of us can implement right now is to use the principle of least privilege. If administrator rights are not necessary, they should not be used. The user should be granted the least amount of privileges (and access) needed to do his or her job function(s). Regular reviews of user account privileges and job functions are a best practice.
  • Regularly Patch Systems for Old and New Vulnerabilities: The success of this malware was, in part, due to unpatched systems. Accordingly, another best practice to deploy is to regularly patch all systems for both old and new vulnerabilities. (The Conficker worm, which exploits an old vulnerability, is very much alive and well today. The Conficker worm was discussed in Volume 10 of the HIMSS cyber reports.) Keeping firmware, operating systems, programs, program components, and all else up-to-date is a best practice.
  • Regularly Backup and Validate Your Data, Programs, Files, and System Information: When in doubt, it is always a best practice to restore to the last known good state. Accordingly, it always is helpful to have a last known good backup on hand. (This can take the form of the last known good full backup and incremental backups or the last known good full backup and differential backups.) (It is always a good idea to verify and validate all backups.)
  • Think Before You Click: Avoid opening or clicking on suspicious links or attachments. For additional guidance, please refer to the HIMSS “Don’t Catch that Phish – How Not to Become a Victim” guide. Additional tips are available from Europol.
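The MS17-010 recommendation above and the least-privilege bullet both come down to questions a defender can answer per host. The following read-only posture check is an added example, not code from the HIMSS post or from any referenced vendor; it assumes Windows PowerShell 5.1 run elevated, and the KB numbers are illustrative March 2017 MS17-010 packages that later cumulative updates supersede, so "KB not found" means "verify further", not "unpatched".

```powershell
# Added example (not from the HIMSS post). Reports SMBv1 exposure, presence of the
# listed MS17-010 KBs, and local Administrators membership for review.
# Assumption: the KB list is illustrative; confirm the KB for each OS build against
# Microsoft's MS17-010 bulletin before relying on it.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598', 'KB4013429')

function Get-SmbV1Status {
    # Prefer the SmbShare cmdlet (Windows 8 / Server 2012 and later);
    # fall back to the LanmanServer registry value on older hosts.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # SMB1 is on by default when the value is absent; 0 means explicitly disabled.
    return ($null -eq $val) -or ($val -ne 0)
}

function Test-Ms17010Kb {
    param([string[]]$Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($Kbs | Where-Object { $installed -contains $_ })
}

function Get-LocalAdminMembers {
    # Get-LocalGroupMember needs PS 5.1; the ADSI path also works on older hosts.
    try {
        return @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                 ForEach-Object { $_.Name })
    } catch {
        $grp = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        return @($grp.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    }
}

$smb1   = Get-SmbV1Status
$kbs    = Test-Ms17010Kb -Kbs $Ms17010Kbs
$admins = Get-LocalAdminMembers

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    SMB1Enabled     = $smb1
    MS17010KbsFound = ($kbs -join ',')
    LocalAdminCount = $admins.Count
    LocalAdmins     = ($admins -join '; ')
    # SMBv1 on with none of the listed KBs present, or an admin group larger than the
    # illustrative threshold of 3 members, is flagged for follow-up.
    NeedsAttention  = ($smb1 -and $kbs.Count -eq 0) -or ($admins.Count -gt 3)
} | Format-List
```

Run it through your remote-management tooling against a sample of hosts and compare the results with your patch-management inventory; disagreement between the two is itself a finding.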

Information from the US Department of Health and Human Services

Finally, the US Department of Health and Human Services has provided the following information. View it at the link below:

HHS ASPR/CIP HPH Cyber Notice: Current International Ransomware Campaign

Additional Resources

  1. NATO CCDCOE: NotPetya and WannaCry Call for a Joint Response from International Community
  2. Petya Malware Variant (Update C) | ICS-CERT
  3. FBI FLASH bulletin: indicators of compromise (TLP:WHITE) and associated XML/STIX file (TLP:WHITE) (automated indicators)
  4. Virus Total information
  5. SOC Prime: Analysis of Tactics, Techniques, and Procedures
  6. ISSP Reverse Analysis of Petya/NotPetya
