The NotPetya Attack
Today, I learnt about some of the technical details of the infamous NotPetya attack from 2017. It’s fascinating to see how this malware combined various techniques for maximum disruption. Here’s a brief rundown:
Initial Infection
- M.E.Doc Software: Attackers compromised this Ukrainian tax software’s update mechanism, making organizations unwittingly introduce malware when updating.
Attack Techniques
- MBR Overwriting: Targeted the Master Boot Record (MBR) to prevent systems from booting up.
- EternalBlue & EternalRomance: NSA-linked exploits targeting the SMB protocol. Used for lateral movement.
- Mimikatz: Extracted plaintext passwords from RAM to aid lateral movement.
- PsExec and WMIC: Legitimate Windows tools used by NotPetya for executing commands on other machines.
Deceptive Design
- Fake Ransomware: Presented a ransom note, but was mainly a wiper. Proper decryption was practically impossible.